Cybercrime has continued its near-exponential growth in 2020, with an estimated 85% more cybercrime globally than was reported in 2019. Cybersecurity is receiving increased focus and thought in both the commercial and government sectors.
In August 2020, the Australian Government released Australia's Cyber Security Strategy 2020. Amongst various plans and commitments to invest heavily in cybersecurity over the next 10 years there were calls for action to be taken by businesses to secure their products and services and protect their customers from known cyber vulnerabilities.
These calls to action referred to possible regulation of IT practitioners, as well as the possibility of imposing liability on company directors who fail to adequately protect their products, services and customers from cyber threats.
Cyber threats are emerging as a major risk to the global economy and governments alike. It's not unreasonable to assume that it is only a matter of time before cybersecurity becomes a director obligation alongside workplace safety.
The Move Has Already Begun
Unsurprisingly, the finance and insurance sectors have already begun taking security compliance very seriously. For the last several years, businesses working in and around these sectors have increasingly been asked to prove compliance across various aspects of information management, security and procedures.
More recently, these levels of compliance have become a prerequisite of doing business. In many cases, tenders and contracts are only being awarded to companies that have ISO 27001 accreditation.
Undoubtedly, these requirements are going to trickle down the supply chain. At some point accreditation is likely to be a business necessity even without government regulation.
Understanding Information Security Standards
There are several frameworks that deal with information security. Certain frameworks tend to be more common in different countries around the world. Australia appears to be largely settling on ISO 27001 as the standard.
Despite the differences, all of these frameworks are essentially a blueprint for building an information security program that manages risk and reduces vulnerabilities. Each consists of the policies and procedures required to operate and manage information security effectively. In layman's terms, there are the activities that need to be done (tasks), the manner in which they need to be done (procedures), and the governance that oversees the procedures and adjusts them as necessary.
Preparing For The Future
In most cases it is not yet commercially viable for an SMB to chase accreditation. The challenge, however, is that when that changes, it is not something that can simply be built in a quarter. Rather, there are layers that need to be built and then built upon.
There are, however, elements of a framework such as ISO 27001 that should be adopted now regardless of regulation. It is these activities, procedures and governance that SMBs should be implementing now, in alignment with ISO 27001, in preparation for the future. In the event that accreditation does become a requirement, you would already be 70% of the way there.
Some of these key elements include:
- Having documented security standards and best practices.
- Processes to regularly review these security standards, and the ability to adapt them to meet ever-evolving cyber threats.
- Procedures for implementing the security standards in a consistent manner.
- Procedures for regularly auditing systems against the standards to uncover gaps and misalignments in configurations.
With cyber threats consistently evolving to use ever more sophisticated methods of attack, the above elements are crucial if you want to be serious about cyber security. Put simply, it has become a high-paced arms race.
Just like a true arms race, your strength today means little without the capability to keep up with the other side's developments. Similarly, the best virus protection, firewalls and spam filtering will ultimately become irrelevant without the capability to constantly adapt to emerging threats.
Security Practice within an SMB
Implementing a cyber security practice can be expensive. It's something that should be integrated into existing IT support and maintenance. For this reason, IT Managed Service Providers (MSPs) need to step up and meet the growing needs of SMBs.
Unfortunately, most MSPs have long been poor at observing the changing needs of SMBs. This has also meant they have been slow to evolve their technical offerings. Many SMBs are finding themselves in a position where they can no longer wait for their provider to proactively initiate change.
There is no one-size-fits-all solution. You need an IT offering that meets your required level of protection. In 2021, however, there are some basics that should be in place:
- Security should be a topic of conversation with your MSP at least quarterly. An MSP is not security-focused if it does not provide regular recommendations and advice.
- Managed antivirus is no longer enough. Your security technology should cover multiple threat vectors and include unified threat management, MFA, DNS filtering, and up-to-date security policies as a minimum.
It is easy to overspend on cyber security. It is even easier to be complacent (see IT Security: Why Most Get It Wrong). Ultimately, keeping an SMB secure from cyber threats requires good process and the right relationship. Without them you are not only insecure now, but you're also failing to prepare for the inevitable future.
Sometimes the first step is simply to get another perspective. Want to talk with us about an alternate approach to IT security? Please get in touch and we'd be happy to share our insights!