During both formal and informal discussions during the 2018 CSO Roadshow held in Perth, Sydney and Melbourne, it was clear that the hardest sector to penetrate with effective cybersecurity awareness and education programs are SMBs. And while AustCyber's CEO Michelle Price noted that not only did SMBs account 96% of the Australian economy, most didn't realise they were cyber-businesses to some degree. Every business was dependent in various ways on the Internet and the connectivity it delivers.
Enex Carbon has seen this challenge and is meeting head on through a number of new products and services targeted at this traditionally challenging, but incredibly important sector.
Their new service, CarbonCore , provides access to policy material, standards and guidance that is written in layman's terms for an audience that, most likely, doesn't recognise that they may even have a cybersecurity problem. The language is deliberately non-technical and focusses on showing relevance.
"The primary problem is that the services and solutions in the market today aren't focused on small business," said Mark Jones, the CEO of Enex Carbon. "They don't have the ability to tap into what businesses at the larger end of the scale have access to".
Jones pointed out that the normal sales process for a security vendor could involve many weeks of discussions and negotiations until the right solution was put together for the customer. When that transaction is worth tens of thousands of dollars, that kind of engagement makes sense. But with an SMB, who may only be able to spend tens or hundreds of dollars per month on a solution, the industry's model doesn't work.
"Small business just aren't on the radar to spend three months on a sales cycle," Jones explained. "They're still at risk and have information they want to protect but they're not getting any attention from anybody that knows how to do that. It's not commercially viable".
CarbonCore is a suite of tools, assessments, methods and ways that engage SMBs. They are scalable and accessible so that they can be used by lots of small business clients at the same time. This approach equips small businesses without requiring costly personnel-intensive engagements that can take a long time.
Having established relevance to the business, Jones said the focus then moves to "how to establish a base level of hygiene, how to respond to a cyber incident, how to manage the basics around security like security awareness, passwords and online safety".
The materials being created and presented through CarbonCore are tailored to specific industry verticals such as education, finance, manufacturing and healthcare. Having established what cybersecurity means to each sector and the current position, the tools will help move the business to their desired position.
Jones said some of that CarbonCore will deliver will be based on the NIST standards that are widely used and accepted as one of the highest standards businesses can comply with. However, in order to make those highly technical and in-depth documents accessible, Enex Carbon has invested time and resources into making them user friendly.
"We've adapted the concept of the NIST framework and construct into a series of multiple choice questions. From there we can do more assessments about security culture which are sent out to staff members of the business. At the end of it, we find out what areas of the business have potential exposure," said Jones.
Armed with that data, CarbonCore can then provide the business with tools and methods to address the issues, whether they are to do with systems or with the behaviour of staff.
"We put it into an action plan that provides a step by step guide of what to do".
The services delivered through CarbonCore will also include support during a cyber incident and a website vulnerability assessment.
All these tools will be available through an online portal and supported by booklets that can be distributed within a business. There will also be short videos explaining the basics.
"We are focused on those businesses that have absolutely nothing and getting them to the next level of maturity. Or taking them to the next step wherever they are," said Jones.
Jones said there will be level different service levels available to businesses, starting with a free service that offers some basic information through to monthly subscriptions for different sized businesses that provide regular reports, alerts about specific threats that are presented in accessible business terms and other services.