43% of cyberattacks are targeted at small businesses, and only 14% are prepared to protect themselves. No matter how small, businesses should consciously apply cyber security measures. But oftentimes, small businesses lack the resources for dedicated cyber security staff or security expertise.
We understand the depth of the problem, so we launched our Expert Roundup Series to offer you original and thought-provoking insights directly from cyber security practitioners. In this latest blog, we spoke with four experts on small businesses’ major steps to build the first line of security. Discover their valuable insights below.
Carlos Arglebe, Head of Cybersecurity at Siemens Healthineers
The first line of security is the people. Their actions determine the protection level. What they do and how they do it makes a big difference. We like to see people as our immune system in digitalization. In addition, we need to create an environment of trust and learning. That is easily said, as very often in security incidents we quickly see fingers being pointed and identify the guilty ones. People want to do the right thing. Learning, appreciation, reward, and development are important to have them engaged as the first line.
Creating a risk framework that considers the nature of the business, the supply chain, customers, and the market requirements is essential, as it is the compass needle for all in the company. This way they can make the right decisions and support the business strategy.
As a third step, I am a big fan of transparency: a meaningful reporting system that gives transparency to the most critical risk areas. What you cannot measure you cannot improve, right? So, start measuring the basic hygiene factors in your organization, starting with assets, patch level, exceptions, training, etc. There are many great examples out there. Translating them into your organization, regardless of its size, is important. Embracing the fact that cybersecurity is not an IT topic only, but instead a strategic priority that requires all to contribute, creates a solid first line of security.
Christophe Foulon, Chief Information Security Officer
The most important step for small businesses to build the first line of security is being aware of the shared responsibility model with cloud service providers and understanding who is responsible for the safety and security of the different layers of the cloud services, and not just assuming that the cloud provider does it all. The safety-first approach requires that to be ingrained in the organization’s culture.
Additionally, I would recommend that small businesses invest in training for the business users of applications, developers, and security staff so that everyone understands their shared responsibility, from the users to the infrastructure.
Stefan Radushev, Cyber Security Consultant
SMEs realize how important it is to invest in cyber security. For many of them, that is the first time they have implemented such measures. The good news is that there are already numerous good practices and case studies that they can follow, and many cyber security experts who have worked with such organizations and know their needs and goals in general.
I would say that the crucial steps for each such organization are to:
- Train their staff and increase the cyber awareness of the employees;
- Adopt information security management procedures – ISO 27001 is a good idea;
- Use basic protection measures like firewalls, VPNs, anti-virus, and browser extensions that detect malware;
- Maintain data backups and a strong password protection policy – these are a must;
- Run proper vulnerability and patch management processes to minimize security risks;
- Secure the network infrastructure – this is essential;
- Work with reliable 3rd-party stakeholders that take cyber security seriously.
I would say those are some of the universal best practices I can recommend.
Andreas Nolte, Head of Cyber Security at Arvato Systems
My advice is to first make sure that the business is conscious of itself – what are the core business processes, who is participating in these processes, how do they depend on technology, and is the company able to achieve the necessary maturity in running these processes, skills, and technology? If these fundamental questions are not answered fully and honestly, investments will more than likely not be on target.
Consequently, the complexity of running technology should be reduced to a minimum by leveraging SaaS services where feasible and concentrating the company’s own efforts on the remaining core processes and the technology and people supporting them. For security products, the main point is to ensure that the alerts they produce are being looked at and a response is happening. Especially for smaller businesses, this capability realistically should be outsourced.
Global Cyber Conference: a bridge between industry players and leading cyber security experts
With cyber security incidents growing in sophistication, all stakeholders of the ecosystem need to work jointly to find ways to secure information systems and improve resilience and deterrence.
The Global Cyber Conference taking place in Zurich next September is a 2-day premium event focusing on cyber security and data privacy. At the conference, international security expert speakers will share their knowledge and best practices to help you advance your cyber security efforts.
You can see our agenda highlights here. You can also book your Early Bird ticket today to save CHF 500. Should you have specific questions, feel free to email us at email@example.com, and we’d be glad to assist you.