Cybersecurity measures are expensive, right!? No, not necessarily. There is a common misconception that cybersecurity measures and solutions are complex and costly, reserved only for large corporations with big IT budgets. This is wrong.
Even micro, small and medium-sized enterprises (MSMEs) with small IT budgets can implement effective cybersecurity measures and strategies that defend them against the constantly growing number and variety of cyberthreats. However, doing so takes careful preparation, a structured approach and a clear framework.
This is what our 4-part-series “Cybersecurity Prevention for Small Budgets” is all about.
In part 1 of our series, entitled “holistic strategies”, we discuss the need for holistic strategies in cybersecurity management. To this end, we introduce the widely adopted “ISO/IEC 27001 — Information security management” standard and its various areas, which help organizations determine the status quo of their cybersecurity management and derive a strategy for strengthening it going forward. Moreover, we discuss important steps and considerations of cybersecurity management particular to MSMEs.
We all know cyberthreats are massively on the rise. Not a week goes by without another headline about another large corporation or government entity that became the target of a carefully executed DDoS or ransomware attack.
Already in 2021, we have heard of numerous consequential and sophisticated attacks like the SolarWinds attack that allowed espionage of thousands of leading companies worldwide including Microsoft, Intel and US government organizations. In early May, a ransomware attack led to the shutdown of the biggest US pipeline for more than 24 hours.
There are plenty of data and statistics that underline the growing threat.
What is more, the types of threats constantly change and evolve, becoming more sophisticated and targeted in nature. DDoS attacks might adjust flexibly to circumvent DDoS detection systems, or help attackers understand the security posture of target organizations and institutions.
The first step to building an effective cybersecurity strategy for an MSME is to determine the status quo of the company’s existing IT/cybersecurity measures. This can be done using a structured cybersecurity standard like ISO 27001. Drafted in 2013, it is the worldwide standard guideline that lays out how organizations shall establish, implement, maintain and continually improve their information security management systems.
It is a holistic framework that considers a total of 14 areas in more detail: Information Security Policies, Organisation of information security, Human resource security, Access protocol, Cryptography, Physical and environmental security, Operations security, Communications security, System acquisition, development and maintenance, supplier relationship, Information security incident management, Information security aspect of business continuity, Compliance.
In the following, we will describe each area briefly and mention questions companies should ask as part of their status-quo determination.
While answering the questions in these 14 areas may provide IT departments with useful insights into their current cybersecurity practices, the classification may still prove too overwhelming or complex for MSMEs to deal with. The good news is that a revision planned for 2021 is meant to simplify the ISO 27001 classification into four overarching areas: organization, people, physical and technological.
Security must always be a primary selection criterion when investing in new hardware like PCs, screens, peripherals and notebooks. When choosing and evaluating suppliers, it pays to analyze their commitment to integrating security measures into their hardware. HP, for example, makes cybersecurity a primary concern with its hardware: even their laptop screens reduce visibility starting at a 30-degree viewing angle, preventing people sitting next to the employee from viewing and reading the screen’s content (particularly necessary when travelling).
The foundation of a secure company network is a state-of-the-art firewall. However, selecting and investing in a world-class firewall is simply the first step. Its professional and ongoing management is even more important — a particular challenge for MSMEs, which often have neither IT security nor firewall specialists in their ranks.
This is where so-called Firewall-as-a-Service (FaaS) providers come into play. For a monthly subscription they offer implementation, customization, management and maintenance of firewalls. Popular FaaS providers include Cloudflare, Palo Alto Networks, Check Point, Zscaler and Fortinet. MSMEs should opt for the price plan that satisfies their needs without being overcharged for features and capabilities outside the company’s needs.
A starting point and preparation for MSMEs must be the following platforms that offer free resources, tools and performance of queries to determine a company’s current security posture
When selecting a strategy to implement cybersecurity measures, MSMEs should decide upon a specific framework. The most common and widely adopted paradigm currently is the Zero Trust approach.
The Zero Trust security approach has become the dominant paradigm for IT security implementations in recent years. In a nutshell, Zero Trust defines a security model in which all users of a company network, whether internal or external, must regularly be authenticated before being granted access to applications and data.
There are various approaches, frameworks and methodologies that prescribe different ways of implementing Zero Trust security in a company. An essential consideration in choosing an approach is which technical infrastructure (e.g. Microsoft Azure, Amazon AWS) the company is using or has implemented.
It is not enough to think of cybersecurity as an occasionally executed set of measures implemented when the need arises. Cyber threats are omnipresent and can strike at any time. Today, cybersecurity must be integrated into all IT measures of an MSME. It has to be defined across the various life cycles and be based on a holistic approach like the Zero Trust paradigm. Companies must also consider getting cyberinsurance to avoid damages and to prepare themselves for a worst-case cyberthreat scenario.
Implementing effective cybersecurity measures doesn’t have to be expensive. It can be done on a small budget, but it requires a structured framework and an information security analysis using standards like ISO 27001 together with a holistic Zero Trust approach.
Cyberthreats are omnipresent, increasing in number, intensity and variety by the day. MSMEs must make security a primary criterion when selecting hardware and software solutions. After getting informed via free information platforms and resources, IT managers must determine whether competencies will be built internally or obtained from outside the organisation. Trusted advisors like FaaS providers, paid via a monthly subscription, can offer effective and cost-efficient cybersecurity that works.
MSMEs must consider cybersecurity an ongoing, integrated activity to be defined in various life cycles. Cost-efficient cyber security for small budgets is possible — what MSMEs cannot afford is to go without it.