The challenges faced by SMEs regarding their cyber security preparedness are many and varied, but the clear common issue underlying them all appears to be management of awareness and commitment, alongside managing their cyber risk, which in turn drives budget, allocation of resources and effective implementation of good cyber security practices.
ENISA has identified seven categories of challenges faced by SMEs:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. shift of work in ICT environment out of SME’s control.
- Low management support.
Cyber Awareness Training, or rather the lack of it, is a favourite hobby horse of mine. It is vitally important for both managers and staff. If you don’t know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend? Likewise, staff have to know what to look out for, how attacks are formulated and how they are carried out. A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money. Most SMEs are running businesses where cash flow is king and they simply can’t afford the kind of hits that many are experiencing.
A major misconception is that cyber security is an IT issue. Wrong, it’s a business issue. This misconception is generally arrived at because it is seen as having complex technical solutions that only the ‘techies’ fully understand. However, this is not the case. Cyber security needs to be in the culture of the company, a culture that protects the business from harm. Each person must have at least a basic understanding of the issues they face and how their attitude can affect the cyber security posture of the entire organisation.
As time goes on and the company matures, what is really needed is a transition from initial awareness to an internal cyber security culture through developing an effective strategy.
In the coming weeks I’ll tackle the other 6 categories arrived at by ENISA.