Reality check: Is outsourcing cyber-security the answer?

Cyber-security can seem like a complex world. It is, therefore, not a great surprise that a number of small businesses take the option to outsource cyber-security to an IT firm or otherwise. The extent of the issue is clear from the graph below which plots data from the government’s 2018 Cyber Breaches Survey. You can see that over 60% of small and medium businesses use an outsource provider. For micro businesses and charities the proportion is less but still over 40%.

Outsourcing also happens across all sectors, although there are some interesting differences between SMEs and large businesses. If we look at SMEs (the orange bars in the graph below) then 70% of businesses in finance or insurance outsource compared to just 30% in information or communication. In large businesses it is health, social care or social work where we see the most outsourcing. In all sectors, though, around a third or more of businesses are outsourcing. So, does that solve the cyber-security problem?

There are two big issues with outsourcing as a solution to cyber-security:

1. There are rogue providers who will (through incompetence or worse) not provide a good service. And, unfortunately, there is currently no regulation of cyber-security providers. So, it is vital that businesses do their homework and find a cyber-security provider who is qualified and competent. It is also worth highlighting that cyber-security providers are an ideal target for cyber-criminals and so the decision to outsource may even expose the business to more risk. This is not to say that there are not great cyber-security providers out there – we have interacted with many during this project – but care is needed. For more on this see a National Cyber Security Centre report.
2. Most cyber-crime, particularly for small businesses, involves social engineering. In short, staff will be induced to do things they should not have. Outsourcing can only go so far to stop this happening. Or put another way, the provider should include cyber-security training for staff as a core part of the service they offer. A service that solely focuses on firewalls and other ‘technical’ solutions is not going to solve the problem.

Overlapping both of these issues is the fundamental need for businesses to become more cyber-aware, even if they still decide to outsource. There is an incentive for the cyber-security industry to make cyber-security seem more complicated than it really is – that builds demand for their services. Solutions to cyber-security are, though, to be found in demystifying the complexity of the problem and empowering businesses to take control. Outsourcing has a fundamental role to play in cyber-security but we arguably some way off getting the balance right at the moment.