Cybersecurity Risk Management Roadmap For SMEs
Article by Julien Bonnay, Partner, Jayadevan Vijayakrishnan, Managing Principal, Alex Donovan, Senior Consultant, CAPCO
Cybersecurity threats for small-to-medium-sized businesses (SMBs/SMEs) are real. SMEs are just as likely as larger businesses to be attacked. Yet, many are much less prepared to detect and endure an attack. There is a path forward to significantly improve the risk posture of an organization with good cyber hygiene, a strategic roadmap, and a cybersecurity insurance policy.
SMEs face a specific set of challenges and limiting factors when it comes to improving their cybersecurity posture. Their smaller size often makes it difficult to find cybersecurity champions and define a right-sized cybersecurity governance model. Most SMEs do not have a dedicated chief information security officer (CISO) or information security organization to champion cybersecurity efforts. In fact, 35% of SMEs have no one function that determines information security priorities, and 43% of SMEs have no cybersecurity defense plan in place.
Small in-house and outsourced IT departments typically have limited expertise on cyber hygiene best practices and cybersecurity program management, and limited capacity for new projects or tools. These IT teams may also have initiatives underway to move infrastructure to the cloud and, with limited cloud security expertise, they are unknowingly opening the door to an entirely new arena for hackers to play in with their advanced cybercriminal tools.
4 APPROACHES FOR IMPROVING YOUR CYBERSECURITY RISK POSTURE
Keep in mind that your approach to cybersecurity should be tailored to the size, industry, location, and type of operations specific to your organization, especially as it relates to newly adopted remote working models or investments in cloud-based technologies. To protect your SMB, follow these four steps to start building a cybersecurity strategy to withstand inevitable cyberattacks such as phishing, business email compromise (BEC), malware, and ransomware.
- Take stock of your current cybersecurity capabilities and identify any gaps in baseline security requirements with a cybersecurity assessment. An industry-standard framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), is a quick and straightforward starting point.
- Conduct a cyber hygiene review to first focus your cybersecurity programs on key fundamental requirements, before dedicating time and resources to more sophisticated technologies and tools that may not be the right fit to combat the most relevant risks. These baseline requirements should be implemented by all organizations regardless of size or industry to protect against the most common cyber threats using common sense solutions.
Start implementing these fundamental cyber hygiene practices:
- Define and ratify a formal cybersecurity policy; if you process or store personal or sensitive
  - Password complexity and rotation
  - Multi-factor authentication
  - Data classification and encryption
  - Identity and access management
  - Remote access and work-from-home best practices
- Establish required training and awareness for all employees. Top root causes of data breaches are often due to negligent employees or careless third-party partners.[3][4] Focus on:
  - Strong password requirements and rotation
  - Phishing and BEC awareness
  - Appropriate use policies
  - Other cyber hygiene best practices (e.g., clean desk policy, data classification and protection, reporting mechanisms)
- Take regular backups of critical data and store backups either offsite or in the cloud.
  - Test restoration of backups
  - Consider different scanning or health check solutions to ensure malware does not propagate to backups in the event of an attack
- Create a strategic roadmap. Once a baseline of best practices has been reviewed and implemented, strategic and longer-term planning can be organized based on the current risk posture and risk appetite. Compose your roadmap with a series of project cards organized by NIST CSF function and prioritized for the short-term (6-12 months) and long-term (12-24 months).
Short-term initiatives may include:
- Define a whitelist of approved software (e.g., anti-virus software) and standardize corporate tools used across the organization (e.g., Dropbox, OneDrive)
- Define a checklist for third-party security reviews during the pre-contract phase of vendor negotiations (e.g., roles and responsibilities, data security)
- Document formal recovery plans for critical assets, including recovery time, service-level agreements (SLAs), processes and requirements
Long-term initiatives may include:
- Implement an automated scanning solution to reconcile and update asset inventory for network devices and installed software
- Implement a formal data classification solution for data and email to keep data privacy top of mind
- Implement a security information and event management (SIEM) tool designed for SMEs to aggregate and analyze data across platforms, identifying and mitigating threats before they cause damage
- Purchase a cybersecurity insurance policy. This fast-growing sector of the insurance industry gives many SMEs peace of mind that they are covered when a cybersecurity incident occurs. Be aware that insurance carriers expect baseline security best practices and require a solid understanding of your cybersecurity policies and how you protect your assets to determine coverage details and premiums. The output of your cybersecurity assessment, as outlined in step one, can be used when purchasing a cybersecurity insurance policy.
Premiums can vary from a few hundred thousand dollars to $5 million, with the cost based on:
- Industry and type of non-public information (NPI) / personally identifiable information (PII) stored
- Who has access to your systems and data
- Network security requirements and policies
Conclusion: The Best Defense Is a Good Offense
Make it a priority to protect your data for the benefit of your employees and customers and the long-term health of your business. Hackers have no prejudice. These criminals will invade your organization, regardless of its size, prominence, or location, with their sophisticated tools. SMEs are under attack as never before, a trend the pandemic has only accelerated with newly adopted remote work.
It’s no longer an option for SMEs to simply adopt a defensive plan to ward off an anticipated attack. SMEs need to go on the offense by taking stock of their current cybersecurity capabilities, conducting a cyber hygiene review, creating a strategic roadmap, and investing in a cybersecurity insurance policy. One door left unlocked is enough to result in significant financial losses, many unhappy customers, and headlines that no CEO or investor wants to read.