
In an exclusive interview with Cyber Intelligence, Brian Buiwe, Technology Specialist at Sage, explains how SMEs and other smaller organizations urgently need to re-address their approach to cybersecurity.
Cyber Intelligence: How aware are smaller organizations of the growing need for cybersecurity in the face of rapidly growing cybercrime and industrial cyber-espionage?
Brian Buiwe: There is a huge knowledge gap among C-suite executives of small-to-medium-sized enterprises (SMEs), as well as among other professionals such as senior doctors and lawyers, where cybersecurity is concerned. Many do not yet grasp the urgent need for cybersecurity. The mainstream media has actually done a very poor job of keeping them informed of the growing threat facing all sectors.
Cyber Intelligence: Then how do you begin their education in cybersecurity?
Brian Buiwe: It is important to start with a broad view of the issue. For example, we conducted some recent training based around the topic of data security, which is about as wide a topic as you can have. But this enabled us to introduce ancillary topics such as the use of personally identifiable information (PII) in order to understand what constitutes sensitive data. We then broaden the discussion to explain further protocols that can be introduced to safeguard that sensitive information.
Cyber Intelligence: Many small-to-medium-sized organizations supply products or services to larger bodies that hold vast amounts of sensitive and critical data. How aware are SMEs of third-party risk?
Brian Buiwe: This is another area that can be addressed through regular training sessions. SMEs must be made aware of the growing need for compliance with new rulings coming into force across the US and overseas. For example, a company that is based in Texas may supply services to California, in which case it must also comply with California state compliance regulations. Those who provide services on an international basis may also have to comply with upcoming European regulations such as the Digital Operational Resilience Act (DORA), which comes into force later this month.
Cyber Intelligence: Can you give an example of the type of organization that you helped with compliance issues?
Brian Buiwe: For example, a company in a medically adjacent field, such as dentistry, etc., will have responsibilities to safeguard third-party data of which its board may be unaware. When the responsibility for cybersecurity is explained in terms of mandatory compliance, these organizations are generally less anxious to comply, as they understand it is a legal requirement for doing business.
Cyber Intelligence: How much of a problem for SMEs is staff ignorance regarding using the same devices for work and leisure?
Brian Buiwe: This can be a problem, as many SMEs still continue to encourage staff to use their own devices for business use. The Bring Your Own Devices to work (BYOD) approach is still seen as a cost-saver by many SMEs. The organizations concerned are often unaware of how many services and potentially weaponized apps staff have downloaded onto devices they also use for work. In some cases, it is necessary to advise SMEs to invest in supplying employees with dedicated devices for work. This can also help with establishing a work/life balance for staff, who may otherwise suffer burnout from feeling that their devices make them potentially available 24/7. But there is no ‘one-size-fits-all’ solution. It really depends on the type of data each organization handles and which staff require access. In some cases, staff may be allowed to continue using existing devices with further training on how to make them secure.
Cyber Intelligence: Do SMEs still see cybersecurity as an afterthought when planning business growth?
Brian Buiwe: This can be a problem that many organizations need to face up to squarely when they start to grow. An organization with 50 staff or less is in a position to adopt one-off cybersecurity fixes. But when that organization starts to grow, it is no longer advisable for them to do so, as entry points for bad actors will multiply as the business starts to take off. As Sage advises companies on all aspects of their digital and IT strategy, we can also advise on how to incorporate up-to-date cybersecurity safeguards and protocols at appropriate stages as part of an ongoing cybersecurity program. Cybersecurity should be part of an ongoing program and not seen as a periodic one-off.
Cyber Intelligence: Thank you.