The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses

Small businesses (0-19 employees) are becoming attractive targets for cyber-criminals, but struggle to implement cyber-security measures that large businesses routinely deploy. There is an urgent need for effective and suitable cyber-security solutions for small businesses as they employ a significant proportion of the workforce. In this paper, we consider the small business cyber-security challenges not currently addressed by research or products, contextualised via an Australian lens. We also highlight some unique characteristics of small businesses conducive to cyber-security actions. Small business cyber-security discussions to date have been narrow in focus and lack re-usability beyond specific circumstances. Our study uses global evidence from industry, government and research communities across multiple disciplines. We explore the technical and non-technical factors negatively impacting a small business' ability to safeguard itself, such as resource constraints, organisational process maturity, and legal structures. Our research shows that some small business characteristics, such as agility, large cohort size, and piecemeal IT architecture, could allow for increased cyber-security. We conclude that there is a gap in current research in small business cyber-security. In addition, legal and policy work are needed to help small businesses become cyber-resilient.