Smaller firms and charities face the same growing security risks as their larger peers, but a lack of budget and resources need not be a barrier to improving security, according to industry experts.
Security leaders from smaller organizations told Infosecurity Europe 2024 that it is not just financial constraints that limit their options.
A lack of people – with few firms having dedicated security teams, or even IT teams – calls for a more innovative approach. However, some of the issues, such as the need to explain cybersecurity risks in business terms, apply to organizations of all sizes.
According to Cheryl Sims-Hancock, cyber security lead at the Alzheimer’s Society, security budgets should be viewed in the context of IT budgets: around 20% of IT spending goes on security. But, she added, the charity often works with even smaller organizations that have no security or IT capabilities at all.
This means working with those suppliers and partners to improve their security and so protect the charity's own supply chain. “The challenge we have to address is to make sure third-party risk is nailed down,” she said.
Patch and Patch Again
John France, CISO at ISC2, agreed. “In SMEs, 95% have no one, or less than half a person, dedicated to cybersecurity,” he said. This makes it all the more important that smaller organizations focus on the basics.
Steps such as patching call less for specialist skills than for rigor in making sure patches and updates are actually applied. “You need to understand what is important to you, and protect that,” France explained.
Smaller organizations can also make use of schemes such as CyberFirst and Cyber Essentials, which will build a base level of security at little cost.
Businesses can also make better use of features in software they already own, argued Don Gibson, CISO at Kinly.
“How many people have everything turned on and working that they are entitled to?” he asked. “I’ve never worked at a company that has, and that is really, really bad ROI.”
SMEs should look at the tools they have and see how they map on to their risk profile – products that are not being used can be removed and money saved. “Squeeze the tech,” Gibson advised.
Investing Without Spending
Spending money, though, is not the only way to improve security. Smaller organizations can bolster defenses through training and awareness, and by tapping into free resources.
“You have to make an investment, even if you don’t have finances to invest,” said Sims-Hancock. “There are free resources from suppliers, universities or the NCSC. And any small organization can get government-funded cyber awareness.”
Emma Philpott, CEO of IASME Consortium, added that it was “really, really important” to make basic cybersecurity as easy as possible for smaller businesses, especially those outside the technology sector.