Investigating the experiences of providing cyber security support to small- and medium-sized enterprises

Small- and Medium-Sized Enterprises or SMEs comprise of 99.9% of all businesses in the UK and make a significant contribution the overall economy. In UK’s path to digitalisation, ensuring the cyber security and resilience of SMEs becomes an integral element that must be adequately safeguarded to protect national interests. Despite playing a crucial role, there is limited research on SMEs adopting cyber security practices, becoming cyber secure or improving their resilience to attacks. To examine this journey, a qualitative study was designed to learn from the experiences of organisations that provide cyber security advice or solutions. The three aims of the study were to: 1) understand the various types of support offered by providers; 2) topics for which support is sought and the circumstances that trigger the need for assistance; and 3) the perceived effectiveness of the support provided, associated challenges and opportunities to improve from the lived experiences of providers. Following semi-structured interviews with 12 participants, findings confirm results presented in earlier literature and provides new insights. Each participant had exposure to numerous SMEs, in some instances hundreds, at a regional or national level due to their roles at their respective organisations. The inherent knowledge gained from this exposure results in each participant’s experience representing the cumulative experience of several SMEs as opposed to a singular view of one. We conclude that there is a vast amount of cyber security related content aimed at SMEs and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low and they are unlikely to proactively reach out for support. Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes, and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security focused communities that can provide support, collaboration and learning.