SMEs need to think more about IT security

22. April 2022

August 2021 – May 2022

Small and medium-sized enterprises take the risk of cyberattacks very lightly. The project ‘Data Security as a User Problem’ examines companies’ routines to set up a solution catalogue.

Often, IT security training and the right technical solution are not sufficient to make small and medium-sized enterprises (SMEs) understand the need for a higher level of cyber security than what most of them have today. Thus, a new project shows that other factors must be considered, of a completely different nature and depth.

‘It is a very distant notion for many companies that their data security might be threatened. You might say that security awareness does not always include the digital side of the company’, says Johannes Wagner, Professor, Doctor of Philosophy at the University of Southern Denmark and project lead for the Cyberboost project ‘Data Security as a User Problem’, supported by Danish Cyber Hub.

The project will result in concrete proposals for disseminating technically complex information to employees about the handling of IT security, tailored to several types of companies.


Pragmatic relationship to IT security
Before the start of the project, the participants found that small and medium-sized companies’ approach to IT security is characterised by a lack of knowledge about the need for – as a minimum – basic interaction with an IT security system. It is the experience of the project partner, the security company Derant, which specialises in network monitoring and detection of cyber threats, that self-understanding can be a problem for SMEs. In a previous project, various organisations were asked to rate their safety on a scale of 1 to 10, and all were at the very top.

‘Then afterwards, when we have talked to them about IT security and created an understanding, they have gone much lower on the scale because they now realise their lack of knowledge. Businesses are rapidly going digital and becoming deeply dependent on digitisation but will not spend money on IT security. It is very problematic’, says Michael Lentge Andersen, partner at Derant.

The lack of awareness of IT security is confirmed in a study conducted by students from the University of Southern Danmark, involving several smaller organisations, many of which had a very ‘pragmatic’ relationship to IT security.

‘We cannot demand that they have a deeper knowledge of IT security, but it means that they are not able to anticipate adverse incidents’, says Johannes Wagner.

Unfamiliar discipline at waterworks

In the project, the partners look at, for example, waterworks as a line of business, since waterworks are part of the critical infrastructure in Denmark.

The waterworks structure is characterised by smaller plants – often run by volunteers – and here, IT security is an unfamiliar discipline, similarly to many other small and medium-sized companies. IT security is abstract, and it is difficult to imagine just how vulnerable you are. At the same time, there is a lack of focus on and knowledge of specific IT security solutions that match the specific needs of the individual waterworks.

So even though waterworks are usually surrounded by physical fences protecting them against unauthorised intrusion, digitally, they are hardly protected to the same extent. Thus, waterworks are a good example of organisations that are both nationally and internationally attractive targets for hackers and therefore need advanced security systems.

Look into the routines

In the project, classic measures such as surveys and interviews have been discarded in favour of a more ethnographic approach to data collection. This was done to establish the waterworks employees’ daily routines and how to get IT security integrated into the routines.

‘We start by observing them, looking at their plants and equipment. And later, we have open conversations where they must show us what they do. So, we need to go deeper into the routines, because otherwise, we do not know how we can integrate data security as part of the users’ behaviour’, says Johannes Wagner.

Finally, a catalogue of different solutions suiting the IT equipment of various SMEs will be presented. Beforehand, proposals will have been tested through workshops, where users help to assess the type of reminders that works best for them.

‘The challenge is that people need to remember to do certain things to secure the organisation so that they know if they have done it when they walk out the door. It can be something other than digital solutions – like a note on the wall or some sort of alarm’, explains Johannes Wagner.

At Derant, they hope to find a method to communicate the necessity of think in terms of IT security:

‘Because security, digitisation and operational and supply security are inextricably linked, says Michael Lentge Andersen.

Facts

Project title: Data Security as a User Problem
Project period: August 2021 – May 2022
Project partners: the University of Southern Denmark and Derant
Financing (including support from Cyber Hub): DKK 305,325 (DKK 243,575)

Back