Every day, in every corner of the world, at every minute, small- and medium-sized enterprises (SMEs) are opening up stores, serving clients, delighting customers (or not). And while the classic SME picture may be the storefront, SME reality means constant commerce, updating web presences to buy, sell and service everything; work that begins before dawn and ends long after night has fallen.
While precise measurements are difficult due to differing definitions of SMEs, research by the World Bank has indicated that these vital enterprises employ more than half of all private sector workers globally, and can comprise more than 90% of all the world’s existing businesses. In the United States alone, the U.S. Small Business Administration has estimated that the number of SMEs currently operating in America exceeds 28 million firms.
These entrepreneurs and service sector employees share common characteristics—incredible dedication, a belief that what they do is valued by their communities, and the hope that their hard work will adequately provide for their families, and their families’ futures.
Regrettably, however, many SMEs have something else in common—minimal or nonexistent protection from cyber threats and attacks.
Effective cybersecurity is paramount to the success of any business, regardless of size, as it pursues growth and prosperity within a global and increasingly digital marketplace. According to global estimates released by security company Symantec, spear-phishing attacks against SMEs have more than doubled in only a few brief years, rising from 18% in 2011 to 43% in 2015.
For some SMEs, though, this digital economy brings with it some difficult choices. A number of SMEs around the world find themselves in the unwelcome situation of being forced to choose between incorporating adequate cybersecurity into the digital and wireless aspects of their business, or not doing so. All too often, due to business or personal factors, SMEs choose the latter.
This may not be possible in the future. As our digital economy evolves, a lack of cybersecurity for an SME poses increasing risk. Cyber insurance, available and in use by larger-scale organizations, should be more of an option for, and optimized by, SMEs. More direct impacts, such as breaches of an SME’s digital infrastructure leading to the release of financial or personal information, or attacks that create a back door into another company, will have consequences. Minimally, this hurts reputations and relationships, as customers and vendors think twice before patronizing the SME again. On the other side of the spectrum, the business does not recover, and is shuttered. None of this bodes well for SMEs that lack effective and robust cybersecurity.
There are efforts underway to address this. New Jersey’s recently appointed CTO, David Weinstein, is creating a resource for New Jersey’s SMEs to keep abreast of developments in both cybersecurity and the threat landscape, an effort that complements the ongoing cybersecurity education efforts of the U.S. Small Business Administration. We see an increasing number of Information Sharing and Analysis Centers (ISACs) in the United States making similar resources available to SMEs within their respective industries. In the European Union, ENISA is leading efforts to ensure that the knowledge gleaned from ISACs finds its way to the SME community as well. All of these efforts are commendable, for they provide SMEs with valuable tools to aid them in ensuring the cybersecurity of their digital businesses.
Yet, these efforts have not and will not reach every SME. Leaving one business or agency behind in the quest for greater cybersecurity for their digital enterprise efforts is unacceptable. The aforementioned efforts, already underway, must be built upon. Chambers of Commerce at the local, regional and national levels must begin to offer resources to secure the digital business of SMEs. More ISACs need to become involved. Governments, at all levels, need to find additional ways to create and support efforts that will aid in securing the digital futures of SMEs.
ISACA’s global community must do its part, as well. We know some ISACA chapters have begun outreach to local SMEs. This is excellent and to be commended—but efforts must grow. We urge all ISACA chapters to reach out to local, regional and national SME-focused organizations, and to partner in efforts to increase and enhance cybersecurity within this crucial sector of the digital economy.
Likewise, we urge our colleagues within the NGO community to engage in similar efforts; and we pledge to help you with subject-matter expertise, tools and experience. Several NGOs have already taken steps to aid the SME community, all admirable efforts. Taken in sum, the NGO cybersecurity community has presences in nearly every nation in the world; our non-profit sector has an opportunity to effect global, positive change within the SME sector, as well as within the wider international digital marketplace.
It is incumbent upon all of us within ISACA and within the wider NGO community to share our expertise with the SME community. Enterprises of all sizes can and will benefit markedly from this interaction, and will be further empowered to realize the positive potential of technology, and reap the benefits of security in our evolving global digital economy.
Matthew S. Loeb, CGEIT, FASAE, CAE, Chief Executive Officer of ISACA
[ISACA Now Blog]