The need for robust cyber security measures is of course not new. All managers, regardless of industry and company size, have had to deal with the rapidly increasing number of hacker attacks – often in the form of ransomware. But in the new situation, the need for operational risk management will be equated with a need for compliance: suppliers who cannot document satisfactory cyber risk management will lose customers and business opportunities. Therefore, it is no longer a question of whether strengthened cyber security can be a competitive parameter. It is a fact.
Cyber security is not only the IT department's problem.
Managers now face an important task: to understand the new demands and act on them. The starting point for this task is the recognition of three fundamental truths.
1. Cyber security is a management responsibility that cannot be delegated to the IT department. Cyber security must be understood as a strategic investment area that affects the entire company. The management is tasked with both developing strategies and creating a corresponding corporate culture.
2. This cannot be postponed. There is a real risk of repeating the chaos of the weeks before GDPR came into force in May 2018. Businesses need to demonstrate to their customers that they are responsible members of their supply chains, and this is a time-consuming process that requires a whole new overview of the company's organisational structure. It requires management to obtain a detailed overview of its IT infrastructure, who has access, and how the corresponding risks are managed.
3. Cyber security is very much a supply chain issue, and this truth applies to both critical and non-critical companies. Managers must therefore take a close look at their own suppliers, especially those with direct access to their network or data. The ransomware attack against the hosting provider AzeroCloud in August is one among many examples that show how insufficient cyber security measures among suppliers can be life-threatening for companies, especially SMEs such as, in this case, Chili Klaus.
What then needs to be done? The biggest challenge is to upgrade cyber security on often quite limited budgets. It requires smart decisions and prioritisation. Managers must therefore acquire a minimum understanding of cyber security. The board association's establishment of a centre for cyber competences is an important step on the way and can become a valuable resource for managers.
Need for guidelines
However, it remains a major problem that existing cyber security standards and guidelines are typically targeted at large enterprises and do not reflect the realities of SMEs. It is thus not surprising that a study by Aalborg University's Torben Elgaard Jensen and Laura Kocksch shows that SMEs' work with cyber security is often characterised by pragmatism, lack of knowledge and patchwork solutions.