“You can lead a horse to water,” says Doctor Lee Hadlington, Associate Professor of Cyberpsychology at De Montfort University in Leicester. He doesn’t hide his exasperation. “Until a company gets attacked, or they know someone that’s been attacked, they won’t do anything to protect themselves.
Lee’s core area of expertise is “the human factors in the context of cybersecurity and susceptibility to cybercrime.” And Avast wants to know why small business owners (SMBs) so often ignore cyberthreats and fail to protect their livelihood – often one they have built themselves.
For many people in the antivirus and tech media industries, there is confusion as to why businesses – SMBs in particular – don’t protect themselves against constant and often successful threats from cybercriminals. Stories make headlines and stats back up the impact of attacks. For example:
- CNBC report that only 21% of small- to medium-sized U.S. businesses are ready to manage IT security and protect against threats
- Due to data breaches, 22% of businesses lost customers, 29% lost revenue, and 23% lost business opportunities
- Beaming reported that attacks on UK businesses were up 27% in Q1 of 2018.
Small business owners lock their doors, have security cameras, get building insurance and have passwords for certain things, yet they often choose to leave the big door to the internet open and unprotected. And that leaves them vulnerable to cyberattacks.
We want to know why.
This is the first in a two-part interview with Dr. Lee. The second part explores “The psychology of cybercriminals and internet scams” to help small businesses understand why cyberattacks happen and how they can fight back.
Why do businesses ignore threats?
When we look at the stats, it’s clear that there’s a disconnect between the number of SMBs attacked and the amount of protection they invest in. Cyberattacks cost small business millions and around half will suffer attack, and yet so little is spent on prevention.
We asked Lee why so many SMB owners choose to not protect digital assets properly, despite the threats, the news, and the stats.
“It comes down to plausible deniability,” he explains. “We’ve tried to talk to small to medium-sized enterprises (SMEs) and business owners about cybersecurity. I spent a year trying to get SMEs involved in the work we were doing to try to help them understand and mitigate the risks.”
Lee explains the problem: the person with three members of staff, a website, and some online banking doesn’t see cybersecurity as essential. Business owners’ priority is profit – making sure they stay in business.
“Three months later,” Lee continues, “when he or she is the victim of a ransomware attack and they lose £10k, all of a sudden, cybersecurity becomes the focus.”
But, as he states, it’s too late.
Facts, stats and figures
Some suggest that people don’t want to pay for antivirus because it feels distant or intangible. Some people feel antivirus is a scam and doesn’t really protect you. Others rely on the ‘it’ll never happen to me’ approach. But people buy home insurance and car insurance even though they think it’ll never happen to them. And many people believe in superstitions even though they have no empirical evidence for them.
It is interesting – if not concerning – that this psychology does not translate when it comes to cybersecurity.
Lee explains how research shows that most people don’t understand statistics, adding that even if they do, they don’t believe them. It’s the old phrase: ‘99% of statistics are made up on the spot’.
“Most people think I’m trying to sell them something,” says Lee of his own research. “What I need people to think is, we’re not trying to sell you something, we’re trying to help you protect yourself. We want to save you money in the long run.”
His frustration is the core issue with cybersecurity: “People think: if it’s never happened to me. If it hasn’t happened for the last 20 years, it might never happen to me. So, why would I spend money and time and effort in doing these things?
Excuses, excuses, excuses
Avast has looked for businesses to share their stories of being hacked but understandably few are happy to go public. Uber famously paid hackers $100,000 to keep a data breach quiet. This means we may know small businesses that have been attacked but they just aren’t saying, so everyone will continue to think ‘it won’t happen to me’ – until it does.
Lee challenges the assertion, asking whether ignorance not taboo is to blame for certain generations’ inertia. “Or is it just plausible deniability?”
He admits that shame might play a role for older generations.
“We have what I call ‘A&E syndrome’,” he says. “Members of the older generation who walk around with a broken leg for three weeks because they ‘don’t want to be a bother’. We see this sometimes with older victims of cybercrime: they are ashamed that they get duped, but, they don’t think it’s serious or don’t know where to go for help!”
SMBs are altogether different. They have limited resources and have to prioritize and many are family businesses.
“I know of at least one local organization where the boss has his 14-year-old son doing their cybersecurity …because ‘he knows computers!’.”
Reality is subjective: if you have never been attacked, that is your reality. Until it’s not.
Lee explains that this is a fundamental heuristic reaction, a fundamental aspect of human cognition: if it’s never happened, it won’t happen. This means businesses will continue to get attacked, lose money and, sometimes, go out of business.
“If everyone thought it was going to happen to them, they’d all train their teams to spot suspicious emails and links and not use unsecured public Wi-Fi,” says Lee. “They’d all have solid antivirus and there would be no cybercrime because it would never work.”
Attitudes to cybersecurity: employers vs employees
Lee and his team researched people’s attitudes towards business-related cybersecurity and describes their findings:
“Owners have a vested interest – it’s their life and their livelihood. But employees go to work to do work and get paid for it, so they don’t see it as their responsibility to protect the company from cyber risks, that the managers should do that. Also, employees said, ‘I don’t know what I’m doing!’ how can I be responsible for it?
The team’s research also found:
- 98% of employees said it was the manager’s responsibility (“That means the majority of people working at companies don’t care about cybersecurity.”)
- Most people don’t know how to report an attack or a suspicious email
The implications of this are concerning. If people don’t care about cybersecurity, what are the business risks because of that? And if people aren’t reporting attacks, what happens? Will they just sit there and watch it happen?
These are important obstacles for SMBs to overcome.
What can be done to help SMBs?
The Associate Professor and Avast Business team share a mission: to help protect SMBs from cyberattack.
“We need to change the mindset of SMB owners and managers so that they engage with the issues,” he says.
“You can give businesses lots of information on cybersecurity, but, at the end of the day, if they or their employees aren’t interested, there’s not a lot we can do. It’s frustrating from an academic point of view: all I want to do is help businesses engage with the problem. We go in and offer our services for nothing and they don’t want to engage.”
It seems that companies think: if we don’t know about it, it won’t happen to us.
“The way that we communicate risk has to change. We [as academics] need to do something to understand what they want. What do they understand and how do we make it more usable for them?”
Lee is an academic, but works with practical applications. His aim isn’t just to publish papers, he wants to help businesses succeed.
“I wish companies realized that I’m not coming in to air their dirty laundry. I don’t care if 60% of your organization think it’s ok to share passwords, I just want to use that information to make recommendations – what can we actually do about it?”
“I just want someone to knock on my door and say, ‘yes, I’m interested in working with you’. I’ve got a list of things a mile long that I could do with companies and organizations that would help them.”
Lee wants to explore the negative attitudes SMB owners or their staff have towards cybersecurity, so that he and his team can help businesses to protect themselves.
“We could even save organizations money,” he says, explaining that SMBs might well be doing training that has no use whatsoever. “The amount of money that organizations spend on useless training is astounding.”
Finally, he says: “I’d love to go to the world’s top 100 companies and say: ‘Look, I don’t want a million pounds from each of you. Just cover my costs to support the research and give me access to your employees so we can build an arsenal of information that allows us to identify your risks. Why is the risk there and how do we mitigate against it? What can we do that could shape your employees’ attitudes toward cybersecurity and help protect your business against cybercriminals?’”
About Lee Hadlington
Dr Lee Hadlington is a Chartered Psychologist and Associate Professor within the Health and Life Sciences faculty, part of the School of Applied Social Sciences at De Montfort University, Leicester in the UK.
His research covers the psychological effects of various aspects of the internet and, in particular, cybersecurity. His research publications include: Is Media Multitasking Good for Cybersecurity?, The ‘Human Factor’ In Cybersecurity: Exploring the Accidental Insider and Exploring the Psychological Mechanisms used in Ransomware Splash Screens.
Protecting small business from cyberattacks
Learn more about Avast Business Managed Antivirus endpoint protection software.