Ion Iordache

My Life in Motion

  • About Me
      • About Me
      • Testimonials
      • Work With Me
  • Services
      • Consulting
      • Course: Internal Auditing based on ISO 19011:2018
  • Downloads
      • SECURITATEA ȘI SIGURANȚA UNITĂȚILOR SANITARE
      • Securitatea și Siguranta Unitatilor de Invatamant
      • MARKETING PENTRU MICROÎNTREPRINDERI ȘI IMM-URI
      • Inteligenta Artificiala in Securitatea Fizica Editia a 2-a
      • Inteligența artificială în securitatea fizică Editia 1
      • MANAGEMENTUL RISCULUI ȘI TEHNICI DE EVALUARE A RISCULUI
      • SECURITATEA LOCUINȚEI
      • STANDARDE EUROPENE PENTRU SISTEMELE DE SECURITATE
      • CPTED – GHID ILUSTRAT
      • Sisteme electronice de control al accesului
      • Formarea Profesionala
      • SISTEME DE SUPRAVEGHERE VIDEO
      • SISTEME DE ALARMĂ LA EFRACȚIE
      • SISTEME ȘI INSTALAȚII DE SEMNALIZARE, ALARMARE ȘI ALERTARE ÎN CAZ DE INCENDIU
      • Calcularea preturilor si ofertarea
      • Analiza Riscurilor la securitatea fizica
      • Plan Afaceri
      • Consultanta de Securitate – Ofertare
      • CPTED 1
      • GDPR Supravegherea Video
      • Acord Prelucrarea Datelor
      • DPIA Pentru Sistemul de Supraveghere Video
      • Managementul Operatiunilor de Securitate
  • Pass It On
  • Contact

Cyber Risk management and Business Continuity for Small and Medium Enterprises: An Advisory

February 25, 2021

Author: Dantis Mihai

Introduction:

The COVID19 pandemic has made operations much difficult for small and medium enterprises (SMEs) for new work culture and creation of remote work environment (if possible). The COVID19 has had an unprecedented global impact on SMEs and according to a McKinsey report on SMEs in the big five European economies – France, Germany, Italy, Spain and the United Kingdom, 50% SMEs estimated that they would not survive longer than 12 months, despite the various forms of government assistance[1].  COVID19 also presented cyber risk challenges as SMEs had to quickly adapt and move to the remote working model and thus had to dig in deep into their pockets to set -up an appropriate infrastructure. Business continuity became the corner stone strategies for most SMEs. 

Cyber risk has multiplied in the year 2020 and according to Fintech News, phishing attempts rose 600% since February 2020 and cloud-based attacks rose by 630% between January and April 2020 alone[2]. Thus, the remote work environment presented new opportunities for cyber criminals and made SMEs realise the importance of cyber risk management and business continuity. The question of Cybersecurity has become indispensable for any SMEs in banking, insurance, e-commerce or fintech sector and utilising cloud services and remote working methods keep their businesses running.

Cyber risk management is not just about internet and computers, but it involves people, information systems, processes, culture, and physical surroundings as well as technology. Cyber security aims to create a secure environment where businesses can remain resilient in the event of a cyber breach. Attacks in the form of hacktivism and phishing have become an everyday event and a comprehensive cyber risk management is not a viable option for SMEs with regards to time, resources, and investment required. The pandemic has made companies aware that they would not be able to grow and sustain, if they is not enough emphasis given to cyber resilience and risk-based frameworks and thus pre-emptively prepare to identify and mitigate a cyber breach.

Business Continuity for SMEs: 

Business Continuity as a process builds a framework for organizational resilience. It ensures that businesses are capable enough to continue its core functions and essential operations without getting gravely impacted by unplanned events. The first step at building business continuity is to look at mitigating risk that pose immediate threats to essential resources. Identification of critical resources and undertaking a risk assessment are at the heart of building a robust business continuity plan. Systems need to be created that have processes of prevention and recovery inbuilt to deal with threats and disaster. 

Critical IT Systems must be designed to be able to pre-empt a cyber breach and take pro-active action. In addition, recovery mechanisms should be place, to start afresh from an ‘ok’ state of information before a cyber breach. Thus, in today’s world having a full – proof business continuity plan (BCP) with 100% incident management is impossible. What works is having a structured recovery strategy, which falls back onto the best-known state, when a cyber breach takes place with an in-built escalation management system. The more complex the IT systems architecture, the more advisable to have more than one incident management system. Protection of Personally Identifiable Information (PII) must be given top priority as part of the BCP, especially in sectors such as financial and insurance. 

An effective cyber business continuity lies in its planning and strategy implementation that incorporates and mitigates known threats and prepares for unknown threats and has a pre-empt model of minimising impact, when a cyber breach takes place, but invigorating second line of defences and cutting – off access to critical information such as implementing multiple fail-safe switches in an IT infrastructure architecture.

The following form the three elements of a successful BCP for an SME. 

  1. Resilience: Resilience ensures that SMEs gather an idea, as to how an event or a disaster would affect the business and how well the systems and processes put in place would respond to this disruption. 
  2. Recovery: Recovery looks deep at the risks and identifies the most vulnerable and how which assets would be able to get back sooner and faster than others and prioritising these essential operation processes and services for recovery. The categorisation of can be swapped in order of importance of the threat at hand. 
  3. Contingency: Creation of a proactive strategy that presents a course of steps taken by the SME in response to a business impact event and this must incorporate components of risk management and reflect upon recovery planning.

Cyber Risk Management: The term risk management is the process to identify, assess, and control risk or threats related to an organization’s earning & capital. In the framework of risk management, the possibility of threats from different sources is considered carefully. The risk could be anything, from accidents, legal liabilities, errors to financial uncertainty. In lieu of an increasingly complex IT environment, it is recommended that organisations must focus on a comprehensive ‘Cyber Risk Management’ strategy with focus on threat detection and response, rather than on prevention-centric strategies. Cyber risk management process identifies, analyses, assesses, and communicates a cyber-related risk and accepts, avoids, transfers, or mitigates it to an acceptable level, considering costs and benefits of actions taken to stakeholders.

Good cyber security teams are those that can reduce their mean time to detect (MTTD) and mean time to respond (MTTR) and thus, reduce an enterprises risk of experiencing a high-impact cyber incident or data breach. Today’s complex global environment requires any organisation an approach to cybersecurity that focuses on reducing MTTD and MTTR where threats are detected and killed early in their lifecycle, thereby avoiding downstream consequences and costs. This is easier said than done for an SME. 

Cyber breach life cycle: All cyber-attacks follow a unique pattern and identifiable steps that are a common nature and must get guarded against at each level to minimise risk. 

  1. Reconnaissance: Identifying the potential targets i.e., sensitive information
  2. Compromise: Gaining access to the internal network
  3. Command and Control: Utilising the compromised device / hardware with a remote access, thus establishing long-term access 
  4. Acting as Genuine: Compromising and impersonating an authorised user
  5. Target Acquisition: Having compromised multiple access points, the deep understanding of the IT environment and its reactions to changes 
  6. Go for the kill: Corrupting the systems, stealing intellectual and personal information, disabling mission critical systems, shutting down access to counter measures

An SME challenge to Cyber Risk Assessment and Management: SMEs are not equipped with an end-to-end framework of implementing a cyber breach life cycle, and as most of an SMEs risk management services might be outsourcing, the SME is confronted with how much resources and capital to invest on pre-emptively mitigating a cyber breach? As SMEs have a small business footprint the efficacy of building an extensive planning and implementation structure that covers all the processes of cyber risk management is a stupid idea. Customised cybersecurity frameworks are needed and basic security guidelines are required to be applied in a smart and simpler way. Some of the fundamentals that could be applied to an SME level cyber risk assessment comprises of the following 6 steps. 

  1. Firewalls and secured internet gateways
  2. Software patching and secure configurations
  3. User and Administrative accounts best practices
  4. Password protection best practices 
  5. Malware protection
  6. Secure system configurations 

The global risk and information security standards: Standards assist to define, design and undertake measures protecting an organisations assets and resources and support at adopting solutions that are globally recognised. Standardised cyber risk solutions such as NIST Cybersecurity Framework do full-fill a baseline criterion and standards such as ISO 27000 (a family of standards over forty in total) do provide for an overall management of information security; For example, the ISO 27001:2013 is the most widely known risk-based standard approach for the information security management system but adopts a global vision of business, process, people and technology risks and ISO 27005 is designed to assist in the implementation of information security, based on a risk management approach. Similarly, ISO risk standards such as ISO 31000:2018 relating to risk management and the ISO 22301:2019 commonly termed as Business Continuity Management System (BCMS) standard are an end-to-end security and resilience frameworks that certifies an organisations capability at recovering from disruptive incidents.

Way forward for a Small and Medium Scale Enterprise (SME):

In cyber world risk and business continuity must be applied together at every step of the process and this can result in an effective and efficient cyber business management systems lowering the risk and the potential negative effects of a crisis and financial loss. Cyber risk management and Business Continuity management are interconnected. The following 4 measures are the key recommendations for an SME in curating a resilient business continuity planning. 

  1. Identification of threat possibility and sketch out the communication plans. Creating a roadmap to mitigate major identifiable threats
  2. Standard risk management solution: The survivability of SMEs will often get threatened by cyber risks. Prioritising cyber risk standards and risk management solutions shall reduce cyber threat intensity and facilitates effective business continuity planning. 
  3. Effective testing, maintenance and upgrade: The proficiency of an effective business continuity is seen through an effective cyber risk management. SMEs must keep testing, maintaining, upgrading, and evaluating their threats on a continuous basis. An SME must keep tweaking its BCP avoiding faster detection and deploying a minimum response capability to reduce the damaging impact of a cyber incident. 

Mihai Dantis – Certified Information Security Auditor, Trainer, and Information Security Professional with strong experience in teaching, implementing, and auditing security standards to various companies. Proven track record for 20 years in project management, implementation, and auditing of informational security systems.

[1] COVID-19 and European small businesses | McKinsey

[2] The 2020 Cybersecurity stats you need to know – Fintech News

Filed Under: Uncategorized

Let’s Connect

  • Email
  • Facebook
  • LinkedIn
  • Pinterest
  • Twitter

© 2025 Ion Iordache · Privacy Policy · Terms of Use

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. You may read more on our Privacy Policy page. However, you may visit "Cookie Settings" to provide a controlled consent.
Privacy Policy Cookie SettingsAccept AllReject All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT