Connecting delayed pre-commitment with cyber awareness to address the perception gap and present bias
The Home Office
October 2018 - April 2020
Coventry University Project Team
DMU, KITC Solutions of University of Kent
We are also working closely with law enforcement, including Kent Police and Leicestershire Police
The project is funded by the Home Office and addresses the challenges of protecting small businesses and charities against cyber-crime. There are a variety of government campaigns (such as Cyber Aware and Cyber Essentials) designed to inform and educate organizations about the cyber threat. Unfortunately many small organizations do not heed the advice and are vulnerable to attack. Indeed, around a half of small organizations suffer a cyber-breach in any one year and so it is a case of when, not if, a company will be attacked. The consequences of an attack for a small business can be severe, including bankruptcy.
There are some simple actions that organizations can take to dramatically reduce the damage from a cyber attack. These include the use of two-factor authentication and staff awareness of mandate or invoice fraud. With this in mind, our project has two main aims: First, to explore the barriers that small organizations face in adopting cyber best practice. Second to test an intervention designed to increase the likelihood of organizations adopting best practice.
We are aiming to inform current policy towards cyber-security in small organizations. To help achieve this we are working with the Home Office, National Cyber Security Centre, regional law enforcement and other partners. Cyber-security is a serious and growing threat for small organizations and so anything we can do to reduce the threat can make a positive difference to society. We plan to continue working on this topic to help drive improvements in cyber-security.
A number of organizations have received the health-check and obtained valuable feedback on their cyber-security capability. Our engagement with small businesses and charities has also helped us to identify a number of significant barriers to best practice. In short, far too many businesses think that cyber-security is not a priority for them. There are a variety of reasons for this. Some think they are not reliant on cyber, despite having email, using an online bank account, reporting tax online etc. Some think that they are cyber-safe, particularly those that out-source cyber-security, but significantly underestimate the sophistication of social engineering used by criminals. Others think that they are too small to be attacked despite the evidence that small organizations routinely fall victim.
Project press release.
This project is part of the RISCS interdisciplinary research community.