For the many cybersecurity practitioners living in the shadow of threat actors and adversaries, I can’t even imagine what the battle is like, and for businesses still struggling to establish a baseline cybersecurity solution for their operations, I commend your efforts. We are all living on the edge in anticipation of an attack soon to come, already in place but haven’t been detected yet, or recovering from a terrible attack.
Living on the edge means living in fear of the unknown or what is to come. For small and medium businesses with inadequate security controls in a place characterized by budget constraints, inadequate expertise, and lack of capability and influence, it is obvious that you need assistance to complement your efforts.
Security Poverty line (SPL) is a baseline minimum-security posture that every company should maintain. it does not only address challenges faced by small and medium businesses that struggle to meet up with baseline security and regulatory requirements but also large or big corporations that underinvest in security.
We live in a digital ecosystem where most, if not all businesses rely on other businesses for survival. No business operates in isolation but rather a constant “food chain” of businesses surviving on the operations and assurance of other third-party businesses. This supply chain creates an environment of dependency and therefore a need for all businesses to operate under a baseline security obligation across all domains since an attack on one business has the surest tendency to impact other businesses in the supply or “food” chain.
It is, therefore, necessary that cybersecurity organizations, regulators, and communities come together to address challenges facing businesses, especially small to medium businesses, to rise above the security poverty line in order to sufficiently ensure that all businesses attain practical, consolidated, and matured security posture that ensures the security of all.
SMBs are in dying need of support and assistance. If we don’t address the least prepared in the world, the most prepared will suffer.
Data shows that SMEs are the most attacked and experience most security incidents; 43% of attacked were targeted at SMEs in 2019 and 46% in 2021 (Verizon). 36% of SMEs consider themselves below the Security poverty line (Duo Security, 2019) and 75% of healthcare providers that fall within the SME bracket are below the SPL. It is even worrying to know that security incidents in 2018 affected 67% of surveyed SMEs (Accenture). SMEs that face critical security incidents collapse in 6 months. Now, treat landscape has widened, attack surface has increased, and attacks are even more complex and sophisticated.
Four known reasons underpin the struggles of businesses below the security poverty line;
Security in itself is very expensive. There is no finish line for security, there is no shopping list for security. You cannot go to the market and buy all your security needs. Unfortunately, many SMEs are not prioritizing investment into cyber security which exposes them to attacks.
For most organizations below the SPL, money is a major constraint. Small businesses are swelled up with regulations and standards equal to that of large organizations. When budget is tight, security suffers. SMEs need to outsource their security program to Managed Security Service Providers (MSSPs) that can offer them affordable service but at best quality. There are many vendors that provide a budget friendly MSSP for SMEs. These MSSP takes care of the operationalization of your basic security needs, with the expertise, procedures, and right technology to manage them. Buying a security product is costly and operating or running the product is even costlier than the product as you will need the right people and environment to manage the product. MSSPs know what your security needs are, the requirement from regulators, compliance, and a better structure to defend and respond to incidents.
Large companies and corporations hire the best talents leaving a budget constrained SME to struggle with hiring. It is very critical that SMEs employ people who have the requisite expertise to help in their security. They are usually understaffed or do not have personnel with the rights expertise to manage security. Security is too delicate and critical to be handled by practitioners who do not have the best industry license or certifications.
There are various MSSP agreements that SMEs can buy into. SMEs can sign training agreements with MSSPs for their small, amateur security teams or even sign a supervisory agreement with MSSPs to assist to manage their SOC. There are Cyber communities and tech bodies that SMEs can also reach out to for assistance at little to no cost.
Building operational capability is a tedious task. Most of the security teams of particularly the SMEs do not have the capability to handle new threats and attacks that are facing the industry. Cyber defense capability is the ability for an organization to successfully prepare, prevent, detect, and respond to cyber-attack. Obviously, capability deficiencies result from lack of expertise and budget constraints.
The capabilities are very complex, and require technical, strategic, and operational abilities of cyber security practitioners to confront a cyber threat. This notion requires the development of strategic tools for active and passive defense and collaboration with other key players.
Influence plays a very paramount role in establishing defense. Disinformation, technological evolution and digitization are major influences on the present threat landscape. Ghana’s digitization agenda will be a major influence in the country’s threat landscape going forward. The type of technology we deploy, the economic and industrial transformation that takes place and the verticals within which rapid digitization takes place will determine what kind of threats we will face. The economic downturn and global recession taking place will have adverse impact on countries. Cyber fraud cases have the tendency to peak due to economic pressures. These threats will come in various dimensions and forms.
There will be influences on network, email, cloud or security service adoption as the threat and vulnerabilities across these platforms and services multiply.
A large majority of SMEs and institutions that play a critical roles are silent because the industry or communities are receptive to the most vocal and most active entities. Businesses that can sponsor security conferences and training. Sadly, companies with the most expertise take the center stage in decision-making.
There’s a large group out there below the SPL that are struggling to deal with these security problems. They’re not really getting the voice that they need, and as a security community we need to try to focus more on helping them solve those problems.
Daniel Kwaku Ntiamoah Addai,
Computer/Cyber security, Digital/Memory/Malware forensics, Forensic Investigation and Audit,
Networking, and an excellent researcher in the field of Information communication and