Why smaller businesses struggle with cyber security
If you run a business, chances are you’ll be familiar with cyber security and understand the need to take steps to protect your business from an attack.
Cyber security should be a big concern. A successful attack has the potential to paralyse your networks and systems, killing your business.
But simply taking off-the-shelf cyber security products and IT solutions doesn’t mean your business is properly protected.
For example, good IT security on its own will do very little to prevent you from falling victim to a ransomware attack, and failing to plan for the disruption caused if an attack does get through will significantly increase the damage done.
In smaller businesses, the responsibility for cyber security and for implementing good technical security measures usually falls to the IT department. But some activities can be overlooked, and these usually relate to “people” and “process”.
Ultimately, effective cyber risk management is about recognising the potential damage to the business if a serious cyber event were to occur. This includes financial, operational and reputational damage.
It then comes down to putting in place a cost-effective, comprehensive business-wide programme to protect the organisation and enable the business to continue to operate when a cyber event occurs.
Note the word “when” a cyber event will occur, not “if”.
Given the rise in the volume and sophistication of cyber events, it is more likely than not that your business will be subject to an attack at some point over the coming months and years.
At CRMG, we often see smaller organisations place insufficient focus on cyber security basics, simply because they assume the IT function already has it covered.
These are some of the key areas where smaller businesses can easily and quickly make improvements to ensure they are more resilient to a cyber attack.
1 – An understanding by the Board of the degree to which the organisation is exposed to cyber threats, both malicious and accidental.
2 – “Business as usual” reporting to the Board on the status of cyber risk, typically through regular risk updates.
3 – Strong business-focused policies and guidelines that protect information and not just IT, and that are genuinely understood and followed by all staff.
4 – Close liaison with HR to ensure that information risk is well managed when people join, move within or leave the organisation.
5 – Effective staff awareness and training to minimise the chances that employees allow attackers in by doing things like clicking on spurious links in emails, or unwittingly exposing information, perhaps when working from home or with suppliers.
6 – Board training and simulation as to how the whole business and not just IT should respond when a cyber event occurs. At a minimum, this will involve invoking a well-prepared business continuity plan.
7 – Effective management of third-party information risk, usually through close liaison between legal, procurement and security functions.
The people behind CRMG have worked with some of the world’s largest organisations to implement effective cyber risk management and are now applying that experience to help smaller businesses operate confidently and without fearing the threat of a cyber event.
This starts with a Cyber Risk Checkup to understand the potential extent of cyber risk exposure and the business’s appetite for risk. We then assess the adequacy of existing cyber risk management and security measures and deliver recommendations for improvement.
This is done via heat maps that clearly show the current exposure to different cyber threats, accompanied by a realistic, prioritised improvement roadmap to optimise the use of current resources.
This allows smaller businesses to reduce their cyber risk exposure, improve cost-efficiency and increase business confidence. In short, it ensures they are genuinely protected.
If you would like to discuss how your business is approaching cyber security, make sure to stop by the CRMG stand (B1322) and chat with a member of the team.