Security for SMEs and ETIs from a CISO’s point of view

“Hackers are not interested in us! We have always been able to react!”

We often hear these remarks… until one big cyber-attack reminds us of the harsh reality of the cyber fragility of organisations.

We realise that the hacker has been visiting every single system for over 10 months,

and that a “big data chunk” has been leaked, but we cannot tell which one.

And then we discover how much it will cost to take out the hacker and strengthen the walls.

But that’s only if the ETI is lucky… and if it’s not ransomware!

Many think they have already invested a lot in security. However, their subsidiaries faced a serious attack a few months later. Security breaches are everywhere!

The threat is evolving faster than some organisations. Cyber risk has become a major risk for companies.

It may be relevant or acceptable to have a production line for spreads that is obsolete. Cybersecurity-wise, you can’t get away with that.

In 2020: +255% of attack reports (Source: ANSSI)

The lack of awareness of the need for action remains the main obstacle observed by Cyber4U during its security missions in SMEs and ETIs.

“We cannot help someone who does not want to be helped.” Sometimes we have to wait until someone is drowning before they agree to be rescued.

It is indeed difficult for a manager to accept all the cyber expenditure requests from the CIO or CISO.

Security has a cost. It requires a great deal of investment, even though both the risk and the return on investment remain unclear.

In 2021, who can claim to know how effective the security measures and their possible combinations are? Such measures include raising awareness, anti-virus, SIEM/SOC, EDR, hardening of the more sensitive components such as the Active Directory and the workstations, network partitioning, etc.

We now understand why it takes so much time to release a budget. However, the SMEs/ETIs must understand that if they do nothing, or too little, they will remain vulnerable.

It’ is easy for an SME/ETI to not do anything

There is an urgent need to realise that the security in ETIs cannot be handled in the same way as in a large group.

A banking group has hundreds of cybersecurity experts at its disposal. However, in an SME/ETI, the CISO is most facing the rest of the company alone.

The ANSSI advocates allocating 5 to 10% of the IT budget to cybersecurity. We note that the CISO sometimes represents 1% of the human resources of the IT department ‘boat’. In this configuration, they are perceived as a “rower” rather than as a “coxswain”.

This calls for structural changes:

• Reconsidering responsibility sharing. The CISO cannot be solely responsible for the gardens of Versailles and assume all responsibility for it.
• Working on the job grid. No individual has all the skills to raise awareness, communicate, manage, steer, define, build, implement, operate, and monitor the security of an ETI.
• Making cyber a collective project and not a territorial war zone. It is in everyone’s best interest to go beyond the usual divides.

Difficulties are cultural, managerial, financial, technological, etc.

Working on practical responses is essential and must be done quickly.

What should we do when an employee informs us that they have clicked on a link in a suspicious e-mail? Should the station be systematically remastered? Is it already too late? What can be done, practically, to avoid a ransomware attack?

To which arbitration authority should the CISO refer in structures where the governance bodies are not always easy to identify?

How can an SME/ETI obtain the comparative studies of solutions it cannot afford to conduct? Which EDR/AV/SIEM/SOC/WAF… should we choose?

SMEs/ETIs are waiting for help to deal with the 17,000 vulnerabilities discovered each year across all technologies. We have come to accept that it is normal for systems to be so vulnerable or difficult to secure.

How can an SME or an ETI investigate 5,000 vulnerabilities in embedded systems (real life example)?

In addition, SMEs and ETIs are often subcontractors and must meet the cyber requirements of large companies.

Some good news

The key to success lies in the implementation of a collaborative, serious, in-depth, and pragmatic approach, led by a competent CISO, supported and supervised by an attentive and committed management team.

For those who like their stories to end on a reassuring note, there are ten or so fundamentals (cf. suitable guides for SMEs/ETIs), well known to all professionals, that need to be defined, implemented, controlled, and managed.

When we become aware of the difficulties encountered by SMEs/ETIs, we realise that they have a major challenge to meet. This is an almost impossible task for CISOs!

I have come to the conclusion that it is more difficult for an SME/ETI than for the French Pentagon to secure itself. For one simple reason: the Pentagon has been given the necessary resources.