The Most Commonly Asked Information Security Questions by SMEs

We put our cybersecurity expert, Tony Giles, Director of Information Security at NSF, in the hot seat to respond to some of the main concerns we hear most from small and medium-sized enterprises as they embark on their information security journey.

The news headlines often bring us stories of high-profile corporate giants who’ve been targeted by cyber-attacks, and the lasting impact they can have. But no organization, big or small, is immune! The importance of Information Security is generally understood. But if you’re an SME with a small team, you may not feel confident in taking the first steps.

We put our cybersecurity expert, Tony Giles, in the hot seat to respond to some of the main concerns we hear most from small and medium-sized enterprises as they embark on their information security journey.

Due to the fast-moving nature of the cybersecurity landscape, Tony is often asked about the latest developments; the latest scams, tools and best practice. Cybersecurity is a topic often associated with the bad press of data breaches and cyber-attacks. So, it was great to hear Tony reflect on some of the good news stories from 2023.

Q: What was your cybersecurity highlight of 2023?

A: In 2023 I was so impressed to see all citizens in Costa Rica being offered information security training, helping to build awareness and a culture of cybersecurity across the entire country. It is this scale of awareness that helps make a huge difference in safeguarding information, be it organizational or personal.

It’s also been encouraging to see Information Security Officers taking a prominent place around boardroom tables, driving conversations around information security at the highest level and elevating its importance.

And when asked about the threats that organizations faced most in 2023, Tony offered the following insights.

Q: Looking back to 2023, what were some of the most common security threats that you saw?

A: Throughout 2023 we saw continued supply chain threats, ever more sophisticated phishing attacks, more simulated spoof pages, and a rise in social engineering (including via phone calls) where potential attackers seek to gain the trust of employees to access an organization’s network. Unpatched networks and vulnerable machines remain commonplace. And insider threats (risks that originate from inside an organization) continue to be an area of focus, particularly for the Department of Defense in the Cybersecurity Maturity Model Certification (CMMC) space.

Because the world of information security is ever-changing, guidelines, requirements and rules evolve too. So it is crucial for organizations of all sizes to stay up to date to ensure they are meeting any requirements specified by their industry sector, customers, or other stakeholders.

Q: What impact do the new SEC cyber rules have on different size organizations?

A: Securities and Exchange Commission (SEC) rules typically applies to large organizations with large supply bases. However, smaller corporations should be getting more familiar with contractual and/or regulatory requirements that apply to them too because they will have some level of access to data. Supply bases are diverse, and some suppliers may be SMEs with more limited personnel and budgets.

Many SMEs recognize the importance of kick-starting their information security journey but may not have the resources of a larger organization to dedicate to it. The team has some great insights and tips to help address this challenge.

Q: What are the first steps we should take to secure our business from cyber threats?

A: This question is very common from SMEs where budgets and resources are limited. But the first step doesn’t have to be daunting. What’s key is it’s achievable.

Firstly, organizations should undertake a risk assessment to identify their risks. This can throw up both digital and physical risks, from password control weaknesses to increasingly sophisticated phishing email scams, to doors being left open. Remember, risks are not always digital. Physical security threats are not always recognized as information security risks, but they certainly can be.

Once you’ve completed your risk assessment you will be able to identify your organization’s areas of weakness. And from here you will be able to design and deploy some form of training for your teams. You can start with the basics and build on this foundation over time. What’s key is that the discussion is started!

And the question of budget is a common concern too.

Q: How can we create an effective information security policy on a limited budget?

A: Not all organizations are audit-ready. We often see this when working with organizations looking to certify to ISO/IEC 27001 Information Security Management. We start with the basic principles, and a statement of applicability.

It’s not necessary to acquire new firewalls or security monitoring tools to get started. Initiating the discussion and raising awareness is the best place to start.

Q: How are small to mid-size companies handling the financial challenges involved in improving their cybersecurity posture? What is a typical budget?

A: The budget will depend on the organization’s abilities.

Our goal at NSF is to make Information Security accessible to all organizations. So in 2023 we launched NSF CyberSecure. The NSF CyberSecure platform provides the first step in a company’s Information Security journey, building a strong foundation based on the key elements of information security. Designed with price-conscious SMEs in mind, it’s available via an annual subscription of just under $1500 and provides an entry point to developing information security policies. It also includes training. It’s self-paced and scales with you.

If you’re looking to work with a customer who contractually requires you to demonstrate a level of information security maturity, NSF CyberSecure provides you with the documentation to support this request.

Where certification to a specific information security management system standard or program is specified, certain grants may be available.

Because resources in SMEs can be stretched, organizational leaders are not always confident they have the bandwidth to focus the time needed on information security and raise the question of outsourcing. Here are Tony’s perspectives on this.

Q: Can we handle our security needs in-house, or do we need to outsource?

A: It’s all about the best organizational fit.

Managed Service Providers (MSPs) can work well for larger organizations, and this is often the case for our bigger clients.

For example, if you have complex and sophisticated networks, your vulnerability assessments will need to take account of this, so working with a MSP can be a good solution.

However, for SMEs, building your own information security policies and executing training on those policies can be perfectly effective.

In my experience those who succeed are those who take ownership of the security culture within an organization. You may seek support in building your policies but cascading them to your teams in a meaningful way is within your gift.

And building on the topic of security culture, our smaller clients often raise the question of cybersecurity training.

Q: How can we train our employees to be aware of cybersecurity threats?

A: There are various ways organizations can create a culture of security and keep information security top of mind.

Phishing tests are one example. Within NSF we’re running a contest right now to see who can report the most accurate phishing emails. We’re leaning on the concept of gamification to generate interest and enthusiasm.

In a similar vein, organizations might consider low tech table top exercises where scenarios can be demonstrated very effectively. For example, you might set your team the task of responding to a scenario where an intruder has gained access to the office during the night shift. You might challenge them to tell you what happens next, who they should approach, do they call security, which supervisor do they inform etc.

Password management and vulnerability assessments are common concerns for smaller and medium-sized companies. Here are some basic observations from Tony on these two important themes.

Q: What are best practices for password management for small organizations?

A: Don’t reuse passwords, change them regularly, make them dynamic, and use a pass phrase. The longer the better!

Multi-factor is best practice, in fact standard practice. If you don’t have this in place, look to implement it. If this isn’t possible, ensure your password change process is as robust as possible. E.g. change passwords every 90, or even every 45 days.

Q: How can we start a vulnerability assessment?

A: A vulnerability assessment is a scan of the network to identify logical or network risks associated with your computer environment, for example, is something unpatched, are there any misconfigured servers or open ports.

There are lots of tools for conducting vulnerability assessments. Start with something simple that will give you an entry point.

Building on the subject of tools, we often hear from organizations who feel they need to invest in tools before they get started.

Q: Do I have to have a cybersecurity system or program developed to benefit from the NSF CyberSecure tool?

A: No! You don’t need anything in place to benefit from the tool. Not all organizations want an audit, so we developed this tool to help them take their first steps, including the training that’s included as part of the NSF CyberSecure package. It’s an economical solution, with no prerequisites and is even available as a free trial initially with support if needed. And if you have pre-existing policies, the tool has a machine learning component that will check them for you, highlighting any missing key elements.

At NSF we want to make Information Security accessible to all organizations. The NSF CyberSecure platform provides the first step in a company’s Information Security journey, building a strong foundation based on the key elements of information security.

Via our platform, organizations can build a security framework that encompasses Information security best practices, which they can customize to their needs.

NSF CyberSecure Offers:

• An intuitive platform that provides real time feedback on your existing policies using Artificial Intelligence (AI) technology
• A policy builder function, which helps generate policies on demand
• A repository for information security policies with robust version control
• A cost-effective annual subscription, with the option of a free trial

Please note that any suggestions made in this article do not constitute consulting and following any of these suggestions is not linked in any way to the granting of certification.