The seven categories of challenges faced by SMEs are:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. work shifting into ICT environments outside the SME’s control.
- Low management support.
Over the last couple of weeks I have taken a look at the low level of cybersecurity awareness amongst the personnel working for SMEs, and the inadequate protection of critical and sensitive information and budgets. Today I’m looking at the general lack of cybersecurity specialists in the SME arena, and in fact, there would appear to be a lack of this expertise at all levels currently.
Cyber security is a specialised function, requiring specialised knowledge and experience. However, it is quite common within an SME for individuals to multitask and to have multiple roles assigned to them. It is also common that the IT support company they use or have under contract is very short of that expertise too, beyond perhaps whatever is associated with the products they support and sell, i.e. anti-malware, firewalls and the like. As a result, subjects like policy and process, which could form a significant part of the company’s defence for little or no cost, are either ignored completely or are inadequate and amount to little more than a ‘tick in the box’.
In short, a cyber security strategy, outlining an information security management system (ISMS) adequate for a particular organisation, often falls woefully short of what is actually required, leaving significant gaps in a company’s defences.
As an SME’s business grows and changes, the people, process and technology it employs will change, and the cyber threat landscape will constantly alter. SMEs therefore need to ensure that their efforts to manage cybersecurity are continuous and consistent. If the company does not directly employ a person with specialised ICT knowledge (typical for non-technical SMEs), there is a need to invest in external expert assistance. Cybersecurity vendors should also be required to ensure their products are secure by default, and to be fully aware of the issues that must be taken into account when installing and configuring those products in a client environment. They will almost certainly argue that they fully understand these issues. My experience has been that this is not always the case.
All of the above is relevant to the problems facing SMEs today. But even once they have taken this on board and recognised that they have significant shortfalls in their defences, shortfalls which may at some point in the future turn out to be very costly, the fact remains that the required expertise is very much out of their reach, simply because an experienced and well-trained cyber security professional will command a remuneration package well above what an average SME can afford.
So how can they overcome this issue? The obvious answer is to outsource and to share a resource amongst many. Here at H2 we can share such a resource, allocating a set number of hours a month to each SME and providing advice and guidance to them and to their IT outsourcing company: advising at every stage of growth, when adding new products, new functions, new technologies and even new people, with the amount of time tailored to each individual requirement. We recognise that whilst many companies have issues in common, no two are exactly the same.
In the coming weeks I’ll tackle the other categories arrived at by ENISA that I haven’t yet discussed.