In my role as a security consultant, I often think about how small and medium-sized businesses can approach security. Sure, there are plenty of frameworks from various governmental and non-governmental organizations. There is a ton of literature and countless excellent websites that can guide small, medium, and large companies. However, most of these information packages share common traits: Firstly, they speak in “security jargon” and are often written by security experts for security experts. They don’t speak the language of those tasked with improving their company’s security. Secondly, much of it is too complex for beginners.

Recently, I heard from a small craft business: “Frank, we already have those annoying long passwords, virus scanners, and there’s nothing to steal from us.” This made me reflect on other statements I’ve encountered, which I’d like to share with you:

  • “For security, I hire experts when I need them.”
  • “We are not a worthwhile target.”
  • “Our IT service provider handles our security.”
  • “We don’t have our own servers; we outsource everything.”
  • “We have good developers and admins. They take care of it.”
  • “All our data is in the cloud, which is secure.”
  • “We bought the best firewall on the market.”
  • “We hired a security guy who handles everything.”
  • “We have Windows Update enabled on every computer.”
  • “Of course, our data is encrypted.”
  • “Every PC has a virus scanner.”
  • “Our software supplier has a vested interest in delivering secure software. We don’t need to do anything else.”
  • “We don’t store credit card information.”
  • “Our spam filter is well-configured.”
  • “Our offices are locked up at night.”
  • “We have a backup.”
  • “The boss uses her personal devices.”
  • “We’ve been working with this supplier for over 15 years. Nothing has ever happened.”

I bet you chuckled, but remember, these quotes come from experts in their fields, successful businesspeople, diligent administrators, skilled software developers, and competent craftsmen. They are not, and do not need to be, security experts. It is our job to help them in their mission and make their successful business more robust.

To help you achieve this, here are some tips:

Tip 1: Raise Awareness of the Threat Landscape

Statements like “We are not a worthwhile target” or “There’s nothing to steal from us” reflect a misunderstanding of the threat landscape. Every organization, regardless of size or industry, can be targeted by cyberattacks. Many ransomware attacks are opportunistic, targeting easily compromised systems regardless of their perceived value. A security incident can have severe impacts on an organization’s reputation and customer trust, whether or not it is considered a “worthwhile target.” Security incidents can incur significant costs for damage control, recovery, and potential fines. For small and medium-sized businesses, cyberattacks can pose an existential threat.

Tip 2: Highlight Responsibility for IT Security

The statement “Our IT service provider handles our security” poses significant risks if the company is not actively involved in shaping and overseeing its security strategy. A collaborative approach, where both the company and the IT service provider share responsibility, is crucial for an effective security infrastructure. The company must ensure that security policies are adhered to and actively monitor the measures in place. Without internal security expertise, vulnerabilities may not be identified and addressed promptly. Communication failures can lead to ineffective incident management and greater damage. The service provider may have processes that do not fully align with the company’s needs, leading to inconsistencies in the security strategy. Moreover, an attack on the service provider can compromise the company’s data and systems. Ultimately, the company remains accountable for complying with legal requirements and liable for breaches, even if security tasks are outsourced.

Tip 3: Identify the Crown Jewels

Identifying a company’s “crown jewels” involves determining and protecting the most critical data, systems, machinery, and processes. This includes listing and evaluating all physical and digital assets in terms of their importance to operations, revenue, and legal compliance. A risk assessment helps identify threats and vulnerabilities. Special attention should be given to sensitive data such as personal information, health records, intellectual property, and financial data. The mission “Protect the Crown Jewels” ensures that the most valuable resources are safeguarded. This approach helps allocate limited resources effectively, minimize damage from attacks, meet legal requirements, and ensure business continuity and resilience against attacks.

Tip 4: Understand Your Position in the Supply Chain

A long-term relationship with a supplier that has had no previous security incidents can lead to dangerous complacency and a lack of understanding of current security threats. Just because no incidents have occurred in the past does not mean future risks are low. The threat landscape constantly evolves, and new attack vectors and vulnerabilities can emerge at any time. Technological advancements and changes in business processes can also introduce new risks. Regular security assessments, audits, and updates to security protocols are essential in long-term supplier relationships. An incident at a supplier can significantly impact your company, including data loss, business interruptions, and reputational damage. Additionally, your position in the supply chain can further increase risk. A security incident can cascade to other companies in the supply chain, causing widespread disruptions. Continuously reviewing and adapting security measures is crucial. This is important not only from a regulatory perspective (e.g., NIS2) but also to ensure that both your company and the entire supply chain are prepared for current and future threats.

Tip 5: Strengthen Organizational Resilience

Let me start with this message: People are the strongest link in the IT security chain. It is essential to raise awareness across the organization and turn employees into true defenders of corporate security. Investments in regular training and workshops are necessary to raise awareness of current threats and promote best practices. Well-informed and vigilant employees can identify and mitigate potential security risks before they become serious problems. It is crucial that management actively supports and leads these efforts. Leaders must set an example and continuously emphasize the importance of IT security. A strong security culture is built through the engagement and collaboration of all employees, from interns to the CEO. By working together and consistently raising awareness, the organization’s resilience to cyber threats can be strengthened, ensuring a secure future for the company.

Tip 6: Establish Continuous Security Processes

It is often observed that small and medium-sized businesses only take IT security seriously after experiencing a security incident or damage. Such incidents typically lead to the realization that preventive measures, regular security assessments, and a comprehensive security strategy are needed. Unfortunately, attention to security issues tends to wane over time, so that many of the security measures introduced are not sustained. To counteract this problem, it is crucial for companies to establish structured security processes and clearly define responsibilities. C-level management must ensure that sufficient financial resources are allocated. Only then can a sustainable security culture be established and maintained over the long term. Top management support is essential to prioritize and allocate the necessary resources for effective security measures.

Tip 7: Demonstrate the Value

The question of the cost of security measures is raised frequently in many companies. It is important to understand that IT security is not a “one-shot” project but a continuous process that requires constant attention and investment. This means that implementing and maintaining security measures entails financial costs, including expenses for security software, hardware, training, regular audits, and salaries for qualified personnel. These costs may seem high initially, but they are an investment in the future security of the company. The value of ongoing security measures lies in avoiding and minimizing potential damages. Without adequate security measures, companies can fall victim to cyberattacks, leading to significant financial losses, reputational damage, legal consequences, and business interruptions. The potential damage from a security incident can far exceed the cost of preventive measures. In the discussion about IT security costs, companies should consider the long-term benefits and protection these measures provide. The question should be less “What will it cost me?” and more “What will it cost me if I don’t have adequate security measures?” A comprehensive and continuous security approach not only protects against immediate threats but also strengthens customer and partner trust, ensures business continuity, and aids in compliance with legal requirements. Therefore, investing in IT security is a strategic decision that offers significant long-term benefits and protection for the company.

Conclusion

In today’s digital age, a proactive and comprehensive IT security strategy is essential for the long-term success and stability of any company. Establishing deep awareness of the threat landscape and clearly assigning responsibilities creates a strong security culture. Identifying and protecting the most valuable resources, along with considering the position in the supply chain, are crucial steps to minimize vulnerabilities. A robust organization is characterized by the continuous improvement and adaptation of its security processes, ultimately maximizing protection against potential damages and strengthening the trust of customers and partners. Investing in IT security is not just a necessity but a strategic advantage that protects the company from future threats and enhances its resilience.