Cybersecurity on a Budget
THE PUSH FOR businesses to adopt new technologies such as Cloud Computing and AI is inescapable. Quantum Computing is likely to be the next emerging technology, with its own opportunities and challenges. For St. Vincent and the Grenadines, and other CARICOM countries, digital payment solutions, central bank digital currencies, and digital IDs are imminent. The need for small and medium-sized businesses (SMBs) to adopt new and emerging technologies is obvious; the reality is to evolve or go extinct.
October is internationally recognised as Cybersecurity Awareness Month, dedicated to raising awareness of the importance of taking daily action to reduce risks when online and when using connected devices. This year the focus is on government entities and small and medium businesses. Let’s take a moment to focus on SMBs and devise an approach for managing cybersecurity risks, and information security risks as a whole, on a limited budget. To do so, leadership should start by asking themselves a series of questions: what, how, who and which.
What asks the key question: “what critical information assets, or ‘crown jewels’, within the organisation are most worth protecting?” This is not a simple question, but it sets the premise for how much may be spent protecting all assets. How asks: “how would those assets be impacted by any loss of confidentiality, integrity or availability?”
Confidentiality may be impacted by data leakage or disclosure, whether accidentally or intentionally. Integrity may be impacted due to system error, miscalculation, misconfiguration, incorrect user input, or unauthorised changes.
Availability may be impacted due to system error, application/hardware failure, loss of utilities, or an attack using malicious software such as ransomware.
Who asks, first: “who is the source of information security incidents, whether accidental or deliberate: nature, the environment, staff members, third parties, organised hacking groups, state-sponsored hackers, or hacktivists?”
The second who component asks: “who within the organisation is accountable for protecting critical information assets?”
Typically, the accountability for information security lies with the Board of Directors and Senior Management.
The third who component asks: “who within the organisation is charged with the responsibility for protecting the critical information assets, as appointed by the organisation’s leadership?” Those responsible should be persons with a strong understanding of risk management, and should exclude the persons in charge of implementing and managing the technology, because of the risk of self-policing.
Which is the last question and takes all the previous answers into consideration, asking: “which risk-based, prioritised approach to those answers should the organisation take?” This ensures an adequate level of comfort that critical information assets are protected without unnecessary spending.
A white paper by security firm Mandiant, titled “Security Program Focus by Industry,” provides examples of how companies in the Financial Services sector typically focus their security efforts on security awareness training, host and endpoint protection, and incident response.
For Government entities, the focus areas were identity and access management, data protection, security risk management, and incident response. The answers to the questions above will help guide the areas of focus for your organisation.
Contributed by: Dwight Robinson, Tel: 1-784-434-3406, dwight@securebusiness.systems
