Ask that question amongst said SME Owners and Founders and I strongly suspect that you’ll get some differing answers, and possibly some colourful language.  But I also suspect that there will be several recurrent themes.  Chief amongst them will be that they feel they are being pressured into buying this or that solution and get inundated with sales emails.  The use of FUD, Fear Uncertainty and Doubt, is also a real irritant, and with good reason.  Keep crying wolf and the message starts to get samey and eventually ignored.  That of course is a big problem because regardless of the FUD, the dangers are very real.

I tend to come back again and again, probably boring the pants off people, with the argument that relying on your local IT provider to give you good advice and guidance on cyber security, is a major part of the problem.  They will almost always push the technical solution.  Their focus is on selling hardware and software, whereas cyber security is first and foremost a business issue, not an IT issue, and many of the protections needed revolve around people and process, not technology.  Pushing that thought though, is an anathema to the IT support company because, firstly, they don’t get it any more than you do, and secondly, it doesn’t sell licences.

Conversely though, an SME neither needs, not can afford, a full time cyber security professional on staff, and for that matter, neither can the IT support company.  So what’s the answer?  Now this is where I get accused of trying to sell in my services, rather than giving good advice.  I would counter that by saying that taking my services is taking good advice.  I can provide over 20 years of experience in cyber security to an SME, or indeed a startup, using a day or half day rate, and providing advice and guidance when it’s needed, without breaking the bank.

I usually start with telling the Board that SMEs should prioritise cyber security awareness training for all employees. This training should cover topics such as recognizing phishing emails, creating strong passwords, and safely using company resources etc.  Crafting a programme is not difficult and delivery can be automated, keeping time away from the day job to an absolute minimum.  Those that read my stuff regularly will no doubt not be at all surprised that I push this.  Cyber awareness training is the quickest win any SME can undertake, and it’s not expensive.

Keep in mind that a successful cyber attack can disrupt operations, compromise customer data, and lead to financial losses. For SMEs, which often rely heavily on customer trust and loyalty, a breach can tarnish their reputation and erode the confidence of existing and potential clients.

What most SMEs lack is the understanding that they have a responsibility for continuous improvement.  Having said that technology comes third after people and process, it is still extremely important when examining threats to the business from hacks and scams.  A business owner needs advice, guidance and recommendations for continuous improvement of the processes and solutions required to provide adequate defences.  How many SME owners have the time to keep up with the latest cyber threats?  How many have a good handle on the latest scams, an understanding of how well cyber criminals are getting to grips with AI and using it to create new attacks and scams, and to update existing ones.  Not many SME owners have that time to spare, if any.

How many SMEs can devise a cyber security strategy that provides not just the answer to the threats today, but can grow and flex with the business, taking into account the latest threat assessments?  For that matter, how many local IT support companies have the skill set to do that, and indeed, the inclination to do that?

Advice and guidance is needed to identify and prioritise security controls based on the specific needs of that particular SME, enabling them to allocate resources effectively and efficiently, in order to proactively and significantly reduce the risk of successful cyber attacks.

And very importantly this approach allows an SME to target their very limited spend on what the risk to the business actually is and to ensure that the protections being put in place are what is needed, and that it is giving value for money,