One thing we commonly hear from small businesses goes something like: ‘cyber-security is not a problem for us because we do not use digital’. This attitude almost certainly means the business misunderstands the nature of the cyber threat. Every small business is at risk of cyber-attack, even if digital is not a core part of the service provided to customers.
To illustrate why consider some data from the governments 2018 Cyber Breaches Survey. The survey includes a question asking whether online services are a core part of the business. The results are below, split by size of business. You can see that over a half of micro and small businesses say that online services are a core part of the business. Clearly these rely heavily on digital and are at risk to cyber-attack. Even so, that leaves around 45% who say ‘not at all’.

Let us look in more detail at those who said ‘not at all’. Other questions in the survey ask respondents whether they use specific online services such as a company email or website. Every single business said they used at least one online service. As you can see in the chart below the vast majority of businesses had an email address and website. And over half held personal information about customers or had a bank account into which clients paid money.

So, is there a business who ‘does not use digital’? According to these stats the answer is no. Sure, some businesses are exposed to more cyber risk than others. For instance, an online bank account into which clients pay could leave a business more open to mandate fraud. But all businesses are exposed to some risk. A website could be defaced, an email account hacked, financial accounting data encrypted by ransomware etc.
The challenge for us is how one can change attitudes away from ‘we do not use digital’. The classic stereotype of cyber-security is surely unhelpful here because it creates the image of a guy in a hoodie hacking into complex computer systems. The average plumber, electrician or hairdresser may understandable think ‘what has that got to do with me’.
One possible solution is to refocus the discussion on more practical questions: Where do you store and record financial accounts and tax data? How do you advertise your business? How do you receive and give money to clients and suppliers? Where do you store data about customers? The answers to those questions are almost certainly going to involve cyber-space. Such reframing of the issue may, therefore, get businesses to think a bit more deeply about the threats they face and how they can deal with them.