Cyber security: when and where to start?
Cybercrime has been on the rise for years, with 48% of companies reporting a cyber attack in 2022 (source: Hiscox Cyber Readiness Report 2022). As a result, many businesses are taking proactive measures to protect their sensitive information, intellectual property, and customer data. However, for small and medium-sized enterprises (SMEs), it can be difficult to know when and where to start with cyber security. Obviously, creating a viable product and capturing market share come first.
Where then does cyber security come into play? And compliance?
In this article, we provide a practical overview of the journey that businesses go through in terms of cyber security, helping SMEs identify where they are and what signs to look for to determine when it’s time to move to the next stage. This includes deciding when to pursue a certification like ISO27001 or obtain cyber security insurance.
Stage 1: Informal measures
Most SMEs recognize the need for information security, and many have basic security controls in place, even if unconsciously.
For example: user credentials are kept personal and multi-factor authentication is enforced on critical services. When cloud services are used, they are configured with the default security settings, which already offer protection against a multitude of security threats. And an e-mail service may be configured with its out-of-the-box phishing protection measures.
However, there may be no formal documentation or policies to describe which measures are needed, when to execute them, or who is responsible. As a result, these measures may not be applied consistently, or operate effectively.
Stage 2: Implementing an ISMS
The next stage is establishing a formal information security management system (ISMS), driven by an intrinsic motivation to 'get it right' or by external factors such as customer demands, licensing requirements, or security breaches.
This involves documenting policies and procedures, and implementing and executing consistent measures. Risk assessments help to detect gaps and unmitigated information security risks. New measures may be needed to mitigate these risks.
However, even an effective ISMS may not be resilient to changing business needs and emerging threats if it does not evolve with the organisation.
Stage 3: Business as usual
In this stage safeguards are developed to prevent the ISMS from growing apart from the business, which causes duplication and other inefficiencies, and a loss of speed and agility. This involves procedures for identifying new or evolving risks, but also for spotting the waste of valuable resources and the loss of business agility that occur when measures are executed 'on top of' the business process rather than embedded in it.
In this stage continuous monitoring and automation of activities are indispensable to reach the final stage, where security controls are continuously monitored and optimised to meet changing business needs and emerging threats.
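As an added illustration (not code from the original post or from Tidal Control) of what automated, continuous monitoring of a Stage 1 control can look like: the script below checks a constructed account inventory against the rule "MFA enforced on critical services", lists the accounts that violate it, and records a digest of the exact inventory it checked so the stored evidence can be tied back to its input. The inventory layout, the field names and the control reference AC-MFA-01 are assumptions; a real collector would pull the inventory from the identity provider or service API instead of a literal.

```python
"""Automated check for one ISMS control: MFA enforced on every critical service.

Added example, not taken from the original post or from Tidal Control.
The inventory format, field names and the control identifier are
assumptions made for illustration.
"""
import hashlib
import json

# Constructed sample export of accounts per service (hypothetical data).
SAMPLE_INVENTORY = {
    "services": [
        {"name": "git-hosting", "critical": True,
         "accounts": [
             {"user": "alice", "mfa": True},
             {"user": "bob", "mfa": False},
         ]},
        {"name": "cloud-console", "critical": True,
         "accounts": [
             {"user": "alice", "mfa": True},
             {"user": "deploy-bot", "mfa": True},
         ]},
        # Non-critical service: out of scope for this control.
        {"name": "wiki", "critical": False,
         "accounts": [
             {"user": "carol", "mfa": False},
         ]},
    ]
}

CONTROL_ID = "AC-MFA-01"  # assumed internal control reference


def evaluate_mfa_control(inventory):
    """Return one finding per account on a critical service without MFA.

    Services not flagged as critical are skipped; an absent "mfa" field
    is treated as MFA not enforced (fail closed).
    """
    findings = []
    for service in inventory["services"]:
        if not service.get("critical", False):
            continue
        for account in service["accounts"]:
            if not account.get("mfa", False):
                findings.append({"service": service["name"],
                                 "user": account["user"]})
    return findings


def evidence_record(inventory, control_id=CONTROL_ID):
    """Build an evidence record: pass/fail, the findings, and a SHA-256
    digest of the canonicalised input so the record is tied to exactly
    the data that was checked."""
    canonical = json.dumps(inventory, sort_keys=True,
                           separators=(",", ":")).encode()
    findings = evaluate_mfa_control(inventory)
    return {
        "control": control_id,
        "status": "pass" if not findings else "fail",
        "findings": findings,
        "input_sha256": hashlib.sha256(canonical).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_INVENTORY), indent=2))
```

Running the script on the sample inventory reports a fail with a single finding (bob on git-hosting); carol's account is ignored because the wiki is not marked critical. Scheduling a check like this and storing its output is the difference between "we enforce MFA" as a policy statement and evidence that it is enforced today.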
Cyber Insurance
Many companies opt to take out cyber security insurance during the initial stages of development. For a long time this was a reasonable decision, as cyber insurance can alleviate the financial consequences of security breaches or other failures, which are likely to occur given the existence of security vulnerabilities.
However, following several high-profile hacks, insurance providers have become more cautious. Premiums have risen, and insurance terms have been updated to reflect these scenarios. Insurers have also increased their onboarding due diligence: to qualify for coverage, an organisation must now demonstrate that a larger set of ISMS elements has been established.
Therefore, it is recommended to first implement an ISMS and then acquire cyber insurance to transfer the residual risk of unforeseen events to a third-party insurer.
ISO27001 certification
ISO 27001 is a globally recognized standard for managing information security. An organization must prove that it has successfully established an ISMS that complies with the standard’s requirements to obtain certification. An accredited certification body performs an audit to verify that the organization has implemented appropriate policies, procedures, and measures to meet the requirements.
While some organizations believe that they must have a flawless ISMS to receive certification, this is not accurate. In fact, the certification process requires management to identify gaps and communicate plans to address them.
And this makes it all the more interesting to start the process early. ISO 27001 is a valuable credential and proof to demonstrate to customers, partners, and other stakeholders that the organization takes information security seriously and has implemented a system to protect their sensitive information and assets.
Fast-tracking your ISMS
The implementation of an ISMS may take anywhere from 2 months to 2 years. This depends on the complexity of the organisation, but in SMEs the process more commonly suffers from a lack of resources, expertise, and focus.
However, more and more organisations are discovering that it is also possible to fast-track the process by using a platform like Tidal Control, which offers an instant ISMS with access to proven documentation templates, a list of concrete tasks to work on, and automated evidence collectors.
Tidal Control is specifically geared for SMEs: It keeps the process simple, offers templates without fluff, and delivers real-time reports to help you track tasks to completion. Lastly, our experts are always by your side to make sure you get an ISMS that fits like a glove.
Conclusion
Cyber security is a critical aspect of any SME's business strategy. With the increasing number of cyber threats and attacks, SMEs need to think about measures to protect their sensitive information, intellectual property, and customer data. But choosing the right approach depends on several factors, such as budget, risk appetite, regulatory requirements, and the expertise available in the company.
Nevertheless, it often pays off to ‘get things right’ from the start and implement an ISMS, because it unlocks favourable insurance terms and builds trust with customers, investors, regulators, and other stakeholders.
Compliance automation platforms like Tidal Control can help fast-track the process and reduce workload significantly by providing expertise, documentation, evidence collection, and project management.
- Written by Dennis van de Wiel, Founder