Large enterprises typically have a cybersecurity team and often a Chief Information Security Officer or CISO. In smaller companies, we face the task of doing more with less. And when it comes to cybersecurity, that’s a big challenge.
Cybersecurity & Digital Transformation
As the CIO of a mid-market manufacturing company, I am also acting as the CISO. I don’t have the budget for a dedicated cybersecurity staff, which can be frustrating. If we had a team of in-house security experts, I could focus all my energy and resources on taking advantage of new technologies that propel the company forward in the market. I could focus on creative problem-solving that helps us be even more productive and profitable. Unfortunately, there are bad actors out there. These bad actors have determined that the quickest way to make a fortune is by devising endless strategies to break into computer systems and hold the data for ransom.
So, it’s imperative that my digital transformation plans and strategy include cyber resilience as a foundational principle. I can’t afford to take a chance, hoping that criminals will overlook our company just because we aren’t a large enterprise. According to Forbes, in recent data presented to the U.S. Senate, most ransomware attacks are against companies with fewer than 1,000 employees.
It might be tempting to throw money at the problem. There are countless vendors of software, hardware, cloud-based subscriptions, and managed services who will assure you that their solution will keep you safe. But again, in small and mid-market organizations, we have a limited budget. So, we must make smart decisions about how to best invest our resources to defend the company.
In my experience, this consists of three primary steps: understand the risk, make a plan, and execute. And we must repeat these steps regularly.
1. Understand the Risk
Before hoping to protect your company, it’s vital that you have a strong understanding of what is at risk. This starts by asking a few questions about the business:
- What intellectual property do we not want to fall into the hands of criminals or competitors?
- What personal identifiable information (PII) is stored on our systems?
- Which systems are critical to keeping the business operations functioning?
In determining which data and systems are most vulnerable, we have to identify where to focus to ensure those assets are protected. In addition to understanding the business vulnerability, it’s important to understand the range of technical vulnerabilities. It can include getting an assessment from a cybersecurity specialist, which might cost several thousand dollars. Furthermore, it can also include running inexpensive scanning tools. These tools identify open ports, outdated software, and other technical vulnerabilities.
As you get started, it isn’t necessary for this to be complete or an exhaustive list. However, it is necessary to have a starting point from which you can gauge your progress. Repeating these steps on a recurring schedule, perhaps annually, you can go deeper with more detailed tests and assessments.
2. Make a Cybersecurity Plan
Once you have determined the most vulnerable information and systems, it’s time to develop a plan to mitigate the risks. In its most comprehensive form, this plan should conform to a framework such as NIST, CIS, or ISO 27002.
Take note: these frameworks are extensive and detailed, and it can take months or even years to fully implement them. Nevertheless, it’s worth looking at them to get ideas about the types of policies and controls to enforce. It can help in handling various kinds of risks.
For example, the controls might entail password policies or rules that dictate how company-owned devices can be used. They can also provide ideas for accounting controls. This can include distribution of authority to prevent one person, or single-user login, from having too much access. Finally, they include technical solutions such as endpoint protection, firewalls, SIEM (security information and event management) tools, anti-malware, and more.
Now you’re ready to determine which vendors can best provide the services, systems, or tools to protect the assets at risk.
By putting a framework in place – even if it is a subset of the extensive, published frameworks – you will have an organized way to determine which controls you are implementing. You can use this as a list of requirements for any services or software tools you implement. It also gives you a well-thought-out set of documents that you can provide to auditors, cybersecurity insurers, or potential investors.
Most importantly, these documents make it easy to demonstrate to the CFO the value of the vulnerable assets. Additionally, it can show the relatively small cost of cybersecurity in comparison to the potential costs if these assets were compromised. This results in significant monetary loss or damage to the company’s reputation.