Creating a strong cybersecurity posture needs to be seen as a “three-legged stool” that includes people, process and technology, according to Lisa Plaggemier, the executive director of the National Cybersecurity Alliance (NCA).
“Technology is important, but people can break the technology or they don’t adhere to processes – technology can be misconfigured or it can be purchased and then never installed, and then if it is installed it may never be properly configured,” Plaggemier said.
“Those are all people and process issues, which are actually more important than the technology – they are actually the cheaper initiatives to implement in your business, and it doesn't cost money to make sure that people only have access to the data and the systems that they absolutely need to do their jobs.”
Proper and thorough staff training is an inexpensive method that can significantly impact a business’s ability to stave off external threats.
“It's incredibly inexpensive, if not free, to train them to be the eyes and ears of the business watching out for social engineering attempts,” she said.
This is especially vital and true for staff who have access to money, such as accounts payable or finance.
“It's really important that those people are aware of how to tell something that doesn't seem quite right, whether it's a phishing email or phone call,” Plaggemeier said. “If a business views cybersecurity as the responsibility of its IT team, then this is an opportunity changing your thinking about this.”
While technology can have many benefits in streamlining operations and growth opportunities, it may at times be overhyped.
“We need to start looking at it a little more cautiously with a glass half empty mindset,” Plaggemier said. “Most business owners don't make their way into leadership as pessimists — they are pretty optimistic, and always looking for the upside and the potential.
“What this means is that you've also got to be more risk aware, and that's a mindset change for a lot of businesspeople.”
Plaggemier pointed to the growing pool of vendors that sell services or products to businesses but want access to their networks as well, creating prime opportunities for supply chain cyber breaches that are becoming more widespread.
“These business owners are more of focused on enabling their company’s operations and not so much on enabling the business to do things securely,” she said.
She pointed to instances of vending machines being installed in office buildings that are allowed to run off a company’s internal network.
If these are breached by a threat actor, the company can also become vulnerable to an attack.
“Businesses really have to have some sort of third-party risk process in place, no matter how simple,” Plaggemier said. “Businesses must think about who they’re giving access to its network? What data within those systems are they granting access to, because all those things, even though they enable efficiency and growth, they're all introducing some level of risk.”
With SMEs having a harder time establishing a strong cyber posture due to lack of internal resources or funds, it is important to teach business leaders how they can incorporate effective and cost-efficient methods in a way they better understand.
“There's a lot of technical solutions and a lot of technical training out there right now, but there's not a lot that explains it at the at the business level,” Plaggemier said. “Instead, it’s important to explain how to manage their security as a function of their business, rather than something that needs to be outsourced or cared for by a select few who understand the logistics.”
For their part, the NCA is offering a course called CyberSecure My Business, on which it has partnered with different industries, including some insurers, to help make SMEs more resilient to the constantly shifting threat landscape in a more tangible way.
“There is an opportunity to receive discounts on premium for clients who attend and finish this course and are covered by the participating carriers,” Plaggemier said.
