The Small and Medium-sized Enterprise (SME) sector may not match large enterprises in scale of operations, but SMEs are just as susceptible to cyberattacks, if not more so:
- 54% of SMEs in the UK have experienced a cyberattack
- The majority of ransomware victims in Singapore were SMEs
- 43% of cyberattacks target SMEs in India and 60% of such victims go out of business within 6 months
- SME employees experience more than twice the number of cyberthreats compared to users at large enterprises
Why Do Threat Actors Target SMEs More Than Large Enterprises?
All digitally-enabled enterprises, irrespective of their scale of operations, are vulnerable to cyberattacks as digital infrastructure forms the backbone of their business; they connect to the outside world using the internet; and their operations depend on accessing, analysing, and archiving large volumes of data. SMEs, however, may not have the digital defences of large enterprises to prevent cyberattacks, and may be more likely to pay a ransom quickly as their resilience and capacity to withstand downtime is limited.
Cyberattackers, therefore, increasingly target SMEs because their attacks are more likely to be successful and financially rewarding. As a consequence, SMEs will have to adopt the cybersecurity approach of large enterprises, as they face the same risk.
How Large Enterprises Stop Cyberattacks
While large enterprises undoubtedly have the resources to deploy many cybersecurity solutions employing sophisticated technology to defend their operations, the critical differentiator is the Chief Information Security Officer (CISO) who is appointed by large organisations but is usually not found in SMEs. Technology solutions that are appropriate for SMEs are available, but the insight and leadership provided by a CISO cannot be replaced by a suite of products.
How Large Enterprises Benefit from CISOs
The CISO is the cybersecurity leader for the entire organisation. While the Chief Information Officer (CIO) is responsible for the IT infrastructure, the CISO is responsible for maintaining the digital security of the enterprise, which extends beyond IT; for example, the CISO will work with HR to ensure that new hires are adequately vetted to avoid cybersecurity concerns.
The responsibilities of a CISO include:
- Assessing the gap between the organisation’s current and required cybersecurity posture
- Formulating the cybersecurity strategy
- Creating a cybersecurity roadmap that aligns with the enterprise’s growth strategy
- Developing cybersecurity policies, procedures, and standards
- Framing a cybersecurity budget
- Engaging with the Board, investors, and other stakeholders on cybersecurity matters
- Developing hard and soft cybersecurity infrastructure
- Identifying and managing cybersecurity solution vendors
- Ensuring compliance with relevant cybersecurity regulations
- Assessing and initiating cybersecurity training requirements
All the above would benefit SMEs as well, which is why they should have CISOs – but they face several challenges when appointing cybersecurity leaders.
Why SMEs Don’t Appoint CISOs
Despite the many benefits of appointing a CISO, many SMEs do not have a CISO in their leadership team because:
- SMEs may find it difficult to budget for the remuneration of a good CISO as they are actively recruited by large enterprises
- The shortage of cybersecurity professionals makes recruiting CISOs time consuming and expensive
- Retaining CISOs can be challenging due to the high demand for their services
SMEs can overcome these challenges by appointing a vCISO.
How vCISOs Benefit SMEs
The vCISO (virtual CISO) is an outsourced cybersecurity expert who provides security leadership on an as-needed, on-call basis. The vCISO overcomes the challenges faced by SMEs in appointing a CISO as:
- SMEs do not need a full-time CISO, and a vCISO serves multiple organisations, so SMEs gain CISO services at a fraction of the cost of a full-time CISO because the vCISO’s cost is spread across several businesses
- Vendors who offer vCISO services can immediately provide a vCISO to a client, eliminating the time and cost of recruiting a CISO
- SMEs do not need to worry about retaining CISOs, and vendors are able to retain the vCISOs they recruit as they can offer competitive remuneration and a stimulating work environment
SMEs also benefit from vCISOs serving multiple clients as vCISOs have exposure to a wide variety of industries and regulatory environments, enabling them to anticipate the SME’s cybersecurity and compliance requirements as the SME’s business evolves. The vCISO delivers cyber defences customised to suit the SME’s requirements and budget, helping the SME avoid ineffective and expensive cybersecurity solutions.
What SMEs Should Look For in a vCISO
A vCISO needs a basket of skills to be effective in their role, combining technical and managerial acumen with the agility to work with multiple clients simultaneously. When evaluating a prospective vCISO, the SME should look for:
- Cybersecurity Expertise – The vCISO should be an expert at the technical aspects of enterprise cybersecurity with a track record of effectively managing cybersecurity risk, framing cybersecurity policies, implementing disaster recovery measures, aligning the People, Process, Technology framework with cybersecurity best practices, and advising businesses on digital governance
- Regulatory Familiarity – Compliance is a critical part of the modern enterprise’s cybersecurity posture, due to stringent penalties for violations. The SME should assess the vCISO’s familiarity with the regulations that apply to their business; for example, a healthcare provider in Abu Dhabi should ensure their vCISO is familiar with ADHICS. SMEs that operate in multiple regions, or serve clients with operations in several regions, should seek vCISOs with multi-jurisdictional expertise
- Board Interaction – The vCISO should be able to frame the organisation’s cybersecurity strategy and advocate for cybersecurity with the Board and other C-suite members. Persuasive communication, with the ability to understand the concerns of a wide variety of stakeholders, is required for the effective discharge of a vCISO’s duties
- Affiliation – The vCISO should be affiliated with a reputed cybersecurity provider and have extensive networks with vendors to be able to quickly improve the SME’s cybersecurity posture by deploying required cybersecurity solutions
- Multi-client Expertise – The vCISO should have consulting experience or exposure to other environments that require working with multiple clients who have varying budgets and operational requirements
K7 Security provides comprehensive enterprise cybersecurity products and services, including vCISO services, supporting any scale of operations. Contact Us to learn more about how we can help you protect your enterprise operations with robust cybersecurity customised to suit your requirements.