I have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.
As I have had conversations with business decisions makers, they often think that they have little to risk. Many businesses feel that they are not under much if any regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing.
There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide.
It occurs to me that the only real defense for small and medium businesses are organizations like QPC which have virtual information security officers and full remediation services on offer backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed.
Regardless, I'm always on the hunt for helping the SMB organization leader. It occurs to me that no matter what data you think you have a risk or don't at risk, there is one thing you don't have which is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident.
Updated on 8/8/2021
I saw this great article today on this topic and decided to include it.
I will warn that their documented risk mitigations measures are H.S.
And check out this excellent article on more reasons why you cannot afford to be hacked.