As larger organisations bolster their cybersecurity, cybercriminals are being opportunistic and moving on to smaller organisations. For cybercriminals, it is simply a numbers game: the more victims they can get, the more money they can make. Unfortunately, due to resourcing constraints and other factors, micro, small and medium enterprises (MSMEs) and emerging businesses may lag behind in their security investments and, as a result, may be seen as low-hanging fruit by cybercriminals.
Having said this, there are a number of things that MSMEs and emerging businesses can do to help improve their security posture and keep cybercriminals at bay. Let us look at some of the constraints that apply to these businesses when it comes to security investments and what they could do to help improve their cybersecurity position.
Let us start by discussing some of the constraints that apply to MSMEs and emerging businesses specifically, that inhibit their ability to fully invest in cybersecurity initiatives. This will help give us the context necessary to understand why the investment is perhaps not in line with their risk profile:
Funding: The first issue comes down to funding. Smaller organisations generally have limited funds to invest in their activities, as they are likely to be early in their business lifecycle. Most funds tend to be dedicated to growth activities, and cybersecurity investments sit far down the list.
Expertise: MSMEs and emerging businesses may struggle to fund the talent necessary to manage cybersecurity internally. As a result, this usually gets outsourced or, in some cases, is not managed well. If the outsourced provider is not addressing the client’s cybersecurity needs adequately, that creates challenges too.
Prioritisation: Cyber security almost always gets prioritised below other core business activities. As a result, it doesn’t get the attention it may require.
Having discussed some of the constraints applicable to MSMEs and emerging businesses that limit their cyber security investments, let us look at what MSMEs can do to change this.
Focus: The first thing that these businesses need to do is focus their cyber security investments on their key business drivers and activities. They must view cyber security as a business enabler and not a burden, and ensure that they are conducting business in a cyber-safe manner. If an MSME or emerging business were to suffer a cyber security incident, it can be very costly to recover and to regain any lost customers. If the incident was significant enough, it may affect their very survival. So, it pays to understand and invest in how they can operate in a cyber-safe manner.
Risk management: Undertaking any business venture requires adequate risk management to ensure the business’s survival. Examples include financial risk management, legal risk management, etc. Cyber security risk management is no different. MSMEs and emerging businesses need to understand the risk profile and exposure of their organisation and invest accordingly. The size of the organisation does not necessarily dictate its risk profile: a small military contractor will have a larger risk profile than a large charity, and cyber security investments must stay in step with that profile.
Know thy enemy: It is important for these businesses to know who is attacking them and how. This does not need to be sophisticated. Larger organisations invest in threat intelligence; smaller organisations can simply do their own research and understand this. Phishing and Business Email Compromise are big issues impacting businesses now. It is hence important to understand what these are and to ask whether the business is protected against them.
Before we start looking at controls that smaller businesses can put into place, we must understand the key control categories that drive this. Controls within a cyber security context generally fall into the four categories described below:
Predict: Systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack.
Prevent: Systems, tools, policies and procedures that prevent threats affecting organisational systems. An example would be the corporate firewall.
Detect: Systems, tools, policies and procedures that give you the ability to detect threats that may be affecting a company’s IT systems. An example here would be an Intrusion Detection System.
Respond: Systems, tools, policies and procedures that allow organisations to respond to threats and contain / eradicate them. A policy example would be the corporate Incident Response Plan and associated tools such as a Security Information and Event Management (SIEM) system.
As with anything, the 80/20 rule applies to cyber security as well. 20% effort can mitigate 80% of the risks if you know what to focus on. I have tried to outline some of these below:
Threat Intelligence: As discussed earlier, it is important to do basic research and find out what and how cyber criminals are targeting MSMEs and emerging businesses. The next step is to analyse if they have all the right security measures in place as outlined below.
User Awareness and Cultural Change: The biggest security asset for any organisation is its staff. It is important to ensure that they understand cyber security basics and can pick up cyber security threats such as a dodgy-looking email or a request for immediate payment of an invoice that doesn’t quite look right!
Risk Analysis: It is important for MSMEs and emerging businesses to understand the risk posture based on their business activities and ensure they are at least doing the following:
Patching / vulnerability analysis – Applying security patches regularly to their IT equipment.
Network security including wireless – Ensuring their network is set up securely and that their wireless access points don’t allow just anyone to join their network!
Security detection and response – For larger organisations, ensuring they have the ability to detect and respond to security incidents, as it is almost a case of not if, but when.
End-point security – Ensuring their laptops, mobile devices, tablets, etc. have the relevant security tools in place.
Email and web filtering – Ensuring their email and web traffic are being filtered by a security tool and ‘nasties’ are being removed.
Cloud security – If they are using cloud (and most MSMEs and emerging businesses do, due to cost reasons) ensuring their cloud provider has basic security controls built in such as patching, strong user authentication, etc.
Anti-phishing training – Training their user base to spot and reject phishing emails. This will go a long way towards protecting against the phishing threat.
Third party security assessments – Where they are using third parties, ensuring that those parties have these basic security controls in place so that they do not become a backdoor into the organisation.
Backup – Ensuring all their data is backed up regularly and that the backups are not on the same network as the original data. This will help recovery in the case of a ransomware attack.
Password management and 2FA – Ensuring strong passwords everywhere and, as far as possible, using two-factor authentication that requires a password and, usually, a one-time numeric code, similar to what we see with internet banking.
If MSMEs and emerging organisations were to put together a 6-month plan towards better cybersecurity, it would look like this:
1 month:
Understand their business priorities and risk – protect what is important.
Activate the human firewall – educate their users.
Understand who is attacking them and how, and how vulnerable they are.
3 months:
Based on their priorities, improve their defences and address the threats.
Get some visibility into their environment – know if they are under attack and know how to respond.
6 months:
Check that the measures put in place are working, and act on any gaps found.
In essence, MSMEs and emerging businesses have no choice but to focus on cybersecurity. They need to understand that security is about business outcomes and risk management and invest in understanding who is attacking and how, and bolster their defences accordingly. Given the limited resources at their disposal, they should focus on the 80/20 rule. By prioritising their cybersecurity investments based on data, they can enhance their cybersecurity posture effectively.