In Sum - Why Cybersecurity Starts at the Top in SMEs
Stephen Harley
Technology Evangelist @ Bechtle UK | 22 Years in B2B IT, 4 at Board Level | MSP & VAR Strategy | AI & Cloud Transformation | MBA Candidate @ Warwick Business School | Driving Business Growth through Technology
For an SME, the most crucial factor influencing your organisation's cybersecurity posture is the engagement of your board of directors with cybersecurity. Cybercriminals have been particularly active this summer. Whenever I come across a company that has become a victim, a variation of the following sentiment is expressed:
"Why didn't our MSP/CIO/CISO/IT Director/IT Manager/IT Team stop this?"
While there's no one-size-fits-all answer, as each situation is unique, delving deeper often reveals a trend. Far too often, it involves overlooked recommendations from the aforementioned parties and a lack of attention to risks at the board level.
Now I'm not saying that every cyber-security solution that gets waved under your nose should be purchased. However, boards should have a formal review process for cybersecurity; aligning with a framework like Cyber Essentials could guide you in making more informed decisions.
I realise that certifications and accreditations might not be the most riveting subjects for many SMEs. I too feel a sense of dread at the mere mention of the letters ISO. But as directors in the UK, we're legally bound to exercise reasonable care, skill, and diligence.
To be frank, I can't understand how, given the severe repercussions of a cyberattack, regularly discussing and comprehensively understanding the risks at the highest company level isn't a baseline requirement.
Yet, time after time, I meet diligent and highly successful individuals who either sidestep the issue or hesitate to invest even in basic precautions. For instance, I once came across a company advised to adopt MFA on four separate occasions. Despite a previously contained breach, they were genuinely perplexed when targeted again. They had invested in IT security five years ago. As threats evolved, their defences remained stagnant whilst they failed to engage with the subject.
IT and Cybersecurity are technical fields, often deterring people from diving into the subject. However, while you can delegate the technicalities to a CISO or outsource IT support to an MSP, the board of directors must retain overall responsibility.
That means the board must regularly engage in these discussions. You need mechanisms to evaluate your security strength so that you can make informed investment decisions. Vulnerability scanning, penetration testing, compliance assessment against a framework or accreditation, and breach and attack simulations are just a few of the available methods.
These discussions deserve a spot on the board meeting agenda. If that necessitates bringing in an expert quarterly to provide insights and recommendations or facilitate, then so be it.
So, what should you discuss?
1. Threat Landscape
- Current threats faced by the industry and the business.
- Recent cybersecurity incidents in similar industries or businesses.
- Evolving threat vectors and tactics.
2. Current Security Posture
- The status of the organisation's current defences, vulnerabilities, and risk exposure.
- Results from recent security assessments or penetration tests.
3. Incident Response and Preparedness
- Existing incident response plans and their effectiveness.
- Recent incidents, lessons learned, and necessary changes to the response protocol.
- Testing and drills of the response plan.
4. Employee Training and Awareness
- Status of ongoing cybersecurity awareness programs.
- Effectiveness of current training and areas of improvement.
5. Regulatory and Compliance
- GDPR and any other relevant data protection regulations.
- Updates on compliance status and upcoming regulatory changes.
6. Budget and Investment
- Review of the cybersecurity budget.
- ROI on security investments.
- Proposals for future investments.
7. Technology and Tools
- Efficacy of current cybersecurity tools and technologies.
- Recommendations for updates, upgrades, or new solutions.
8. Third-Party and Supply Chain Risks
- Assessment of vendors' and third-party service providers' cybersecurity practices.
- Steps to mitigate risks from the supply chain.
9. Business Continuity and Disaster Recovery
- Review of plans in case of major cybersecurity incidents.
- Testing and drills of recovery procedures.
10. Metrics and KPIs
- Presentation and review of cybersecurity metrics and key performance indicators.
- Benchmarks against industry standards.
How often should you discuss it?
1. Quarterly
- High-level reviews of the cybersecurity posture.
- Updates on major threats or incidents.
- Compliance and regulatory status.
2. Annually
- Detailed review of the cybersecurity strategy.
- Budget discussions and investment plans.
- Review of major incidents and lessons learned throughout the year.
- Updates on employee training and awareness programs.
3. Ad-hoc
- In the event of a significant cybersecurity incident or breach.
- When there are major regulatory changes.
- In case of significant technological changes or adoption.
Regular and structured discussions about cybersecurity will not only improve your security posture but will also create a culture where cybersecurity becomes an integral part of the decision-making process.