The need for robust cyber security measures is of course not new. All leaders, regardless of industry and company size, have had to deal with the rapidly increasing number of hacker attacks – often in the form of ransomware. But in the new situation, what was a risk management problem now also becomes a compliance problem: suppliers who cannot document satisfactory cyber risk management will lose customers and business opportunities. Therefore, it is no longer a question of whether strengthened cyber security can be a competitive parameter. It is a fact.
Cyber security is not only the IT department's problem.
Leaders are thus now faced with an important task: to understand the new demands and act accordingly, and the starting point for this task is the recognition of three fundamental truths.
1. Cyber security is a leadership responsibility that cannot be delegated to the IT department. Cyber security must be understood as a strategic investment area that affects the entire company. The leadership is tasked with both developing strategies and creating a corresponding corporate culture.
2. This cannot be postponed. There is a real risk of repeating the chaos of the weeks before GDPR came into force in May 2018. Businesses need to demonstrate to their customers that they are responsible members of their supply chains, and this is a time-consuming process that requires a whole new overview of the company's organisational structure. This means that management must obtain a detailed overview of its IT infrastructure, who has access to which network, and how the corresponding risks are monitored and mitigated.
3. Cyber security is very much a supply chain issue, and this truth applies to both critical and non-critical companies. Leaders must therefore take a close look at their own suppliers, especially those with direct access to their network or data. The ransomware attack against the hosting provider AzeroCloud is one among many examples that show how insufficient cyber security measures among suppliers can be life-threatening for companies, especially SMEs such as, in this case, Chili Klaus.
What then needs to be done? The biggest challenge is to upgrade cyber security on often quite limited budgets. It requires smart decisions and prioritisation. Leaders must therefore acquire a minimum understanding of cyber security. The board association's establishment of a center for cyber competences is an important step on the way and can become a valuable resource for leaders.
Need for guidelines
However, it remains a major problem that existing cyber security standards and guidelines are typically targeted at large enterprises and do not reflect the realities of SMEs. It is thus not surprising that a study by Aalborg University's Torben Elgaard Jensen and Laura Kocksch shows that SMEs' approach to cyber security is often characterised by pragmatism, lack of knowledge and patchwork solutions.