With cyber attacks hitting the headlines daily, cybersecurity is at the forefront of many business owners’ minds, but choosing the right solutions and knowing what to do to reduce risk is a real challenge for the decision makers in these organizations. The task is even harder for small- to medium-sized businesses (SMBs), which tend to lack the budgets and resources needed to implement the most effective and sophisticated cybersecurity solutions on the market.
U.S. and UK authorities are acutely aware of the cyber threats facing every modern business and of the fact that, contrary to popular belief, they affect organizations of all sizes and industries. Small businesses are not beneath the notice of cyber criminals; quite often they are targeted, if only to gain a foothold in a supply chain from which larger enterprises can be reached.
These attacks can be devastating for SMBs, with studies finding that 60% of small organizations go out of business within six months of a successful cyber breach. This means SMBs must start treating cybersecurity as a priority and conducting the right kind of risk analyses to confirm they are investing in the most cost-effective solutions that work for their business.
What Are Cybersecurity Standards?
The cybersecurity sector now offers many different standards and certifications that businesses can achieve in relation to cybersecurity and information security. These standards give businesses a set of techniques, controls, and processes that they can implement in order to reach and maintain a defined level of security.
By declaring that they are aligned with a chosen security standard, businesses can demonstrate far greater credibility to stakeholders, insurance providers, potential clients, and potential partners. This is just one of the many benefits that come with achieving a standard.
There are plenty of frameworks and standards to choose from, some better suited to large enterprises and others a good starting point for SMBs that are just beginning their cybersecurity journey.
General Data Protection Regulation (GDPR)
GDPR is the European Union’s framework for data protection, and since 2018, it has been mandatory for all European businesses that process and handle data. There is no mandatory certification for GDPR, but compliance can still be demonstrated.
Businesses can demonstrate compliance with GDPR by documenting all data processing activities; implementing data protection measures such as policies, training, and audits; and, where appropriate, appointing a Data Protection Officer (DPO). The Information Commissioner’s Office (ICO) will look to these records if a GDPR breach is suspected, and failure to comply can leave businesses liable to hefty fines of up to 4% of annual turnover.
It is worth noting that following Brexit, the UK is no longer regulated domestically by GDPR. Instead, it has its own version, known as the UK-GDPR, which sits alongside an amended Data Protection Act 2018.
Cyber Essentials
The UK Government’s Cyber Essentials scheme was developed in 2014 to give small- to medium-sized businesses a simple and affordable way of achieving a good standard of cybersecurity. Consisting of five critical technical controls, Cyber Essentials can help businesses protect against 80% of common cyber attacks.
There are two levels of certification: Basic, in which an organization completes an online self-assessment to review and attest to its own compliance; and Plus, in which a qualified assessor carries out a technical audit of the organization’s systems to verify alignment with the standard’s controls.
ISO 27000 Series
The ISO (International Organization for Standardization) standards are internationally recognized and cover a wide range of cybersecurity techniques and best practices. The best-known and most sought-after standard among businesses, ISO 27001, specifies the requirements for an Information Security Management System (ISMS).
Establishing a well-run ISMS helps businesses of all sizes and sectors minimize information security and privacy risks by developing effective risk management processes and policies. Achieving this certification also helps businesses demonstrate compliance with data protection regulations such as the UK-GDPR and the Data Protection Act 2018.
NIST Cybersecurity Framework
The Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) provides guidance to organizations of all kinds, helping them work towards a high level of cybersecurity and resilience. The framework is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. By aligning policies and processes with these functions, businesses can demonstrate their proficiency in identifying and addressing cyber risks.
Health Insurance Portability and Accountability Act (HIPAA)
Certain standards are targeted at a particular industry. For example, the Health Insurance Portability and Accountability Act (HIPAA) is the standard for patient data protection within healthcare organizations in the USA.
Passed in 1996 as United States legislation, HIPAA requires all organizations in the sector to comply with the physical security and cybersecurity measures it sets out; failure to do so results in fines that can be very costly. According to HIPAA enforcers, in 2019 the average financial penalty was more than $1.2m.
Why Are These Standards Important?
There are obvious benefits for businesses that meet these standards, because doing so requires actively implementing the measures, processes, and policies that improve their security posture. This in turn reduces the chance of a breach, and if one does occur, it ensures the business is prepared with incident response and business continuity plans to minimize the damage.
Standards and certifications are also a way of communicating directly to clients, stakeholders, suppliers, partners, and any other organizations you work with or intend to work with that your business takes cybersecurity and data protection seriously and has taken concrete steps to demonstrate this. Businesses that achieve certification or align with these recognized frameworks often find an increase in new business opportunities, or become eligible for contracts that require these standards to be met. Certification can also help when applying for cyber insurance, as it provides evidence of cybersecurity efforts and is likely to reduce premiums.
Aligning with formal security standards is a great way for businesses to properly structure their approach to cybersecurity and, in many cases, receive recognition of these efforts in the form of a certification. For the SMB that may be more stretched in terms of budgets and resources, achieving these standards is an affordable way of improving security without having to invest in highly sophisticated cybersecurity products and services.
Using standards to lay the foundations of your business’s cybersecurity strategy allows you to better understand what your business needs and to choose the correct solutions to protect against your identified risks. Not only does this save money by avoiding the purchase of inappropriate or irrelevant products and solutions, it also gives you a framework on which to base future security decisions and ensures that any investment delivers a measurable outcome.
About the Author: Clive Madders is CTO and Chief Assessor at Cyber Tec Security, and he works directly with businesses going through the Cyber Essentials certification process. With over 25 years of experience in the cybersecurity industry, he has built up an extensive repertoire, delivering managed ICT support services, Cyber Essentials certifications, and advanced security solutions to help improve the cybersecurity maturity of businesses across the UK.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.