The cybersecurity gap between large enterprises and small to medium businesses (SMBs) is getting smaller, according to a recent report from the Australian Securities and Investments Commission (ASIC).
The report, titled Cyber resilience of firms in Australia’s financial markets: 2020–21 (pdf), shows that the cyber resilience of SMBs increased 6.4 percent over the previous cycle (2018-19) while large enterprises’ cyber confidence dropped 3.4 percent.
The report stated this is “due to the complexity of large firms, the breadth of services they offer, and the increase in cyber intrusions” and added that larger enterprises’ cyber resilience remains stronger overall.
“SMBs are now taking cybersecurity very seriously. There have been a few forces driving this change”, Dane Meah, co-founder and board member of Fast50 #45 InfoTrust, told CRN.
“The first is pressure from the Board, who are seeing the importance of taking a proactive approach to avoid a major cyber incident. The second is regulatory pressure, for example, with APRA CPS-234 there is a requirement for the supply chain to the financial sector to comply with certain standards of security. This supply chain is vast and wide and includes a lot of SMEs. Lastly, businesses that have experienced a cyber incident are doubling down on their investment in cyber,” he said.
Reflecting Meah’s perspective, the report found that while supply chain risk management showed little improvement since the previous cycle, it had the highest target improvement of any area covered, at 19.4 percent.
Wayne Tufek, director of Fast50 #23 CyberRisk, echoed the sentiment that regulatory pressure on SMBs is growing.
“We’re seeing many clients that work with FS [financial services] companies being asked to provide evidence of their controls as they’re a third party to the organisation and form some part of their supply chain. This is in the form of external and web application penetration tests and controls assessments against ISO 27001 and NIST.
“Many of our clients are sent questionnaires from their FS customers and require some assistance to complete them and then help in implementing controls to close any gaps … We’re also seeing many clients becoming ISO 27001 certified to deal with the number of third party risk questionnaires.”
Tufek noted that the cybersecurity skills shortage means that SMBs are increasingly looking to cyber specialist companies to help them improve their security posture.
Meah added that SMBs are increasingly targeted by cyber criminals and, as a result, more risk-aware. They now want to take the “tried and tested risk-based approach to building out a security improvement roadmap, whereas before [they] would take a reactive technological approach”.
“The challenge is, security is still very specialised and entrenched with jargon and nuance,” he said.
Managed security services providers and security consulting companies like CyberRisk and InfoTrust are helping to fill that void and, in turn, helping to close the gap between large organisations and those with tighter cash flow.
As Tufek put it, “Industry is moving to more regulation and not less” and so “obtaining advice from a security company is the best way to set up an organisation for success.”
Melbourne’s CyberRisk provides risk assessment, consulting and a range of managed services to the market, allowing all organisations to uplift their cybersecurity maturity and capability.
Based in Sydney, InfoTrust helps organisations, including SMBs, assess their cyber resilience against recognised frameworks and develops and delivers a strategy over 2-3 years. It has also recently developed the MyCISO SaaS platform to help guide SMBs to improve their security, which is set to launch in January.