How Big Is Our Cyber Security Gap? We Don’t Know

Wednesday, 19th January 2022

Businesses have taken a series of big decisions in the past two years; decisions that have kept their operations going and their employees connected. But now, as they begin to come out of crisis mode, they are looking closely at their technology and security. Paul Sanders, Chief Executive of Yobah, explains more.

Picture the scene: a business with 3,000 employees is switching to remote working overnight. It uses enormous buying power with technology partners to purchase laptops and, soon after, they arrive at people’s homes. The security team, keen to make sure the transition goes well, starts documenting the changing risk profile of the business. ‘Logging on from home or a coffee shop? Better make sure we keep the senior management team updated about what this means.’

Meanwhile, a company down the road with twenty people is trying to do the same thing. It doesn’t have the same relationships to procure hardware quickly and asks employees to visit the office, safely, to collect their computers. The management team is working hard to keep operations going and, in many cases, doesn’t have a cyber security specialist to keep pace with what’s happening. It’s focused on what it needs to do in the moment.

These two stories are typical of pandemic life. Businesses employing thousands of people have continued on the same path, developing their cyber security outlook, and keeping a close eye on the impact of new technology. But, in contrast, smaller teams have done what they can to keep the lights on. They’ve acquired new products, turned them on, and carried on like before because they’ve had to with limited resources. But now they are asking themselves: ‘how big is our cyber security gap? Because we don’t actually know.’

Everyone in this situation is now seeking to put themselves on the right path. They’ve spent time stabilising their operations, keeping their customers, and acknowledging their future will be more technology-driven. Their experience has shown them that technology, and the way it’s secured, is pivotal to the businesses they run. Chief operating officers (COOs) and their colleagues are therefore taking a step back to survey the scene and understand the impact of decisions taken many months ago.

Until now, some of them have worked on the basis that everything has been fine. But the more they have looked at their systems, the more they’ve found gaps in cyber security. COOs have started their quest for knowledge by openly talking to their IT teams. Instead of a heavy-handed approach, many of the leaders we know are asking people to put everything on the table – a bit like a security amnesty. They are then using the information gathered to develop a business case for investment and taking it to the board.

Other companies are changing the way they look at IT and cyber security. Small businesses with an engineering manager, for example, have commonly focussed on developing products. But recent experience has shown the simple importance of keeping the lights on and security up to date. These companies are now looking at IT and cyber security in a much more strategic way, which includes holding service providers to account and meeting recognised standards. I’m not sure how this trend is going to evolve, but an IT governance role could emerge, looking closely at industry standards.

This change of approach is welcome for small businesses. The way they have worked during the pandemic, and the lessons learned around technology and cyber security, have certainly made them a lot more aware; it’s also helped Yobah to become sharper with its processes and client communication. I believe businesses are now going to be more sceptical of marketing from the IT industry and what they are being promised. I also believe they will challenge service providers more readily and call them out on the standards being met. They will be proactive at outlining what they want, especially those in regulated industries.

In the future, this will help to drive improvements in technology and cyber security. The past two years have been a real wake-up call for everyone. While larger companies have continued to develop their understanding of technology and cyber risk, often in difficult circumstances, the voyage of discovery has been more acute for COOs and owners of small businesses.

The work they are doing to understand the gaps they have – and their willingness to admit they don’t always know – has been a breath of fresh air for them and for the industry. The conversations have evolved positively, alongside their learning, and everyone has gained insight from the challenges they have faced. And that, in the long term, can only be a good thing – for their businesses, suppliers and customers.

Paul Sanders is a self-confessed geek and the Chief Executive of Manchester-based consultancy Yobah. He’s on a mission to help businesses to adopt and govern the public cloud – and give people the freedom to innovate.