The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

TL;DR

This paper reviews the unique cyber-security challenges faced by Australian small businesses, highlighting gaps in research and policy, and suggests leveraging their characteristics for improved resilience.

Contribution

It identifies unaddressed challenges specific to small businesses and emphasizes the need for tailored research and policy solutions to enhance cyber-security.

Findings

Small businesses face resource and organizational challenges impacting cybersecurity.

Characteristics like agility and large size can be leveraged for better security.

Current research and policies do not adequately address small business needs.

Abstract

Small businesses (0-19 employees) are becoming attractive targets for cyber-criminals, but struggle to implement cyber-security measures that large businesses routinely deploy. There is an urgent need for effective and suitable cyber-security solutions for small businesses as they employ a significant proportion of the workforce. In this paper, we consider the small business cyber-security challenges not currently addressed by research or products, contextualised via an Australian lens. We also highlight some unique characteristics of small businesses conducive to cyber-security actions. Small business cyber-security discussions to date have been narrow in focus and lack re-usability beyond specific circumstances. Our study uses global evidence from industry, government and research communities across multiple disciplines. We explore the technical and non-technical factors negatively impacting a small business' ability to safeguard itself, such as resource constraints, organisational process maturity, and legal structures. Our research shows that some small business characteristics, such as agility, large cohort size, and piecemeal IT architecture, could allow for increased cyber-security. We conclude that there is a gap in current research in small business cyber-security. In addition, legal and policy work are needed to help small businesses become cyber-resilient.