How to make cybersecurity accessible to SMEs
Cybersecurity is often regarded as complex and expensive and a typical SME doesn’t have a full-scale IT department or has totally outsourced IT. Most would never dream of hiring a CISO, and so look at cybersecurity as yet another thing they have to do. To make matters worse, cyber criminals are keen to steal smaller amounts of money from a larger number of people. They’re away from the FTSE/Fortune 100 and towards the SMEs. As a sector, we need to democratise access to cybersecurity so that basic cyber hygiene is not just reserved for big businesses with big budgets.
Cybersecurity should matter to SMEs because larger businesses (including potential clients) won’t want to engage with a small firm that doesn’t have a positive, accessible cyber status. ISO27001 is a good starting point for medium sized businesses, but out of reach for smaller businesses.
Cybersecurity should be private, easy to use, multilingual, global and, wherever possible, free. The latter is what the Global Cyber Alliance specialises in, however, there are many other reliable “freemium” services out there. For example, 1.1.1.1 and 8.8.8.8 are free protective DNS services that sit alongside 9.9.9.9 (or Quad9) – created by GCA, PCH & IBM. Quad9 now protects millions of users worldwide and blocks 60 million potential cyber events every day, while the other “quads” are similarly well known.
There is a growing groundswell of opinion that good cybersecurity should not be something which only big business and governments have access to. Similarly it used to be the case that only big businesses provided cybersecurity solutions. We have seen governments get more involved with NCSC in the UK leading the way but also LORCA in the UK, Silicon Valley and Israel are all amongst many initiatives to allow cyber start-ups to flourish in a market which was dominated by big household names. This is important to provide solutions for small businesses by small businesses. The role of the ‘third sector’, charity or NGO’s is also starting to mature, Global Cyber Alliance being one of many alliances working alongside NGO’s like the Cyber Peace Institute and others to bring about cyber hygiene as a right not a luxury commodity.
Don’t make yourself a target: the role of standards
Cyber criminals also look to these indicators of maturity when searching for easy. At the Global Cyber Alliance, we’re fans of a global standard called DMARC. Without this, anyone can send an email using your corporate email address. Before HMRC implemented this standard, 500 million emails a year were sent in their name initiating phishing emails and fraud. We’ve noticed that when people implement DMARC initially they are amazed at the number of people who are trying to impersonate them.
However, over several weeks small businesses all notice the same scenario – that criminals impersonate their domains less. In other words, by setting DMARC it’s a beacon to the criminals to demonstrate IT and cyber maturity. Cyber Essentials and ISO27001 also have this effect. However, these badges also help to drive business while spreading the culture of safer SMEs.
