Too big to fail, what about too small to matter?

The 2008 GFC showed us that when there is a crash, there are certain organisations who are, supposedly, too big to fail.

Whether those organisations understood it at the time, it was touted that their failure would create an economic wasteland the like of which the world had never seen before in the whole of human history.

In 2008, this problem was delivered to the world by Governments in spades.

All well and good. The world survived, but the actual business landscape has significantly changed since it happened.

Changed in some areas and not at all in others.

Too big to fail is still touted by governments and industry leaders but there has been a significant change in the working man’s thoughts.

Small and medium businesses have come to the fore!

The implementation and management of the multinational digital organisations and systems have made SMEs competitive.

Platforms that allow SMEs to compete on an even playing field are everywhere.

Cloud-based systems, social media targeting and the fact that all of our prospects are mobile put everyone in the same game.

The SME's agility, adaptability and responsiveness, combined with these platforms, make them contestants and champions in the new economic arena.

But with this new-found capability comes a lack of understanding of the digital platforms that they are using. An inability to see the dangers because they are so agile.

So focussed on keeping ahead that they do not see other possibilities.

What happens when it goes to custard?

The statistics for SMEs failing are not easy to come across.

When they fail there is little fanfare.

Very few ramifications. The flow-on effect is minimal!

The owners usually declare bankruptcy because they have funnelled everything into the business. A couple of people are out of a job.

When it comes to SMEs, pride has kept them afloat.

The fact that in some cases they have had to beg, borrow and steal to keep the business viable, afloat and thriving in the changing economic environment is indicative of most SMEs, who will do anything and everything to survive.

When the failure is out of the owner's hands, that is a different issue.

A natural disaster is one way this can happen, another is a cyber event.

A cyber event can happen at any time, any place and to anyone.

The perfect storm.

The perfect storm created by our reliance on the cyber. Created by our attitude. You know the ones – we are too small, we have nothing worth stealing and she'll be right.

When it happens to an SME, there is no "do over", no "too small to fail". They are just "out of business".

SMEs still have the flexibility and adaptability to stay in business, but they now need to create resilience. To be stronger, recoverable and less brittle.

To do that they need to act, in kind, the same way that larger organisations act. They need to have the right policies, processes and procedures in place.

Have the right framework around them to ensure that they are more flexible and better protected than their competition.

A cyber event can range from a slight inconvenience to a profound impact, but no matter what the event, you have to have some way back from the brink.

Business continuity, disaster recovery and business resilience are all components of today’s agile business.

Without them, you are not agile, not resilient.

You are definitely too small to matter!

Doing X things to protect your organisation is not the best cybersecurity strategy.

It is no longer a case of do these ‘X’ number of things and your business, organisation or self will be secure from a cyber event.

We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.

This attitude is wrong.

All it does is focus you on the 'X' number of things that are considered important; it does not fix the overall problem of digital protection, cybersecurity and protecting the organisation's data against a cyber event.

Today’s threat market is all about two things:

Risk management

Managing the risk to your organisation is totally dependent on the organisation. Get it wrong, though, and the organisation is open to litigation, compliance and reputation challenges.

Defining the risk and then mitigating, reducing or ignoring the risk depending on your organisation's risk posture.

That risk posture has to have a basis in fact. Every organisation is different, therefore every organisation's risk posture will be different.

“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.

Let's take patching – you cannot implement a patching process if you have not looked at the associated risk of applying, waiting on or ignoring a patch to software or operating systems.

Some patches are critical, and the risk to the organisation outweighs the impact of a cyber event. These need to be applied immediately.

Other patches could mitigate some risks to a system and can be applied as part of the patch process. We recommend within 15 days.

There are also patches out there that would have minimal impact on a system. If the system was not patched and it was compromised, an attacker would not gain access to critical data. These can be applied based on the organisation's risk posture.
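As an added illustration of the three patch tiers above (not the article's own code), a small patch-compliance checker that assigns each pending patch a deadline by tier and lists the overdue ones. The hostnames, patch ids and the 45-day deadline for the lowest tier are assumed values; the 15-day figure is the article's recommendation.

```python
from datetime import date, timedelta

# Tiers from the article: critical patches immediately, standard patches within
# 15 days, low-impact patches on a deadline set by the organisation's risk posture.
DEADLINES = {
    "critical": timedelta(days=0),
    "standard": timedelta(days=15),
    "low": None,  # filled in from the organisation's own risk posture
}

def classify(patch):
    """Map a patch record to one of the three tiers.

    A vendor-rated critical patch is always 'critical'. Anything else on a
    system holding critical data is 'standard'; a patch on a system whose
    compromise would not expose critical data is 'low'.
    """
    if patch["severity"] == "critical":
        return "critical"
    if patch["holds_critical_data"]:
        return "standard"
    return "low"

def deadline_for(patch, low_tier_days):
    """Return (tier, due date) for a patch, given the policy's low-tier window."""
    tier = classify(patch)
    delay = DEADLINES[tier]
    if delay is None:
        delay = timedelta(days=low_tier_days)
    return tier, patch["released"] + delay

def overdue_patches(patches, today, low_tier_days=45):
    """List (host, patch_id, tier, days_overdue) for every patch past its deadline, worst first."""
    report = []
    for p in patches:
        tier, due = deadline_for(p, low_tier_days)
        if today > due:
            report.append((p["host"], p["patch_id"], tier, (today - due).days))
    return sorted(report, key=lambda r: -r[3])

# Constructed sample inventory; hostnames and patch ids are placeholders, not real advisories.
SAMPLE_PATCHES = [
    {"host": "web-01", "patch_id": "VENDOR-2024-001", "severity": "critical",
     "holds_critical_data": True, "released": date(2024, 3, 1)},
    {"host": "files-01", "patch_id": "VENDOR-2024-002", "severity": "high",
     "holds_critical_data": True, "released": date(2024, 2, 10)},
    {"host": "kiosk-01", "patch_id": "VENDOR-2024-003", "severity": "high",
     "holds_critical_data": False, "released": date(2024, 2, 10)},
]
SAMPLE_TODAY = date(2024, 3, 5)  # constructed "today" for the sample run

if __name__ == "__main__":
    for row in overdue_patches(SAMPLE_PATCHES, SAMPLE_TODAY):
        print("%s %s tier=%s overdue by %d days" % row)
```

Tightening the low-tier window (the `low_tier_days` argument) is how a stricter risk posture shows up in the report without touching the two fixed tiers.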

Looking at the overall risk to an organisation will drive the security around that organisation and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.

Using frameworks

When used correctly, a framework increases the awareness and security around an organisation.

We use NIST, but any framework will do.

A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.

It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related but often overlooked, important features of digital and cyber protection.

Each of the components of the framework allows the organisation to implement change in a managed and focused way.

It allows an organisation to improve security, with each change benefiting the organisation.

It is a process, not a knee jerk reaction to the next threat.

Business security is not about implementing a decent firewall, installing endpoint protection and sitting back because you think you are safe.

Business security is about education, policies and procedures, business continuity, visibility and viability.

This solution cannot be achieved through reaction; it needs to be a proactive process embraced by all members of the organisation.