Who is it for?
ENISA, the cybersecurity agency of the European Union, published field research on 28 June 2021 to understand the main needs and critical weaknesses of small and medium-sized enterprises (SMEs) during the pandemic, in order to give guidance on the measures to adopt and the elements that deserve particular attention.
More than 85% of the companies surveyed for the research stated that the cybersecurity problems they suffered would have a serious negative impact on their business, while 57% stated that they would most likely close as a result of such serious incidents.
[...] the false assurance is rampant in SMEs that the security controls included in the IT software and services they have purchased will suffice and that no further security checks will be required on their part, unless required by law.
The challenges that emerge for SMEs are the following:
- poor awareness of IT security among staff;
- inadequate protection of critical information;
- lack of adequate budget;
- lack of specialists or adequate skills in cybersecurity;
- lack of adequate guidelines on cybersecurity specific to SMEs;
References:
CyberSecurity360 - Security measures for SMEs: the new ENISA recommendations
ENISA - Phishing most common Cyber Incident faced by SMEs
The dramatic increase in ransomware attacks such as WannaCry and Petya/NotPetya means that no one is immune to attack. Additionally, the growing interconnection of digital business ecosystems expands and extends business risk, so while your organization may not be a target, your partners may be.
This could be the case if your organization had no customers, employees, contractors, intellectual property, business processes, and shareholders or stakeholders, but that would also mean there is no business.
In theory, this tactical approach could work in the short term, but as a long-term approach it places too much emphasis on tools and tactics and not enough on people and processes. Engineers, architects and administrators have specific skills and responsibilities for delivering technical outcomes.
In practice, a dedicated and focused role is needed to guide the Information Security program and ensure, over time, the transition to a more strategic approach, which must be understood and supported by company management.
Not being regulated does not oblige an organization to include the position of CISO in its workforce: TRUE! However, that does not mean it has no risk to manage as part of achieving its business goals.
Having an Information Security program leader, with the governance and strategic vision that role brings, improves security and defensibility in the event of incidents.