The United Nations has declared that COVID-19 presents the greatest test for humanity since World War II. The outbreak of the Coronavirus pandemic made it clear that Small and Medium Enterprises (SMEs) need to have the ability to adapt to emergencies and challenges, no matter where they originate from – hygienic, climatic, technological, natural.
Evolution is Crucial
To adapt and evolve effectively, businesses need to have a broader view of the global environment and understand the impact of each development. A great resource for valuable knowledge is the World Economic Forum’s Strategic Intelligence initiative.
Evolution should be part of the strategic and operational planning of every SME. Businesses that fail to address tomorrow's challenges as well as today's will be outpaced by developments, become legacy, and finally go extinct.
Cybersecurity should not be an afterthought
However, technological evolution should not result in security being an afterthought. New technologies, such as IoT, 5G, AI and ML, create many opportunities for increased productivity, enhanced time to market, and reduced costs, but they also create an increased attack surface if businesses fail to mitigate the novel cybersecurity challenges.
Criminals and adversaries are keen on exploiting known security gaps and vulnerabilities to launch cyber-attacks and breach sensitive business assets – systems, infrastructure, and data. The recent SolarWinds supply chain attack is a fine example of how advanced and sophisticated attacks can become.
The statistics on cyber-attacks and cybercrime are compelling:
- According to the World Economic Forum Global Risks Report 2021, cybercrime is the second biggest risk for doing business in the next 10 years, second only to climate/natural disasters.
- The Verizon Data Breach Investigations Report indicates that 86% of breaches in 2020 were financially motivated.
- According to Accenture, security breaches have increased by 11% since 2018 and 67% since 2014.
- The average ransomware payment rose 33% in 2020 over 2019, to $111,605.
- 59% of buyers are likely to avoid companies that suffered from a cyberattack in the past year.
- 56% of Americans do not know what steps to take in the event of a data breach.
- 70% of consumers believe that businesses are not doing enough to secure their personal information.
- 95% of cybersecurity breaches are caused by human error.
The above statistics highlight the importance of investing in cybersecurity. This is even more important for SMEs, since according to the World Bank they represent about 90% of businesses and more than 50% of employment worldwide. Formal SMEs contribute up to 40% of national income (GDP) in emerging economies. These numbers are significantly higher when informal SMEs are included.
Funds are not infinite
To manage risks and become resilient against disruptions, funds need to be allocated. However, these funds are not infinite – quite the contrary. In a constantly changing and shifting business environment, money is an emperor.
According to PwC's COVID-19 CFO Pulse survey, businesses are mostly concerned about a possible global economic downturn and the financial impact on their company. Most businesses anticipate a significant effect on their revenues: more than half (53%) expect a decrease in revenue and/or profits of up to 25% because of the crisis.
The World Bank predicts that the global economy will experience the deepest recession since the end of World War II, with a 5.2% contraction in global GDP in 2020. The European Commission projected that the EU economy will decrease by 7.5%.
Resilience is the key
To address the challenges of an ever-evolving and shifting business environment, 65% of businesses cite resiliency and agility as the key factors to build a stronger organization. Businesses should make resilience part of their everyday strategy. The ability to sustain operations even through a cyber incident or a disaster is essential for your business to survive.
According to FEMA, 25% of businesses do not reopen following a major disaster. It only takes one severe weather incident to pose a major threat to company operations by damaging assets, disrupting the supply chain, and preventing employees from doing their jobs.
In recognition of this necessity, only 11% of the businesses are likely to cut from their planned digital transformation investments to offer better, customer-oriented products and services. Businesses should continue to pursue their plans to accelerate automation and improve their customer experience.
Where to invest in cyber resilience
To achieve the desired level of cyber resilience and a strong cybersecurity posture, SMEs need to invest in the three pillars of people, processes, and technology.
Where to invest: People
The critical role that security training plays in data security cannot be overstated. The 2020 Webroot Threat Report found that running 11 or more training courses over the course of 4-6 months reduces the click-through rate of phishing emails by 65%.
Funding cybersecurity training is not just a way of mitigating current threats. It is an investment to keep your business safe in the future as new threats emerge. Offering training for staff who are keen to learn relevant skills will be much more cost-effective than hiring expensive and hard-to-find professionals and paying huge sums to reduce the consequences of an attack.
Offering cybersecurity training is about being proactive. Taking a proactive approach to protecting your business will place you in a better position in the future. Providing training for staff will offer you an immediate return on your investment since they could tweak daily practices to make them more secure and help plan for the most secure ways to run future business operations.
There’s no better opportunity than investing in and upskilling your staff on a continuous basis. Since cybersecurity is not just a single qualification, you may take advantage of plenty of regularly updated courses, covering the latest threats and accommodating learners of all levels, from foundation courses through to expert. For example, the European Union Cybersecurity Agency (ENISA) offers free training material specifically tailored for SMEs.
Where to invest: Technology
Besides investing in your people, you should also invest in technology to help them strengthen your business. Long gone are the times when businesses could afford to tackle cyber issues with manual tools. Nowadays, the key word is automation.
By deploying automation solutions, you will be able to get rid of error-prone and time-consuming manual processes. In addition, your staff can focus on things that really matter and hence achieve increased productivity. Investing in automation technology will help you improve your daily operations.
Although cost and lack of knowledge might be barriers to rapid adoption of automation solutions backed by Artificial Intelligence (AI), SMEs should start investing in them for better detection, prediction, response, and for saving time and money. In fact, 81% of SMEs believe that AI will be able to improve the security posture of their organizations.
Where to invest: Processes
Sun Tzu says that you should “know thyself, know thy enemy” to win a thousand battles. In our modern business environment, this can be translated as “know your risk tolerance, know your threat environment.” Establishing and enforcing policies and practices for strengthening your cybersecurity posture is a great proactive approach.
This approach should be based on risk assessment and analysis. You should start by defining your risk tolerance and understanding your threat surface. Having visibility into your assets and data and mapping their vulnerabilities and risks will help you develop and implement adequate countermeasures to close these gaps.
In addition, you should be aware of the regulatory compliance requirements. Being compliant is not just a check-mark exercise. It is about building and maintaining a culture of continuous evolution of your cybersecurity practices to adapt to the shifting threat landscape. Signing up for cybersecurity intelligence from CISA is a fine way to gain insights into the threat vectors employed by criminals.
How to invest
Once you have identified the areas where you should invest, the next stage is to persuade your financial department to allocate the required funds. Since your budgeting officer may not understand cybersecurity, you are advised to speak their language: ROI (return on investment). Because cybersecurity budget requests are difficult to quantify, you should compare security investments with the potential liability caused by security breaches.
To start the budget discussion, you must stress cost avoidance and relate the threats to the impact on the business. For example, if you rely on the internet for sales, the security and availability of your e-store is a critical point because losing it will shut off your primary business conduit.
Finally, your security investment requests should consider the financial constraints of your business. Businesses do not have unlimited funds. You could suggest establishing an annual percentage that gets reviewed quarterly based on earnings and the economic uncertainties. Building a 3-year rolling budgeting plan is a great way of ensuring that security is always financed. If earnings grow faster than anticipated, then more funds could be allocated to cybersecurity.
About the author: Anastasios Arampatzis is a Cybersecurity and Privacy Content Writer. Follow him on Twitter @TassosAramp