Matthew Mackay, Security Practice Lead at Logiq, explores the need for a principles-based approach to helping SMEs strengthen their security posture.
Strong cybersecurity practices can not only enable SMEs to protect themselves from cyber threats, but also offer a competitive advantage, particularly in sectors where cyber security is a prerequisite for contracts, such as defence or government.
Given that determined attackers with sufficient resources can breach systems, organisations should focus on aligning security activities with business needs so that resources are allocated effectively. Cyber resilience ensures an organisation can withstand, respond to and recover from cyber threats, and today’s SMEs can reduce the likelihood and impact of successful cyber-attacks, and enhance their ability to recover from them, by adopting a layered defence model.
Yet many SMEs find it difficult to implement such an approach. Here I will look at some of the barriers, as well as outlining some points to consider in helping SMEs bolster their cyber resilience.
Addressing resource challenges
Cyber resilience is a complex issue that spans multiple business functions. For SMEs, allocating resources to this area can be particularly challenging due to the wide range of policies and procedures to navigate, many of which are not managed by a single department. As a result, cyber resilience efforts often lack clear ownership and coordination.
Without dedicated cybersecurity teams or sufficient funding, SMEs often struggle to prioritise security, leaving them highly vulnerable. There is a need for clear guidance and structured approaches to improve resilience, but there are very few tailored frameworks that help SMEs assess their cybersecurity posture and respond effectively to emerging threats within these resource constraints. Addressing this requires a different approach, one that helps SMEs prioritise and strengthen their cyber resilience.
Maintaining effective governance
Effective governance is crucial in cyber risk management, ensuring security efforts align with business objectives. Senior leadership plays a key role in setting direction and integrating cyber security into strategic planning.
With the evolving threat landscape, there is a critical need for board-level discussions on cyber security to safeguard business functions and reputation, with security metrics playing a fundamental role in providing risk visibility and enabling informed actions. Highly effective risk management involves identifying vulnerabilities, assessing existing controls and determining asset value to implement appropriate mitigations.
This can be achieved through the National Cyber Security Centre (NCSC) Unacceptable Losses approach, which frames security activities around the losses (financial, operational, regulatory, reputational, etc.) that would prevent the organisation from achieving its objectives, within a clear tolerance set by the organisation’s senior leadership.
Security culture
For SMEs, fostering security awareness and encouraging good practices among employees is essential. A strong security culture can address behavioural risks that often lead to data breaches. By embedding security into daily operations, SMEs can significantly enhance their overall resilience.
Given the socio-technical nature of modern systems, organisations must engage employees in security awareness initiatives. A well-informed workforce can serve as a frontline defence, effectively identifying and preventing cyber incidents.
Business continuity
Business continuity ensures that critical functions can be maintained or quickly restored after a disruption. To be effective, these plans must account for various potential disruptions. Business continuity plans should focus on sustaining essential operations during a crisis and restoring normality as quickly as possible.
Yet it’s important to note that continuity planning should not be overly centralised, with teams responsible for specific functions leading in their respective areas. Clearly defined roles and responsibilities, documented in the plan, are key to success. A well-structured and rehearsed plan enhances an organisation’s ability to respond effectively to cyber threats.
The impact on reputation
In an uncertain business environment, Deloitte notes in Reputation Risks: How Cyberattacks Affect Consumer Perception (2020) that an organisation’s response to crises significantly influences its reputation. Neveux highlights that reputational damage from cyber incidents is often overlooked, despite a Forbes Insight Report finding that 46% of organisations suffered brand damage due to data breaches. The Aon and Pentland Analytics Report (2018) further underscores the financial impact, revealing that some companies saw share prices drop by up to 25% a year after a cyber-attack. These risks provide a compelling case for board-level engagement, emphasising both reputational and financial consequences.
A principles-based approach to SME cyber resilience
To address the challenges outlined above, I argue that rather than relying on rigid compliance frameworks, SMEs should adopt a principles-based approach to cyber resilience. The NCSC promotes core security principles that offer flexibility, allowing organisations to tailor security practices to their specific needs.
Similarly, both the Cabinet Office and UK Ministry of Defence have introduced secure by design initiatives, underpinned by 10 and seven principles respectively, to help improve the cyber security posture of the public sector. These principles are just as relevant to any organisation, not just those within the UK public sector.
Existing frameworks and standards may be dismissed by SMEs as they contend with their resource constraints. To address this concern, the following principles are proposed to guide SMEs towards improved cyber resilience:
- Obtain and maintain senior leadership buy-in — secure active support for security initiatives, align risk appetite with business objectives, ensure security activity is budgeted effectively, and ensure dedicated resources are allocated.
- Align cyber risk management to organisational objectives — ensure that security activities are aligned to business objectives and ensure robust risk management processes, implement robust security controls based on thorough security requirements and manage supply chain risk. Ensure that technical risks are communicated as business risks which should be owned by the respective business function.
- Empower and support employees through security awareness — recognise employees as the largest attack surface, provide ongoing security training and maintain a strong security culture.
- Establish and maintain organisational resilience — identify critical business functions, develop and maintain business continuity and disaster recovery plans, regularly rehearse response strategies, and ensure that lessons are used to update policies and procedures.
- Manage the organisation’s reputation as a critical element of its resilience — protect brand reputation by implementing basic security measures and ensuring clear communication during security incidents.
- Seek support when required — leverage guidance from the National Cyber Security Centre, regional cyber resilience centres and other industry resources, and reach out for specific support when this is required.
- Learn lessons — ensure that there is a robust lessons learnt process, and that policies, processes and procedures are refined from experience.
Conclusion
The consequences of a cyber-attack can be devastating for SMEs, leading to financial losses, reputational harm and even business closure. By adopting a proactive approach and ensuring that security activities are aligned to business objectives, SMEs can build a strong foundation for cyber resilience.
The principles outlined in this article provide a structured and pragmatic framework, enabling SMEs to enhance their cyber security posture without the constraints of rigid compliance frameworks. By integrating these principles into their operations, SMEs can improve their ability to withstand cyber threats and thrive in an increasingly digital landscape.