Demands on the cybersecurity front could soon make small companies uncompetitive, a cybersecurity expert is warning.
Cybersecurity is becoming a condition of business in the European Union and the USA and is for many the cost of entry into a market that goes beyond products or services.
Author of the book 'She'll Be Right (Not!) – a cybersecurity guide for Kiwi business owners', SMB cybersecurity expert Daniel Watson said that more and more large corporate organisations, in New Zealand, Australia and further afield, are demanding increasingly high standards in cybersecurity from suppliers.
“Achieving a high level of IT system security is expensive, time-consuming and it never stops. It is going to get more expensive to cope with the evolving sophistication of criminals, which could well reach levels beyond the resources of some smaller businesses.
“In many ways you could say that cybercriminals are doing certain SMEs out of their ability to do business by triggering harsher regulatory and corporate requirements. They are creating conditions that may demand a very intentional approach to information security and it’s only going to get worse as insurance companies and multinationals demand proof of their partners' commitment to securing their data.”
Watson likened the cybersecurity environment to the arms race between the cheetah and the gazelle. The cheetah is chasing down lunch. The cheetah needs only to focus its efforts on the sick and lame, and right now the hunting is good.
“The digital divide between small mom-and-pop companies and your large organisations will only grow, which I guess affects the consumer in the end because there’s less market competition to control prices across all sectors.
“At the moment the minimum cybersecurity investment by small businesses should be anything from $10,000 – $20,000 and that number will increase. Currently most companies are not even investing near what is needed, and I believe they are at risk of having the rug pulled out from under themselves at any minute.”
He suggests that Kiwi companies take the following steps if they want to remain competitive in the current and future high-risk cybersecurity environment:
- It starts at the top
To be effective, cybersecurity needs to be governance-related and driven from the top down, starting at board, CEO or director level.
“Somebody at the top level, over and above your IT person or team, needs to take responsibility. If nobody is ultimately responsible or you simply assume the IT guy has it sorted, I would be worried,” said Watson.
- Get compliant
A recognised international compliance regime will effectively make a business worthy of confidence and trust.
"For example, the ISO/IEC 27001 Certification is a recognised international standard for information security management and will help ensure compliance with The Health Insurance Portability and Accountability Act (HIPAA) in the United States, and The General Data Protection Regulation (GDPR) in the European Union."
- Identify the Crown Jewels
Watson cautions companies against leaping into the next level of firewalls and measures like network segregation before they understand what is at risk.
"A blanket approach can be very expensive, while neglecting to identify your most important assets – like critical production processes, data and intellectual property – could prove equally if not more expensive. Understand what needs to be protected and then you can be laser focussed on resourcing the protections needed.
"For example, what are you selling? What could stop your business cold? What private information do you hold and where is it at any given time? What is the worst that can happen? What are the risks? How do we mitigate, transfer or eliminate those risks? Remember, doing nothing is effectively putting your head in the sand and accepting responsibility as a director for the risk."
And, said Watson, make sure you are asking the same hard questions of your own suppliers and business partners.