How much security is enough?


The world of cybersecurity can be confusing. Organizations learn about new threats they need to protect against all the time. Cisco’s Talos cyber threat research group alone identified almost one new vulnerability per day in 2019. Organisations might have dozens of security products installed, but they may feel overwhelmed by false alarms and endless maintenance. And chances are, they may still find themselves victim to phishing attempts, data breaches or ransomware attacks.

All companies have to balance the level of risk they’re comfortable with against the resources they have to hand to protect themselves. This is especially pertinent in the SMB sector. For these organisations, with their limited resources, playing to their strengths in being able to think and move quickly can be an advantage in tackling and preparing for security threats. Knowing what good preventative security work looks like, and being able to do it, can have more of an impact than getting bogged down in the alerts generated by a whole suite of poorly configured security products.

Higher level thinking

The vast majority (95%) of security professionals surveyed in Cisco’s recent research said they can identify which data and systems within their organisation require the highest levels of protection. However, over half of them also said they’d experienced a significant security event in the past year, whether a breach, intrusion or malware infection. Having a grasp of the priorities is one thing but turning that into a successful course of prevention is another.

SMBs can start by taking stock of where data is and how it’s being shared, whether it’s account records or customer data. One resource that can help in this journey is the Government-endorsed Cyber Essentials & Cyber Essentials Plus assessments. Once these flows are mapped, they can start getting control over changes to systems and resources in a more organised way – so that those who need access can get it, and others are kept out.

Doing this in a thorough way comes from developing this understanding further. Having deep expertise and the influence to push action through can be just as important as larger budgets. After all, one can’t happen without the other.

There’s still a lot of progress to be made in building these skills. Global research from the Center for Strategic and International Studies, for instance, found 82% of employers report a shortage of cybersecurity skills, with 71% believing this talent gap causes direct and measurable damage to their organisations.

This dearth of skills is also borne out by looking at who people within organisations turn to for expertise. Only 37% of respondents to Cisco’s survey felt they rely on internal staff for security know-how, and almost as many (28%) rely on professional networks. As organisations recognise the need for more cyber skills, help is out there.

The Cisco Net Academy is one example of where to find cybersecurity courses. Over the last 20 years we’ve been running the program, we’ve trained more than 8 million students across 180 countries. Whether it’s encouraging young people to consider technology careers or giving the critical introductions to tech topics like cybersecurity that everyone in the workforce can benefit from, it all helps develop the talent we’ll need to tackle this challenge.

Not just an ‘add-on’

Smaller organisations may well lack any specific IT support at all, and so the skills gap can go much deeper than just security. In these situations, tackling this effectively can only come about through a group effort. Banding together and pooling resources, for instance, can help bring in the IT capability many smaller organisations don’t have. Seeing cybersecurity less as an ‘add-on’ to IT infrastructure, and instead as vital to protecting everyone’s interests, is also important. Security is increasingly as much a business conversation as it is a technical one when a successful cyberattack could put an organisation entirely out of operation. It’s not something leaders can afford to ignore.

Building capabilities to execute is the other element in effective security. The more products in play, the more information there is to have to connect. Thinking about security in a more holistic way, and not just pillar-by-pillar, is one way SMBs can make the most of limited resources – reducing the cost, overlap and IT management time required. Automating routine tasks can also be very useful in freeing up time for small teams to focus on bigger priorities.

As the saying goes, knowledge is power. Budget is one part of the equation, but organisations also need to remember that there are other factors in play. By working with peers, sharing knowledge, and building their influence, they can begin to grow their security confidence.

Mark Weir is the director for Cyber Security, Cisco UK & Ireland. Mark has over 25 years of IT experience, with the last 13 years spent leading teams within hyper-growth companies in the cyber security space. Prior to that, Mark worked extensively in the datacentre and applications world, which gives him a unique cross-industry view of IT.