Why midmarket companies ignore cyber security risk


As a managed cyber security service provider, we speak to midmarket organisations about their attitudes and approaches to managing cyber risk on a daily basis. While Board members and senior executives alike tell us that protecting themselves, their partners and their customers from cyber attacks is a priority, their methods vary greatly, and more often than not the measures they have put in place don’t match up to the level of the threat they face. Why do so many midmarket organisations choose to bury their heads in the sand when it comes to managing cyber risk, and what can be done to help them address it?

Are we really a target?

To put it simply – yes. Cyber attackers and hackers know that large corporates will likely have a robust cyber security defence in place, consisting of advanced threat protection technologies, a well-educated workforce, and processes and procedures that adhere to the highest information management standards such as ISO 27001. Smaller organisations are often not as well protected and can be easy pickings. As an added bonus, if they have decent-sized customers and suppliers, they can be used as a way of infiltrating those networks too.

The IT/ICT team takes care of it

Cyber security is often regarded as falling within the remit of either the internal technology team or an ICT provider. This is a mistake. Even if you have dedicated in-house cyber security specialists, and you’re far from alone if you don’t, cyber security is an organisation-wide issue that deserves attention from the Board level down. Ask yourself, which Board member has direct responsibility for managing cyber risk? If the answer is no one, that needs to be rectified.

Many midmarket companies rely on external ICT providers for their networking, storage and communications needs. But that doesn’t necessarily mean that they are best placed to protect those systems and applications – cyber security is a specialist discipline that generally falls outside of the skillset of IT generalists. In fact, unless you have a contractual agreement in place, they may not even know that you expect it of them.

Most importantly, cyber risk is far from purely a technology concern. Process and educating your people are just as important, and your ICT provider and/or internal technology team will not, and should not, be expected to drive and take sole responsibility for it.

It’s too expensive and/or complicated

If you’re attempting to build your own cyber security function, acquire the necessary technologies and put the required processes in place yourself, then yes – it’s going to get pricey and has the potential to get messy. Before you can decide what to invest in – in terms of products, people and processes – you need to know what your most valuable assets are and how exposed they are to a potential cyber attack. Only then can you figure out the best way to protect them. You’ll also want to make sure that you have complete control over, and visibility into, how well protected you are, and be able to demonstrate that level of protection to your customers and other stakeholders. Increasingly, financial institutions and online businesses are performing risk assessments of their suppliers and asking them to meet certain cyber security standards. If you are unable to do this, you risk hindering the growth of your business.

We have more important investment priorities

We get it – cyber security isn’t a revenue-generating activity, so it’s not seen as being as important as developing your new customer portal or investing in a new ecommerce website. But consider what would happen if your website were taken offline for 24, 48 or 72 hours and no one could place any orders, or the conversations you’d be having if a ransomware attack meant that you weren’t able to access any data or systems for a week. It sounds extreme, but it happens. All the time.

A cyber security and/or personal data breach has the potential to prevent your business from operating in the short term, but the ramifications are far more wide-reaching in the medium to long term. The cost of containing and recovering from a breach can run into tens of thousands of pounds, and the damage to your brand reputation is impossible to put a figure on. Who knows how many potential customers will decide you’re simply not worth the risk?

Cyber security risk should be treated in the same way as any other risk to your business – be that from fire, natural disaster or global pandemic. It must be planned for and it must be managed appropriately. This means getting a handle on the online assets which are of most value to the business, establishing how exposed they currently are, performing basic IT hygiene and maintenance, and training your users to be cyber aware. It also means planning for the worst-case scenario and developing a cyber security incident response plan if you don’t already have one.

By not adequately addressing cyber security risks your organisation effectively becomes a risk itself – to your customers and partners. As your peers and suppliers up their cyber security game in order to remain competitive and attract new business, so you will have to do the same. If the pandemic has taught organisations anything it is that long-term value and sustainability are crucial to success, and those organisations that can proactively demonstrate their commitment to preventing a cyber incident are best positioned to achieve it.

While it can be expensive and complex to build and maintain an in-house cyber security function, there are alternatives. Cyber Security as a Service (CSaaS) is a subscription-based cyber security management model that brings together the three fundamental pillars of a comprehensive strategy – people, process and technology – and gives organisations a near real-time view of their cyber risk position. The most advanced services can also incorporate any existing technology investments you’ve made into that view. Take a look at another blog post to find out more about CSaaS and whether it’s right for you.


Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.