For as long as we’ve has been hearing about cyber incidents involving the theft of sensitive company data, we have been hearing from regulators, cybersecurity experts and business leaders about the importance of helping organizations become more secure and cyber ready. Yet, these discussions often fail to include small and medium-sized businesses (SMBs), the organizations making up our supply chains and serving as the backbone of the global economy that struggles to address these challenges with limited resources.
SMBs represent a critical vulnerability in the effort to improve the cyber defenses of all organizations in this interconnected global economy. These under-the-radar companies account for approximately 99% of firms in Organization for Economic Cooperation and Development (OCED) countries, a population that is too large, complex, and important to ignore or believe can be addressed with a one-size-fits-all solution.
To meet this challenge, there are several steps we can take to help SMBs that will pay dividends for every organization. For starters, being cyber ready is about people, not technology. The sometimes-innocent actions (or inaction) of our employees, colleagues, partners, suppliers and customers are the underlying cause of most cyber breaches. There are basic, common-sense actions we can take to secure our businesses and public institutions more effectively. Through an approach emphasizing training in good cyber hygiene practices, we can encourage SMBs to build a culture of cyber readiness. SMBs see value in this approach because it’s non-technical, low cost and can help avoid human error behind many breaches.
Companies including Apple, Mastercard, Microsoft and Principal Financial Group recognize the value of this approach. With self-guided training programs focusing on four key cyber issues—passwords, software updates, phishing awareness and secure file sharing—SMBs can develop policies, procedures and train employees.
The cyber battlefield is an ever-shifting landscape as attackers keep adapting, adding new tricks and exploits. Those trying to thwart an adversary that is constantly evolving must adjust tactics, adding new features to make it easier to implement effective cyber policies, prioritize what assets are most important to protect and develop business continuity plans to help businesses respond and recover should they be breached. We also need to make it easier to train employees by including short training videos and materials that can be shared within an organization to build awareness and gain commitment to best practices.
Today, this message is reaching only a fraction of global SMBs. Due to low awareness, lack of easy-to-understand and implement advice and proper incentives, SMBs are slow to adopt even the free policies and procedures that are available to improve their security.
As we look to the next five years, we recognize that to make our global institutions—large and small—more secure we need to focus on specific actions to assist SMBs. We see three areas to address:
1. Awareness: To scale global outreach, public and private institutions have an important role in reaching global SMBs through training programs offered by local cybersecurity organizations in most large economies and by organizations that maintain global supply chains taking a vested, active interest in improving the cyber readiness of their suppliers.
2. Implementation: Create a global standard certification process for SMBs recognized and supported by private and public institutions. To help make that a reality, we need to establish a global training network of qualified cyber coaches available to help local SMBs implement the policies and actions required to certify their organization is cyber ready.
3. Incentives: Establish incentives for SMBs to improve their business resiliency and security. For SMBs that produce evidence they have taken steps to make their organization cyber ready, why not automatically qualify them for a cyber insurance policy, perhaps even at a lower premium? To encourage good cyber readiness habits, large companies that operate global supply chains can create a preferred supplier category for SMBs that have gone through the Cyber Readiness Program or a similar certificate program.
In our interconnected and interdependent world, we need to ensure all SMBs are cyber ready if we want every business to be secure.