Tips for leaders of small/midsize enterprises on cybersecurity for their organizations.
The last four years have forced small and midsize enterprises to adapt and execute a technology transformation roadmap so their businesses can survive, operate, and thrive in this new digital economy.
Gartner states, “Among board directors, 64% say their organization is trying to significantly alter its economic architecture to emphasize digital (revenues, margins, productivity, etc.). At the same time, 88% say they recognize cybersecurity is a risk to the business.”
The overarching question for most technology leaders of small and midsize organizations is how to address the growing cybersecurity threat to their businesses. With smaller security budgets and fewer IT resources to manage risk, what will it take to be highly effective in protecting against threats? This raises a few other interesting questions, including:
What is cybersecurity in today’s world?
What are the most common reasons for cybersecurity failure in small/midsize organizations?
What are the key ideas to focus on to manage today’s cybersecurity threats effectively?
What metrics do you need to measure cybersecurity in your organization?
These questions cannot be answered in a five-minute blog, but I will highlight the key ideas. Let’s start by answering the most fundamental question: what does cybersecurity mean in today’s world?
According to the industry definition (Source: Wikipedia), cybersecurity is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
Organizations have become far more vulnerable to cyber threats because digital information and technology are now heavily integrated into daily work. But the attacks targeting information and critical infrastructure are also becoming far more sophisticated. Cyber risk incidents can have operational, financial, reputational, and strategic consequences for an organization, all of which come at significant costs. This has made existing measures less effective, meaning that most organizations need to up their cybersecurity game. This brings us to the second question. What are the most common reasons for cybersecurity failure in small/midsize organizations?
In most small/midsize organizations, cybersecurity fails because of inadequate controls. No organization is 100% secure, and organizations cannot entirely control threats or bad actors. Organizations can only manage priorities and investments in security readiness.
This brings us to our third critical question. What are the key areas to focus on to manage today’s cybersecurity threats? To decide where, when, and how to invest in cyber defense, benchmark your security capabilities, including people, processes, and technology. Identify gaps to fill and priorities to target. The following are the three critical areas to focus on.
Cybersecurity is interconnected with many other forms of enterprise risk, and the threats and technologies are evolving quickly. Cybersecurity is a business risk, yet accountability for it still falls mainly on the shoulders of IT leaders. Organizations where multiple stakeholders work together to make the business decisions that affect enterprise security, and share responsibility, accountability, and governance for them, have a higher success rate.
The technical aspects of cybersecurity defense consist of applying controls on the network and perimeter, endpoints, applications, and data, and investing in Identity and Access Management (IAM) tools and a zero trust architecture.
The third and most crucial aspect of cybersecurity defense is cultivating a culture of awareness and secure behavior among employees by providing them with continuous mandatory training to defend against all kinds of attacks, especially social engineering attacks.
The last critical question is what metrics you should use to prove your cybersecurity program is credible and defensible. Your basic cybersecurity control metrics should track consistency and adequacy for the line of business over time; they should be moderate and, most importantly, show whether the controls produce the intended results.