Five steps to cyber resilience
– a cyber resilience plan for every SME and mid-market sized organization
Cyber advice is easy to come by for every business, but it’s harder to decipher what aspects of that advice are relevant for you as an SME or mid-market sized company.
That’s why we have developed this five-part special series to offer much more than a list of arbitrary tips that might or might not be relevant.
Over the next five blog posts, we will look at the bigger picture for your organization and detail key actions rooted in the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
By working through these key areas, and by drawing on both our own experience in helping businesses build their cyber resilience and the expertise of leading cyber security practitioners, we aim to help you work towards cyber resilience for your business.
The five areas of focus for Five Steps to cyber resilience for SMEs and mid-markets are:
- Identify – Understand your environment and overall cyber risk
- Protect – Implement appropriate safeguards to limit or contain the impact of a cyber security event
- Detect – Maintain visibility into your network so you can detect intrusions
- Respond – Assume a breach will happen and have a plan in place
- Recover – Business interruption is the greatest risk; access experts to recover quickly
Step 1: Identify | Understand your environment and overall cyber risk
In the first of our five-part series – Five steps to cyber resilience – we look at why identifying your assets and understanding your overall cyber risk is the crucial first step in building a cyber resilience plan for every SME and mid-market sized organization.
‘Fail to prepare, prepare to fail’ goes the adage and, when it comes to cyber, it’s clear that many businesses – despite relying more and more on their IT systems and online presence for business as usual – are at risk because of how they prepare for and manage their response to the cyber threat.
In the year covered by Cisco’s report, 53% of mid-market organizations in 26 countries experienced a cyber breach, with the financial hit costing anywhere from $500,000 to $2.5 million per breach [1]; enough to put a mid-sized business permanently out of operation.
Cyber is now very much a business-wide risk rather than one confined to the IT department: the sum of all cyber breaches to UK mid-market businesses in a single year reached a staggering £30 billion [2], firmly placing cyber security risk among the top risks facing business. Aon’s 2019 Global Risk Management Survey lists cyber in sixth place in the top ten risks globally, and the North America region lists it as the number one risk [3].
We know we’re vulnerable but…
Despite the growing costs, the majority of SME and mid-market organizations are still under-prepared for the threat that cyber poses to every aspect of their business. Companies realize they are vulnerable but lack visibility into their level of preparedness, and have not taken the important step of systematically identifying risks across their security domains, which range from security management practices to access control systems and physical security.
Lack of awareness and understanding, limited resourcing and budget, system complexity, and a shortage of security personnel and expertise are just a few of the obstacles that hinder the ability of SME and mid-market companies to develop cyber resilience. These are also the same attributes that make them increasingly attractive, and relatively easy, targets for cyber criminals.
Start with identifying where your key risks lie
There are, however, simple measures that can drastically improve a mid-market organization’s cyber resilience and put it in a much stronger position. The first stage – and the focus of this blog post – is preparation, which begins with clear visibility into your organization’s overall cyber risk posture.
In our experience, SME and mid-market organizations are significantly less likely than larger ones to conduct cyber health checks and many have never completed a cyber-risk assessment. The result is an unclear view of where their critical risks lie and where to begin when it comes to cyber security. Put simply, would you buy a property without first conducting a detailed building survey (or inspection)? Probably not as you need visibility into its overall condition and an understanding of the risks and repairs required so you can prioritize and invest your resources accordingly. The same is true for managing your cyber risk.
Organizations must know and understand their greatest points of vulnerability so they can prioritize areas of critical concern and take a strategic approach to building their cyber resilience.
Create a cyber security foundation and baseline
Cyber security can seem daunting for even the largest of organizations, let alone those with limited resources. With so many different areas contributing to cyber risk (data, network, application, physical security and third parties, to name a few), many SME and mid-market organizations and security professionals are unsure where to begin.
This is why a thorough and comprehensive cyber risk assessment can help your organization identify and analyze all areas of risk, providing clear visibility into your overall cyber risk posture. When selecting a cyber risk assessment, remember that not all assessments are created equal: they range from basic questionnaires to comprehensive assessments based on NIST risk assessment recommendations.
This type of assessment prompts collaboration amongst key stakeholders in your organization and properly assesses the critical security domains that make up your cyber risk. The result is a strategic blueprint to get you started with building your cyber resilience.
Identify ‘quick wins’ and focus your resources
You cannot tackle everything at once, nor should you, but understanding your cyber risk posture in depth means you can identify and prioritize your critical risk areas and focus your resources.
A comprehensive cyber risk assessment will help you identify both the key enablers for improvement and the quick wins that should receive immediate focus to raise your current level of security performance, as well as the longer-term remediation work that feeds a strategic, data-driven risk management strategy.
Strategic backing for your security strategy
Many businesses are finding their budget increasingly stretched and can struggle to secure the required IT resources from boards and executives. A key weakness often stems from the perceived lack of risk in comparison to other business needs, or from simple resource constraints.
A cyber risk assessment can help senior leadership understand the holistic risks that cyber poses to the business in a language they understand. It can also serve as the foundation for helping to guide your organization to build a long-term security strategy and help focus your resources on the areas that matter most.
Align security functions across your organization
Another key issue for many SME and mid-market organizations is a lack of ownership for the IT security functions, which are often dispersed throughout the organization with minimal collaboration. Because cyber risk touches every aspect of an organization, this can significantly hinder a business’s ability to develop a coherent cyber strategy.
A comprehensive view of your cyber posture creates the framework for risk management, IT, legal and finance teams to work together to solve an emerging, complicated risk. It can also serve as a ‘single source of truth’ for discussing your security risk strategy, strengthening collaboration and improving alignment.
In our next post, we will cover the “Protect” function helping you to understand:
- How do you get started in protecting your business from cyber threats?
- What are the key requirements/areas to consider to help keep your business safe?
- What are some of the vital safeguards that should be considered?
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform. Learn more.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
- [1] Cisco, Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats (Cisco Cybersecurity Special Report): https://www.cisco.com/c/dam/en/us/products/collateral/security/small-mighty-threat.pdf
- [2] CISO MAG, UK mid-market businesses lose £30 billion to cyber attacks, citing Grant Thornton, Cyber Security – the Board Report: https://www.cisomag.com/uk-mid-market-businesses-lose-30-billion-to-cyber-attacks/