The Challenge

Small businesses often see information security as too difficult and too resource-hungry to tackle. The growing number and sophistication of security incidents has become a top concern for many SMB organisations, yet many leaders see their responsibilities through a "Framework" or "Audit" lens, with the National Institute of Standards and Technology (NIST) Cybersecurity Framework being the most popular. The limitation of this "checkbox mentality" is that it can skew cybersecurity spend towards whatever the checklist asks about, and take resources away from the areas where they are needed most.

Information security managers in SMBs face no shortage of challenges. Budget restrictions, security talent gaps, an ever-expanding attack surface, the pace of digital transformation, complex cloud security environments, and rigorous and punitive compliance regulations are just the tip of the iceberg.

Until recently, cyber-attacks, data breaches, and DDoS attacks were considered problems for large businesses and enterprises. On the surface this makes sense, because larger organisations have the most to lose. Cyber criminals also know that these organisations have stronger and more mature defences, and infiltrating them has become more challenging. As a result, we are now seeing a wider move by cyber criminals towards smaller and weaker targets.

The cyber threats posed to SMBs are real, and growing. According to the 2020 Verizon Data Breach Investigations Report, there were 407 incidents, 221 of them with confirmed data disclosure, in small businesses with fewer than 1,000 employees. Furthermore, a recent study by Cisco found that 53% of SMBs had experienced a breach.

The Need for Business Context

It is a widely held truth among seasoned information security managers that there is no easy, one-time solution to information security; it takes time and careful consideration. However, when viewed as part of the business' strategy and regular processes, information security does not have to be intimidating. Gartner's analysis of the Equifax CEO's congressional testimony following the Equifax breach in 2017 showed a disconnect between executive understanding and the actual level of cybersecurity capability in the organisation. Disconnects like this create a critical need to address cybersecurity in a business context and as a business decision.

To create a business context around cybersecurity, information security leaders must first understand their organisation's business context. This includes budgets and costs, desired business outcomes and the business processes that support them, revenue sources, and customers, all of which have technology dependencies. Those dependencies are what justify investment in protecting the technologies that support the business outcomes. Understanding an organisation's most important business outcomes, its most important processes, and the technologies those processes depend on is the first step in putting a business context around cybersecurity for small to medium businesses.

Our Approach

We know that organisations struggle to determine the right amount of cybersecurity protection and investment. Our approach is to measure the level of protection actually achieved, not just to estimate how much protection is needed in order to guide investment. Typical security audits focus on the existence of controls: most audit questions ask whether a control is in place, not how well it performs or how much protection it delivers.

CT's approach is to deliver technology risk outcomes as an abstraction over tools, people, and processes, linked to devices, applications, data, networks, and users, so that the result reflects how well an organisation is protected rather than how it is protected.

CT’s approach to selecting the right controls is that they need to be:

  • Compatible – They should co-exist and integrate with each other without conflict.
  • Appropriate – They need to be in the right place and fit for purpose to deliver the core protections that are required.
  • Sustainable – They need to be efficiently managed and maintained over time, and continue to support the right business outcomes.
  • Productive – They should deliver the availability and security outcomes the business needs without harming business productivity and efficiency.

The CT assessment model achieves this by linking the existence or absence of each control to risk likelihood and impact. The result can be used to govern cybersecurity priorities and investments more effectively, and gives information security leaders the outcome-based evidence they need for meaningful, business-focused conversations with executives and boards.

No matter the size of your business, we can implement enterprise-strength security tools to mitigate threats and protect your systems and data. Visit our Managed Security Services page to learn more about our approach.