The seven categories of challenges faced by SMEs are:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. shift of work in ICT environment out of SME’s control.
- Low management support.
Over the last couple of weeks I have taken a look at the low level of cybersecurity awareness amongst the personnel working for SMEs, and the inadequate protection of critical and sensitive information. Today I’m looking at budgets.
During my time working for the major IT corporations it was generally argued that businesses should spend between 5 and 10% of their IT budget on security. Personally I was never sold on such a generalisation and for SMEs in particular, this simply won’t do. SMEs struggle with cash flow, low margins and limited budgets for anything, let alone for what they perceive as not being part of their core business. They often ignore the fact that their IT systems, and the information they store, are vital to the running of the business; the days when IT wasn’t part of their core business have long gone.
Cyber security preparedness entails investment from various aspects such as awareness, covered in a previous article, implementation of controls, engaging external expertise to cover gaps in their knowledge, as well as technology. Whilst many SMEs are now engaged in using various cloud solutions, they are often too small to qualify for the special offers available and have to deal with fixed cyber security SLAs, and denied the flexibility offered to larger organisations.
It was telling that whilst many SMEs engaged with new solutions in reaction to the pandemic, many of them did not invest in any additional security solutions. It is evident that many SMEs view cybersecurity as a cost rather than as an investment in their business, in spite of some SMEs admitting that a major cybersecurity incident would almost certainly have a major, if not catastrophic, impact on their ability to continue trading. It is therefore critical that SMEs understand better the risks to their business posed by cybersecurity threats and then allocate appropriate budgets to invest in the controls required to protect their business.
So what should you be looking at? Well, to start with, most SMEs only really have an IT budget in mind for maintenance, i.e. any maintenance and management contracts you have in place, what a rolling replacement of IT equipment might cost, etc. Any additions to the IT suite will probably be figured into any project that you might be planning for the future, for instance an expansion, maybe a new product line or activity, perhaps a move to a new location.
So it remains that risk management is the best way to set any budget, allowing you to understand your risk and how to mitigate that risk cost effectively. It is also true that most SMEs don’t fully understand the risks posed by cyber criminals or how that risk is quantified. This in turn leads to some stable door slamming, well and truly after the horse has bolted. Any retrofit of security is likely to cost considerably more than getting it right from the start.
At H2 we often hear, ‘We have no clear definition of risk’. How on earth can we manage something that we haven't defined? Fair enough. Given this, how can we really know what is meant when we talk about ‘cyber risk’, or more accurately ‘information risk’, for it is the information held on your systems that must be protected? All information has a value which can be quantified in monetary terms, and that helps you to understand the risk to the bottom line if a loss or compromise of data occurs. A clear definition is therefore an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.
A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, and classified in some way; many choose a simple High, Medium and Low. This can be easier said than done, as we all would like to abolish risk. If only that were an easy and simple option.
Simply put, a definition for an individual organisation may simply be this question, asked of each business asset or process: ‘what would the risk to the business be if this process/asset was corrupted, denied, compromised or lost?’ This gives us 4 risks for each item of data, hardware or software: corruption, denial of access, compromise and loss. It allows us to immediately assign a level of high, medium or low to each of those risks, depending upon the perceived hit on the bottom line.
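To show how that question turns into a usable risk register, here is a small Python example added for this article (it is not H2's IRAM process or any tool the post describes). For each asset it takes the monetary value the business places on it and a rough estimate of how much of that value would be lost under each of the four outcomes, then rates the resulting loss High, Medium or Low against two tolerance thresholds. The asset names, values, impact fractions and thresholds are all constructed for illustration; a real register would use the figures from your own business.

```python
from dataclasses import dataclass, field

# The four outcomes the article asks about for every asset or process.
RISK_TYPES = ("corrupted", "denied", "compromised", "lost")


@dataclass
class Asset:
    name: str
    value: float  # monetary value of the information or process (constructed figure)
    # estimated fraction of that value lost under each outcome, 0.0 to 1.0 (constructed estimates)
    impact: dict = field(default_factory=dict)


def rate(loss: float, high_threshold: float, medium_threshold: float) -> str:
    """Map an estimated monetary loss to High/Medium/Low against the business's tolerance thresholds."""
    if loss >= high_threshold:
        return "High"
    if loss >= medium_threshold:
        return "Medium"
    return "Low"


def risk_register(assets, high_threshold, medium_threshold):
    """Build the register: one row per (asset, outcome) with the estimated loss and its rating."""
    rows = []
    for asset in assets:
        for outcome in RISK_TYPES:
            # An outcome with no estimate is treated as no loss rather than crashing the run.
            fraction = asset.impact.get(outcome, 0.0)
            loss = asset.value * fraction
            rows.append({
                "asset": asset.name,
                "outcome": outcome,
                "loss": round(loss, 2),
                "rating": rate(loss, high_threshold, medium_threshold),
            })
    # Largest estimated loss first, so the High items head the list when budgeting.
    rows.sort(key=lambda r: r["loss"], reverse=True)
    return rows


def count_by_rating(rows):
    """Summarise how many rows fall into each rating band."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for row in rows:
        counts[row["rating"]] += 1
    return counts


# Constructed sample assets; the values and fractions are illustrative only.
SAMPLE_ASSETS = [
    Asset("customer order database", 200_000,
          {"corrupted": 0.5, "denied": 0.3, "compromised": 0.8, "lost": 1.0}),
    Asset("marketing website", 20_000,
          {"corrupted": 0.2, "denied": 0.5, "compromised": 0.3, "lost": 0.6}),
    Asset("payroll spreadsheet", 50_000,
          {"corrupted": 0.4, "denied": 0.1, "compromised": 0.9, "lost": 0.5}),
]

# Constructed tolerance thresholds: a loss at or above HIGH is rated High, at or above MEDIUM is Medium.
HIGH = 50_000
MEDIUM = 10_000

if __name__ == "__main__":
    register = risk_register(SAMPLE_ASSETS, HIGH, MEDIUM)
    for row in register:
        print(f"{row['rating']:6} {row['loss']:>10,.0f}  {row['asset']} / {row['outcome']}")
    print(count_by_rating(register))
```

The thresholds are where the "hit on the bottom line" judgement lives: setting HIGH at the loss the business could not absorb and MEDIUM at the loss it would notice gives a register that is ordered by what actually matters to cash flow, which is a far better basis for a security budget than a flat percentage of IT spend.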
Don't despair, you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.
It’s worth repeating from an earlier article that H2 has developed an industry leading Triple A (Affordable, Appropriate and Accreditable) risk assessment process to remedy this, and to ensure that your information is effectively protected at the right cost. This is called the Information Risk Assessment and Management (IRAM) process.
In the coming weeks I’ll tackle the other 4 categories arrived at by ENISA, that I haven’t yet discussed.