Are Only 20% of Small to Mid-Size Organisations Cyber-Secure?

Earlier this week, I presented to 120 COOs at their annual gathering on Cybersecurity. 

As part of my keynote, I ask everyone to stand and slowly sit as I work through seven key categories of cyber for every organisation. 

Are Only 20% of Small to Mid-Size Organisations Cyber-Secure?

I was somewhat surprised to see only 20% of the room standing around five, less for six and seven of the below criteria.

Threat Identification and Protection

Organisations use comprehensive cybersecurity programs with tools like antivirus software, firewalls, intrusion detection/prevention systems (IDS/IPS), and security information and event management (SIEM) systems to identify and protect against threats.

Cybersecurity Policies

A robust cybersecurity policy covers:

- Disaster Recovery Planning - Procedures for IT service continuity post-catastrophe.

- Customer Data Privacy - Protecting customer data per regulations (e.g., GDPR, CCPA).

- Access Controls - Restricting access to sensitive data using role-based access control (RBAC) and multi-factor authentication (MFA).

Restricting User Access

Access is restricted via;

- RBAC - Access based on user roles.

- Least Privilege Principle - Minimum access needed for job functions.

- MFA - Multiple methods to verify identity.

- Regular Audits - Periodic review of access rights.

Chief Information Security Officer (CISO)

A CISO oversees cybersecurity strategy, incident response, compliance, and security operations. If no CISO, senior IT staff or security team member handles these tasks.

Qualified Personnel

- Certification and Training - Professionals hold certifications like CISSP, CISM, CEH.

- Continuous Learning - Ongoing training to stay updated.

- Sufficient Staffing - Ensuring skilled personnel are available 24/7.

Reporting Cybersecurity Incidents 

Organisations have procedures to report incidents:

- Internal Reporting - Security team and senior management.

- External Reporting - Regulatory bodies, law enforcement, and stakeholders as required by law.

Incident Response Plan 

An incident response plan includes -

- Preparation - Defining roles, responsibilities, and communication protocols.

- Identification - Detecting and understanding incidents.

- Containment - Limiting incident impact.

- Eradication - Removing the incident cause.

- Recovery - Restoring system functionality.

- Lessons Learned - Analysing to improve future responses.

Cybercriminals are targeting smaller organisations due to their lack of cyber maturity, and these organisations need help.

I think they can be helped in industry cohorts, being several organisations in a location or similar in size. 

If you are forming a cohort, feel free to contact me to see how I can help.