Cybersecurity leadership for small businesses

For a small business, a fully-fledged cybersecurity team is highly unlikely because of budget constraints. That does not, however, mean that small businesses aren't being attacked.

In a previous role as Detective Sergeant leading the Covert Operations and Cyber Crime teams, the volume of successful attacks that my team and I knew about was always high. The attack methods varied too, but what was consistent was that we would see comparatively small amounts being stolen, less than £5k. This isn't newsworthy, but it is a significant hit to a smaller business and a great return for cybercriminals who have likely put minimal time into the attack.

Small businesses that do not have the basics in place are the perfect target for cybercriminals. With few security controls (including effective policies and procedures) and regular payments flowing into and out of their bank accounts, it is easy to see why smaller businesses are a prime target.

This high volume of incidents means that, budgets notwithstanding, SMEs have no choice but to engage with cybersecurity. While a cybersecurity team on the scale of an enterprise's may be an unrealistic expectation, there are options for smaller organizations that want to show leadership on cybersecurity.

Adam Pilton

Cyber Security Consultant, CyberSmart.

In-house or outsourced

Because smaller companies cannot afford to hire a full-time senior cybersecurity role, they have a decision to make: employ a more junior person in-house, or outsource cybersecurity leadership to a virtual CISO? The right choice depends on the cybersecurity knowledge already within the company and on its strategic vision.

A junior role allows the company to afford a full-time member of staff who will get to understand the company and its culture. That person can also influence the culture and become the knowledgeable point of contact for cybersecurity questions. Having someone in-house means there is a visible person to go to with everyday questions, for example about a suspicious email.

Clearly, however, this option has drawbacks. A more junior hire may lack experience and may not be able to handle the complex situations that arise, which in turn slows the progress the company makes in improving its cybersecurity posture. There are also additional costs associated with a junior role, such as training and development, although some organizations will rightly see these as an investment.

Conversely, engaging the services of a virtual CISO means the individual can hit the ground running, bringing immediate experience and, most importantly, the ability to develop a security strategy for the company. The flexibility of this outsourced, part-time role allows the company to use the CISO as and when they are needed. If compliance is a necessity for the company, the CISO can ensure that the relevant security regulations and standards are met.

Again, however, there are drawbacks. The virtual CISO works with less time available to them and has no team to delegate to. This means they must either take on more of the everyday cybersecurity tasks themselves, or rely on non-specialist staff who perform this work as a secondary responsibility. A virtual CISO is also likely to come at a higher cost per hour, and the fact that they are part-time may affect their responsiveness during an incident.

The final option to consider is a Managed Security Service Provider (MSSP). This can be a cost-effective way to have cybersecurity expertise on tap at all times of day and night. The MSSP gets to know your company and can provide additional resources as the company grows.

However, it is worth noting that by using an MSSP the company is in effect handing control of its security to a third party, so it must choose the provider wisely. Depending on the MSSP, the company may lose the benefit of a security posture tailored to it, as some MSSPs deploy the same products for all their clients. The final point worth considering is additional charges: some services cost extra, particularly if the company suffers an incident that requires specialist expertise and additional resources beyond the standard contract.

When to take the cyber plunge

The answer to this question varies for every business. Smaller companies should be looking towards Cyber Essentials, the UK government-backed baseline scheme, to ensure they have the basics in place and are no longer the low-hanging fruit.

Smaller companies that have achieved Cyber Essentials should then consider Cyber Essentials Plus, which adds an independent technical audit verifying that the Cyber Essentials controls have actually been implemented correctly. Most importantly, certification is renewed annually, so the controls need to be maintained throughout the year rather than tidied up just before the assessment.

As your business grows, it becomes even more important to understand which assets matter to you, how you protect them, and what processes you have in place should the worst happen. This is the point at which the workload increases and may become too much for the individual(s) responsible for cybersecurity at that time.

Another factor worth considering is the industry you are in. If you operate in a highly regulated industry, it may be wise to recruit a cybersecurity specialist sooner. They will help ensure that your business meets the standards required to maintain compliance and keep operating.

On many occasions, businesses recruit cybersecurity personnel only after a breach has occurred. Although this is understandable, it is not the ideal time. By then most businesses have already spent a significant amount of money responding to and recovering from the breach, and recruiting at this stage is likely to be rushed, which leads to hurried, incorrect and expensive decisions.

Fostering a culture of security

One of the biggest challenges facing organizations of all sizes, but particularly smaller ones, is cybersecurity awareness. Ensuring that everyone in the company is aware of the latest threats and how these could affect their role is vital.

A business can spend a significant amount of money protecting itself, but if one person is unaware of the latest threat and clicks a link in a phishing email or is duped by an AI-enabled spoof call, those technical controls will likely be bypassed.

Creating a culture in which cybersecurity is both important and a day-to-day consideration is hard for any organization, but it is easier in a smaller business because communication is simpler, especially when the message comes from senior leaders who are closer to the 'front line'.

A strong culture within a small business promotes shared responsibility among limited resources, giving the business a level of protection that is as valuable as any specific hire it could make.

This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.