Enhancing Cyber Resilience of Small and Medium-sized Enterprises through Cyber Security Communities of Support

通过网络安全支持社区增强中小企业的网络弹性

• 批准号: EP/X037282/1
• 负责人: Steven Furnell
• 金额: $ 88.09万
• 依托单位: University of Nottingham
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2023
• 资助国家: 英国
• 起止时间: 2023 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FX037282%2F1
• 关键词: Enhancing; Cyber; Resilience; Small; Medium

Small and Medium-sized Enterprises (SMEs) are a vital element of the economy, accounting for 99.9% of UK businesses, generating three fifths of employment and turnover of £2.3 trillion. They are a crucial asset requiring protection as part of our overall national resilience. Unfortunately, the UK Cyber Security Breaches Survey indicates that half of small and a third of micro businesses experienced breaches or attacks in the last year. Moreover, while they frequently seek external guidance in relation to cyber security, they do so via a huge range of sources, and often find themselves overwhelmed with information and unable to understand the advice. Research is required to better understand SME needs and the perspective of those that they turn to for support, and to then use these insights as a foundation for the design and evaluation of a new and more accessible approach. The research begins with an investigation of the support needs of small businesses, to establish their current understanding and confidence around cyber security, and their awareness and perceptions of available support. The investigation will seek to determine the scenarios in which cyber security advice is sought (e.g. during product evaluation, at point of purchase, in response to threats and incidents), and whether it is deemed effective. In parallel, the project analyses support routes available to these businesses, with focus upon the coverage and consistency of advice, as well as the confidence and capacity of those providing it. This will include a range of online and in-person sources, in order to capture the diversity of routes that businesses themselves tend to pursue, and will include those specifically designated to provide support (e.g. Cyber Resilience Centres) and those that may find themselves facing cyber security queries when potentially less well-placed to handle them (e.g. retailers). From these foundations, the research then conducts more detailed analysis of business and advisor experiences by tracking individual support journeys as they occur. This offers more direct intelligence on the nature and volume of support being sought, as well as the extent to which the requests led to an effective outcome. The analysis delivers a series of case studies identifying factors that led to successful or unsuccessful outcomes. The findings inform activities to enhance support provision through the design, implementation and pilot evaluation of Cyber Security Communities of Support (CyCOS), representing local collaboration and cooperation between SMEs and advisory sources. The foundations include the creation of an online Support Broker, enabling the SMEs to identify support needs and contact advisory sources positioned to help them (which, as the community develops and grows in experience, may include peer support from other SMEs). In parallel, the project offers upskilling opportunities for advisors and interested SMEs, via foundational cyber security certification to increase their related knowledge and capability. The project will then trial the operation of the CyCOS via three pilots. This will enable practical evaluation of the approach, culminating an established and repeatable model that can then be adopted more widely. The delivery of the research is supported by relevant industry partners, including those providing expertise and resources to support the CyCOS, and those offering channels for engagement with the SME community. Partner representatives will form an Advisory Board, meeting regularly throughout the project, offering input and feedback to further guide the activities. The resulting 30-month project contributes to national resilience by addressing an area of existing vulnerability and potential compromise. It will enhance understanding of SMEs' cyber security support needs and the ability to address them, while enabling SMEs themselves to recognise and embrace a core aspect of their digital responsibility.

中小企业是经济的重要组成部分，占英国企业的99.9%，创造了五分之三的就业机会和2.3万亿英镑的营业额。他们是一项重要资产，需要作为我们国家总体复原力的一部分加以保护。不幸的是，英国网络安全漏洞调查显示，去年有一半的小型企业和三分之一的微型企业经历了漏洞或攻击。此外，虽然他们经常寻求与网络安全有关的外部指导，但他们是通过各种来源这样做的，而且经常发现自己被信息淹没，无法理解这些建议。需要开展研究，以更好地了解中小企业的需求和它们寻求支持的对象的观点，然后利用这些见解作为设计和评价新的、更容易获得的办法的基础。该研究首先调查了小企业的支持需求，以建立他们目前对网络安全的理解和信心，以及他们对可用支持的认识和看法。调查将试图确定寻求网络安全建议的场景（例如，在产品评估期间，在购买时，在应对威胁和事件时），以及它是否被视为有效。与此同时，该项目分析了这些企业可用的支助途径，重点是咨询的覆盖面和一致性，以及提供咨询者的信心和能力，其中包括一系列在线和面对面的来源，以了解企业本身倾向于采用的途径的多样性，并将包括那些专门指定提供支持的机构（例如网络弹性中心）以及那些可能面临网络安全查询但可能不太适合处理这些查询的机构（例如零售商）。 在这些基础上，该研究通过跟踪个人支持旅程，对业务和顾问体验进行更详细的分析。这提供了关于所寻求的支持的性质和数量以及请求在多大程度上导致有效结果的更直接的情报。该分析提供了一系列案例研究，确定了导致成功或不成功结果的因素。 调查结果为通过网络安全支持社区（CyCOS）的设计，实施和试点评估加强支持提供的活动提供了信息，代表了中小企业和咨询来源之间的本地协作与合作。这些基础包括创建一个在线支助经纪人，使中小企业能够确定支助需求，并联系能够帮助它们的咨询来源（随着社区的发展和经验的增长，可能包括其他中小企业的同行支助）。与此同时，该项目通过基础网络安全认证为顾问和感兴趣的中小企业提供技能提升机会，以增加他们的相关知识和能力。该项目将通过三个试点项目测试CyCOS的运行。这将使实际评估的方法，最终建立一个既定的和可重复的模式，然后可以更广泛地采用。研究的交付得到了相关行业合作伙伴的支持，包括那些提供专业知识和资源以支持CyCOS的合作伙伴，以及那些提供与中小企业社区接触渠道的合作伙伴。合作伙伴代表将组成一个咨询委员会，在整个项目期间定期开会，提供意见和反馈，以进一步指导活动。由此产生的为期30个月的项目通过解决一个现有脆弱性和潜在危害的领域，促进国家复原力。它将加强对中小企业网络安全支持需求的理解和解决这些需求的能力，同时使中小企业自己能够认识和接受其数字责任的核心方面。