Shortcut: Get started right away !
Actually, you want to be sure of three things:
- That no one can view or read your most important business data >confidentialiteit
- That the processes and data in your systems are accurate and traceable> integriteit
- hat the applications and data are there when you need them >beschikbaarheid
In itself, this is still very simple, but these basic requirements are threatened by potential dangers that can disrupt this security. And you hear a lot about these dangers in the press and advertisements. The goal is to scare you about mysterious hackers who will become a cyber disaster for your company. The hope of all these doomsayers is to frighten you so that you buy their solution and get an illusion of security that lets you sleep soundly again. Fear is a bad advisor.
Let me first debunk a few marketing myths about information security:
- Cybersecurity is not a hype du jour that will disappear soon and in which you should not invest too much time. Just as it is certain that we will all eventually die and have to pay taxes, keeping our digital life secure will always remain important and on the agenda. Just as you have to submit your VAT declaration or organize workplace prevention, you will also have to get your cybersecurity in order.
- There is no one who can offer you a magical solution that allows you to get this in order without effort, no matter how many euros you transfer to their bank account, how impressive the marketing is, or how many lights are on the box they sell to you. You can seek a partner to help you with your security or parts of it, but you will have to be the driver of your cybersecurity yourself.
- Last but not least: absolute security does not exist. There is no one who can offer you a 100% guarantee. Therefore, it is also very important to plan for when things go wrong, so that you can react correctly at that moment, limit the damage, and quickly get back to work. Intelligent companies do not plan so much only for cybersecurity but also strive to be cyber resilient. Cyber resilience is how well an organization can handle a cyber attack and how quickly it can function normally again afterward. And there is one certainty: you will be attacked and sometimes these attacks will be successful.
Nice blah blah and theory, but how do you actually put that into practice?
The very first, boring task is to make an inventory. An overview of everything you have within your organization in terms of devices, infrastructure, applications, processes, and data. Because if you don’t know what you all have, how can you ever secure it? So grab a sheet of paper (or an Excel sheet) and start listing as much information as possible. The second important step is to list what you must comply with as minimum requirements:
- Legal requirements: the EU privacy legislation GDPR, the NIS2 stricter cyber rules, the Cyber Resilience Act in general, and specific requirements that your type of business or vertical in particular must comply with.
- Contractual requirements: what have you contractually promised to your customers? What agreements have you made with them?
- Desirable requirements: what does your organization itself expect as minimum requirements regarding, for example, the availability of applications.
Based on these inventories, you can then conduct a risk analysis.
In the world of cybersecurity, we don’t talk so much about dangers but about risks. It is very important to understand what these risks are. Simply explained, a risk is a problem (it doesn’t even have to be an attack as such but can, for example, also be a power outage or a fire) that has a certain impact on the functioning of your organization. The second important question is how likely it is that this problem will occur. Risk can therefore be calculated by multiplying the impact by the probability that it will occur. An example: the chance that you get a virus somewhere is very high, the impact of this can be large, so that is a big risk. The chance that a superstorm comes in the North Sea that floods Zeeland and West Flanders is once every 17,000 years, the impact is enormous but because this has a small chance, the risk is very small.
Once you know the risks, you can take actions to prevent them, limit the impact, pass them on to others, or you can simply accept them. By taking these measures, you can limit the risk and the impact.
Now you are not going to eliminate those risks all at once, but it forms the basis of an information security plan that you will implement step by step and document as much as possible. Without a written, documented plan, it remains mainly good intentions.
In that plan, there are a lot of ways in which you will tackle all this:
- With all kinds of technical or practical solutions
- On paper with policies, good procedures and good (contractual) agreements
- With additional measures such as cyber risk insurance
Afterwards, this becomes a permanent process in which you as an SME will monitor the cyber resilience / security of your organization in an eternal circle of information security. Often, the Deming Circle is used for this. Better known as P(lan)D(o)C(heck)A(ct), it is a bit of common sense packaged as expensive consultant talk from integrated quality management.
Get started yourself with our help!
Fortunately, you don’t have to start from scratch without a foundation or help. There is a lot of material available online with sample documents, sample plans, Excel sheets, etc.
The EU has also understood that this will be a challenge for SMEs and has given a consortium of EU companies the necessary resources to help SMEs get up to speed. With CYSSME, we have developed a complete improvement programme for SMEs to get your SME up to speed, with the support of the EU.
This starts with two (self-)evaluations where you can assess your position against two lists of basic requirements. You can do this yourself for free online via this link.