One of the problems with Cyber Security in the SME world is that it has long been considered a cost centre, something to be left to the IT company they have under contract, or worse, an afterthought for some organizations. Fortunately, with the growth of technical platforms and an economy driven by digital technologies, this perspective is changing. Security in today's economy is not only critical to success but it is an enabler and can often function as a competitive differentiator.
One of the things that H2 brings to the table is an attempt to propel security into recognition as an enabler by aligning it with business objectives, and the use of metrics to illustrate how security contributes to those objectives, in a way that SMEs have never had demonstrated to them before.
We introduce a framework to suit an individual company to match its business objectives with cyber security functions, from its policies, processes, awareness training, risk management and security architecture. We try, where possible, to mimic the larger organisations by introducing a zero trust framework, recognizing that legacy security measures no longer suffice. Of course, we also have to match that with the company's resources, in terms of manpower, skill sets and budget. H2 is also well placed to assist with those last 3 requirements. A full list of services can be found at https://www.hah2.co.uk/.
So, to business, my take on how the top 5 predictions affect SMEs.
- Supply Chain Management. Supply chains are, in many cases, already being impacted by issues cropping up as a result of BREXIT, with increased customs checks and a plethora of import/export paperwork, and that is set to get worse from 1 Jan 2022. How much worse then, if your supply chain is compromised by cyber security attacks? A number of publicly visible and impactful supply chain compromises have made headlines. Organisations have quickly realised that their business partners, vendors, managed service providers, and software can all introduce risk when not governed and managed appropriately. Even if your supply chain isn’t compromised, many SMEs sit in the supply chains of larger organisations and depend to a large extent on that business. If you are found wanting, how much damage could that do to your business? Visit my blog page to read an article on supply chain security issues https://www.hah2.co.uk/news-blog/.
- Work Force. I am on record many times talking about the importance of Cyber Security awareness training for the work force. This continues to be a challenge for many. Often data breaches and other issues are created by staff not doing anything deliberately wrong, but causing issues because they don’t know that it is an issue, simply because they haven’t been told. These things can become exacerbated through remote working, made necessary by the pandemic, but attracting some attention because it is seen as a cheaper alternative to the costs involved in office accommodation. Again, visit my blog page https://www.hah2.co.uk/news-blog/ to view several blogs on this issue and take a look at our Cyber Security Awareness offering https://www.hah2.co.uk/h2-services/employee-cyber-security-training/, which we are in discussion about automating to make it easier to deliver and for organisations to fit in around their daily tasks.
- Cloud Security and Home Working. More and more SMEs are now adopting cloud systems such as MS365, AWS, Digital Ocean etc, and we at H2 are strong exponents of SMEs going down this route. But it comes with some issues which need to be mitigated. Many organisations moved to home working and migrated critical functions to the cloud, often without the relevant security measures in place. Focus must be given to securing cloud deployments and environments or risk inadvertent data exposure and potential compromise, particularly from home workers. Threats to home working can be found at https://www.hah2.co.uk/news-blog/?page=5.
- Security Tooling. Now this is often a thorny issue for many SMEs. They are, in the main, totally reliant on the IT company, often local to them, who supply their hardware and software. Now, that makes sense. If you have a relationship with a company such as this, then you can often negotiate decent pricing and feel more comfortable with the devil you know. However, these companies are what is known as resellers, i.e. they resell other, larger organisations' hardware and software. Some are what is known as value added resellers, i.e. they provide some services around these products, such as installation and configuration. So what’s the downside? Well, they have deals with certain suppliers and so will always recommend those suppliers' products to their customer base. They also do not employ cyber security professionals, often because they can’t afford it. They don’t undertake risk assessments and use risk management techniques, neither do they carry out a security architecture review, and the majority of SMEs we go to are using basic flat networks which come with significant issues. Of course there are exceptions to that, but here at H2 we provide a service that will allow you to have the best advice and guidance as you go forward. https://www.hah2.co.uk/h2-services/managed-cyber-security-officer/.
- End Point Security. Many of the same problems exist with this, as they do with security tooling. But once again the past 24 months have seen tremendous growth in the remote workforce with many companies announcing adoption of long-term remote work. For many organizations, this means a distributed workforce, utilising devices under the organization’s control and outside of it with Bring Your Own Device (BYOD). BYOD has often been forced on SMEs who simply did not have enough laptops/desktops to provide their staff with and therefore allowed them to use their home IT for business purposes. Companies must make efforts to secure these devices, their levels of access to sensitive data, and adopt tools and practices that establish a secure remote work environment. The traditional security perimeter is dead, and legacy approaches are no longer applicable.
So all in all I’ve probably skimmed over several subjects, or omitted them altogether, but I’ve tried to focus on what’s important to SMEs without breaking the bank. I would still argue that if you could only afford one thing, then security awareness training for your staff would top the bill. But whatever your focus, whatever your industry vertical, cyber security will be critical to your ability to evolve and grow in the coming years. Start now, and get an understanding of the issues before they hit you in sharp focus. You can be sure that the cyber criminals out there are evolving and growing and as we are already constantly playing catch up, we can’t afford to be complacent.