Navigate the cyber threat landscape with confidence in 2024
The cyber landscape is constantly changing, with new threats emerging daily. Although it can feel overwhelming, protecting your business doesn’t have to be a complex journey.
In collaboration with global cybersecurity experts, Numata hosted a panel discussion on building a resilient cybersecurity foundation.
Watch the full discussion today and stay one step ahead in cybersecurity.
[Jakobus Koorts 00:00 Introduction of each contributor]
Welcome to our panel discussion on the EMEA Cybersecurity Report for 2024 regarding the state of the cybersecurity landscape, specifically for SMEs. I feel it’s important for us to provide some context before we dive into the various discussions we’re going to have with our panel of experts from around the world today. Numata is known as the business technology strategist for us, and we’ve had the privilege of crafting, implementing, and managing technology strategies for clients in Europe, the Middle East, and Africa since 2004. But over the last five years, we’ve seen an exponential increase in the number of risks our clients need to deal with, and cybersecurity seems to always occupy one of the top three spots on any of the risk registers that we manage for our clients.
As both the head of our organisation and the owner, we realise that there’s little to no practical resources available for SMEs that really focus on this space, because there is a difference between SMEs and enterprise. I think a report that just feeds back information that’s educational and vendor-agnostic, so there’s no hidden sales agenda, products or services we’re trying to sell, and it’s really education. We’re taking out the fearmongering that is sometimes created from a marketing or sales perspective when we focus just on the core and the real structure that sits behind good information security within SMEs. I also think it’s important to mention that executives and business owners are continuously bombarded with information, either from vendors, current service providers, internally, or even around the various different solutions, services and products, and the latest and greatest threats within cybersecurity. And all that information, the overflow of information, is causing a lot of uncertainty on an executive level.
People don’t always know when they need to make informed decisions; you enter a state of just having too much information to actually make informed decisions and to be able to focus on the core of what good information and cybersecurity look like. And for us, it really all starts with education and awareness, and that needs to happen on an executive level. Our independent report summarises those two concepts that are important to communicate and to understand on an executive level, as a head of an organisation and of IT within an organisation even, similar to our service providers. There are many service providers on the school, but with that being said, it actually leads me to my first point that I wanted to touch on, and just discussing, you know, many C-level executives and heads of their organisations that I’ve personally spoken to over the last couple of years, they just feel fatigued and overwhelmed by all this information, and either they think they’re doing enough or they don’t even know where to start. And it ranges quite significantly from a cybersecurity perspective.
[Jakobus Koorts 04:26]
And I’ll direct, I think, my first question to Chris. Just in your opinion, from an SME perspective specifically, how well do you think SMEs are prepared when it comes to handling cybersecurity incidents?
[Chris Loehr 05:10]
Well, in my opinion, I think that SMEs still struggle with just risk management overall, right, and cyber risk, because it has such a technological component to it. They kind of seem to err on the side that it’s a technology problem or it’s an IT problem, and they really don’t understand that it’s a risk problem. And so they need to look at it more from, “Hey, how’s this going to impact my business? How’s this going to impact my staff? What is this going to do to me reputationally?”, those types of things. And I think if they start to look at it that way, they would embrace it more and be willing to kind of tackle those challenges that you spoke about. I mean, I think what you just said was most of them don’t even know where to start or what to focus on first, second and third, because there’s so much information thrown at them from all sorts of different directions. And so, if they can just somewhat take a pause, take a deep breath, and look at it through a business risk perspective, focus it on those things, uh, that’ll move that space forward. But overall, they’re still behind the times when it comes to
[Jakobus Koorts 06:08]
I think that’s very similar in terms of what we’re seeing across the space. And I know the report is focused on EMEA, but it’s very similar in US markets as well. We deal over there with SMEs and very, very similar concepts.
And I think maybe Matthew, from your perspective, when it comes to organisational maturity within that SME space specifically now, you know, working for, and as a partner of, one of the more prominent audit and advisory services globally, what do you see in the SME space? Do you think that maturity that Chris mentioned, or rather the lack of it, is prominent across various industries? Have you seen differences in some industries when it comes to maturity from a risk management perspective?
[Matthew Visser 06:55]
Yeah, I agree with what Chris said; it’s more a risk management issue than purely an IT issue, and it comes back to the governance structure within an organisation. You need to train the staff from the bottom level all the way up to the C-suite, so they could get attacked over email. You get attacked, but to get back to your question on the maturity point of view, I think listed corporations are feeling more mature than the owner-managed businesses. The owner-managed businesses need to focus on operations and not so much on risk management, so there’s definitely a disconnect between the bigger/larger organisations with external shareholders as opposed to owned and managed businesses.
[Jakobus Koorts 07:50]
And that’s a very interesting aspect. Matthew, from your perspective as well, you deal with many organisations that typically ask you to test some of their defences from a cybersecurity perspective. Have you seen a correlation, in your opinion, from a maturity perspective in terms of the type of organisation that you deal with and what you typically find from a results perspective once you’ve tested those defences? Do you think there’s a correlation between maturity and the actual cybersecurity defences and, I want to say, how mature those organisations are from a cybersecurity perspective?
[Matthew Visser 08:01]
I don’t think there’s necessarily a correlation. I think for a lot of the businesses that we think are mature, there are actually a lot of gaps in their defences. Yeah, I think there’s a lot of training and a lot of additional work to be done, because it is quite a foreign concept. I think people think they are protected, but they still have a lot of gaps.
[Jakobus Koorts 08:58]
Thank you, Matthew. Manny, from your perspective, specifically posing that question to you as well, when it comes to the correlation between the maturity of the organisation and what they typically have in place, what have you seen with various different companies that you have dealt with over the last, well, almost 20 years?
[Manuel Corregedor 09:20]
Yeah, so I agree. I think when it comes to, and we’ve mentioned risk management and things like that, which is true, but I think a lot of times, the smaller SME, you’ve got to do risk management, but if you’re not really sure how to identify the risks, you know? So you might think you’ve identified what risks are important to your organisation, and you might think you understand them, but I think a lot of the time the inputs that you’re getting from, you know, maybe different vendors are sometimes not the right inputs, you know? So they might come through with fearmongering to get you to buy their product to protect you, and if you’re not mature enough to understand what your actual risk is, you might think, okay, you know, I need to protect against this, I need to protect my endpoints, but you don’t really understand your actual risk.
There’s definitely a correlation between that maturity, you know? So if you don’t have the right maturity around what your risk or cyber risk should be, you can’t really understand how to protect against those risks. So it’s almost like you take a step back first, get someone, and it’s actually, if you look back like 20 years or so, you know, back in the day, there was very little information around, you know, cybersecurity and what risks to look out for, things like that. Today we have the opposite problem, which is that there’s too much information out there. Like if you go on Google and you Google cybersecurity risk framework or checklist, you’ll get a massive checklist.
If you use frameworks like SANS or NIST, whatever it is, you might even understand what’s on that list. And now you start trying to implement controls. You try to meet some sort of checkbox exercise, and you start implementing controls in the wrong areas, which might not be where your risks actually lie. You know, so now I definitely see there’s a correlation between maturity and what sort of controls you’ve got to put in place. You know, there should be some sort of alignment there, and it’s not like you always get the right advice, because sometimes, as a lot of us warn clients, it’s better to get no advice than the wrong advice. And that’s really the last point around that.
[Jakobus Koorts 11:40]
I absolutely agree with that, Manny. I think that makes a lot of sense alongside what you mentioned earlier on, Chris, from a risk management perspective: there’s a direct correlation between the maturity of the organisation, specifically in the SME space, when it comes to the overarching maturity, risk management-wise and governance-wise as well. And I think maybe Paul, from your perspective, SME-wise, when you look at small to medium enterprises specifically in the EMEA region, how well do you think the average SME is prepared in terms of dealing with cyber incidents, and what are the major areas where you think improvement is drastically needed?
[Paul Delahunty 12:00]
Yeah, so from what I see, and I’m coming back to it, and it feeds in from what the guys were talking about there a few minutes ago, is that the area is so huge. Like in Ireland, I know it’s probably 99% of industry in Ireland, so it’s massive. And where I see the real difference is where the senior leadership is not bought in or is bought in. If the senior leadership is bought in, all of a sudden things happen. Companies are much more secure. When they’re not bought in, it’s not really important to them. What you get is you probably get the head of IT who is the de facto cyber guy, right?
We’ve all seen that. And um, they’re the ones then fighting against the current to try and put things in place. So the biggest barrier I see is actually making the senior management understand what’s needed; after that, the rest is just process, putting the blocks in place, um, and making sure. There’s a big old push across the European Union on resilience, with DORA, the digital resilience, and then there’s the cyber resilience coming in as well. So, you know, we need to start putting our message together better so the understanding is not lost in a forest of information.
[Jakobus Koorts 13:21]
Absolutely, Paul, and one of the things that you mentioned as well, and I’m going to bring it up because it’s such an important and really good analogy, but in between, usually in SMEs the head of IT ends up with information security, because simply put they don’t have the budget to appoint an internal CISO to look after that concept and the aspect of information security. But one of the things that’s also added on top of that, sometimes from a compliance perspective, could be either regulatory or legislative compliance, um, and there’s a lot that kind of gets thrown at the SME, and they don’t get any allowance in terms of just being an SME; they are under exactly the same regulations and compliance requirements as some of the larger enterprises.
But one of the things that I really liked that you mentioned within the report, I think it’s stated as well, is you reference that it’s almost like filing tax returns, and how cybersecurity is done in the same way, right, and you reference specifically that it’s not a destination, it’s a journey, and that ties in with the mindset that you mentioned in terms of the awareness and, you know, some of those aspects. Is there something else that you wanted to comment on there?
[Paul Delahunty 15:59]
Maybe it’s kind of, I use that analogy a lot because I think any business owner in the world understands, right, I need to file my taxes or else I’ll be closed down, and unless you have a business that is totally and absolutely offline, which I’m struggling to think of one example of, you are online whether you know it or not, so you need to have some sort of cyber defence. It’s just a cost of doing business, simple as that. And you know, like I mean, the cost of having a breach and maybe having your reputation tattered across all your customers is a loss to a business, and because I did mention in the report as well, one of the key concerns from SMEs was, “Oh, it’s expensive.” Not so; the really fancy tools, yeah, some of them can be expensive.
Cybersecurity, information security, does not have to be expensive. It’s thinking, it’s putting the processes and policies in place, doing the simple things. People, doing awareness training. They’re the first line that’s going to be attacked. They’re also your first line of defence, so you don’t have to have all-seeing, all-knowing Matrix-style defences and AI coming out your ears. You don’t need that, you know? Doing it in increments is better.
[Jakobus Koorts 16:04]
Absolutely, Paul, and you touched on reputational risk. Wilmore, just from your perspective, um, when we start talking about actual cyber incidents within that SME space and the reputational damage that can cause, I’m sure you mentioned somewhere, you know, some organisations simply don’t have the ability to ever recover from them. Can you tell us a little bit more in terms of your experience and what you’ve seen and how detrimental, you know, something like that could be from a reputational perspective?
[Wilmore Chininga 16:45]
Yeah, it’s very true regarding reputational risk with cybersecurity. They’re very much tied up together, because you find that nearly every organisation is kind of tied up with other ones, you know, they may be vendors or clients or someone, and we have moved into a space now where nearly every SME needs some kind of cyber insurance. And when you are damaged reputationally, it can be very difficult to get cyber insurance, and if this company and that one have had breaches in the past, it’s going to put some pressure on me to not deal with them. So, it’s almost becoming like a criterion of who do you deal with? Are these people safe?
Have they looked after their cybersecurity correctly? Yeah, let’s say the example that happened with this monitoring company, I won’t name their name, that they were compromised, and it affected everybody else that was using them, for you to go there again and get that kind of software to put in your environment. It becomes kind of like shooting yourself in the foot there, because it’s going to damage your reputation, not because you’ve done anything wrong but because the vendor has been compromised. So, reputation is a very important thing in the cybersecurity landscape, because once yours is damaged, it’s very fragile. It’s very hard to put up again.
[Jakobus Koorts 18:15]
Absolutely, Wilmore, and John, from your perspective, just, you know, what have you seen from the impact of reputational damages across that SME space, specifically from the cyber perspective?
[John O Mahony 18:45]
Um, I mean, look, I think it’s huge. I mean, and talking about just breaches there as well. I mean, look, I was only reading there, uh, recently, that last year alone we had the highest ransom payout ever, in 2023. It exceeded 1 billion, and that’s reported ransom, right? You know, expect another 50% on top of that. I just read in another report this morning that a university, close to my heart, uh, again was affected by a ransomware attack, never paid the ransom; however, the effects of the ransomware attack thereafter, for them to recover, is in excess of 3.5 million, right? And when you weigh up those costs and those impacts as opposed to if they had put the right kind of tools and controls in place in the first place, having the right tools and processes would have been a fraction of that impact. And that’s something that I see consistently across a lot of organisations that I speak to. Sometimes the attitude is: “Look, it will never happen to me, I’m too small.”
But the reality of it is that bad actors don’t put a label on organisations anymore. They’re just going out doing a blanket attack on everybody. So unfortunately, you know, to Wilmore’s point, you could be a very, very small organisation, and the cost of that financial impact from a breach can actually close your organisation, because not only are you going to feel the impact of that cost, but third-party investigators, um, like in our case in EMEA the GDPR commissioners, could come in, and, um, so there could be big, big fines there, and then you’re bankrupt, you’re not.
[Jakobus Koorts 20:30]
Absolutely, and I think I would like to touch just on a couple of things that came up now, and I think almost every single one of you mentioned some misconceptions and unfounded fears when it comes to cybersecurity. But when it comes to the SME space specifically, what do you think the most prominent misconceptions are when it comes to cybersecurity? I mean, I’ve heard, you know, it’s an IT problem, and it’s very expensive, but maybe Manny, from your perspective, what do you think the biggest misconception is when it comes to cybersecurity within the SME space?
[Manuel Corregedor 21:13]
I think it’s a combination of things. So one of them is that, um, technology can solve the problems. So if I buy XYZ product with the blinky light and I put it in place, I’m going to be safe, you know, and I guess that comes from how things are marketed as well; that’s also one of the things. The other side of things is also, um, you know, putting stuff in place without making it part of some sort of framework or program, like implementing security just because you need to onboard a client and they’ve asked you, they send you a survey, a spreadsheet, with “you must have XYZ controls,” and now, because you don’t have that, you start to implement those controls and you start to create those policies and you start creating those things just because you want to, you know, pass that checklist so that the vendor can onboard you and you get that sale or whatever it is. So I think a lot of things are, I guess, between the two. That’s really the main thing: you know, just assuming that, uh, you know, buying the XYZ product will protect you, and on the other side it’s just, um, implementing stuff without it being part of a program or some sort of risk management framework or governance structure, you know; then it becomes sort of like the Wild West, where you’re just implementing stuff for the sake of implementing it and there’s no, uh, reason why.
[Jakobus Koorts 22:30]
And that ties back into, Chris, exactly what you said earlier as well. I mean, that’s exactly what you referenced in terms of risk management, right?
[Chris Loehr 23:01]
And I would add on to what Manny said: somebody might spend a bunch of money on a tool, and they just don’t understand what it takes to maintain and configure that tool on an ongoing basis. I mean, we see lots of situations where we get involved because it’s an incident, we get called in, and they have spent quite a considerable amount of money on tools, and they have some pretty nice stuff, some pretty fancy stuff, but it was either configured improperly from the beginning, features and functions that they paid a lot of money for were not enabled, and they just didn’t take the time to make sure that things were configured and everything was reporting in. You know, not to pick on EDR, but if you don’t have it on every endpoint and you have one or more endpoints that are not covered, well, what’s the purpose? You pretty much just wasted your money when you’re not taking care of it.
So, right, I mean, that’s another misconception: I can just kind of buy my way through managing this cyber risk, and it just doesn’t work that way. When I try to talk to people about it, I try to equate it to your accounting and finance: a lot of SMEs might outsource that function, but they’re not going to ignore it. They’re going to keep track of their finances, they’re going to want reports, and they’re going to want to make sure bills are being paid and money’s being received and all those types of things. Same thing happens with cyber. I mean, it’s just a care and feeding thing. It’s not set it and forget it and, you know, I’m going to sleep fine tonight because I’ve spent a bunch of money on tools and they’re going to work great.
[Jakobus Koorts 24:18]
Absolutely, it’s so funny when you mention that, because, Jason, literally we dealt with exactly that scenario. When was it, Jason, in 2023? 2022?
[Jason Scanlon 24:35]
2022.
[Jakobus Koorts 24:37]
Mhm, would you mind maybe elaborating on that? Exactly that scenario that Chris mentioned now: all the tools, the invoices were paid, Chris, so the level of assurance should have been there, right? And that’s exactly what Jason uncovered at quite a large organisation.
[Jason Scanlon 24:35]
Yeah, it just speaks to, you know, how we spend money, and I think Paul alluded to it earlier on and Chris alluded to it now, and it’s funny because I think every business owner knows down to the dollar and cent how much their business is earning, right, and how much they’re losing or how much they’re making. And yet when it comes to information security risk, it seems like it’s the third ear that they don’t know anything about or they don’t want to know anything about, or, as Chris alludes to or even Manny, that they did it because it was a checklist that came from a third-party supplier and they wanted the problem to go away: I just want tick, tick, tick, tick. I’ve always said, and Paul said earlier on, and now Chris has mentioned, that investment in technology is one aspect of it. I mean, we forget about the people and the posters of their times, but you know, technology alone is not the answer. I think we know that.
[Jakobus Koorts 25:49]
And it’s interesting, because we had a brief discussion earlier this week. Jason’s busy with a client, and we’re looking at a regulatory framework that needs to be implemented from a data privacy perspective. And when we started out with a data mapping process, as an example, the client said, oh no, we don’t have any external data, we don’t share data.
And as we went on, we’ve probably uncovered seven or eight different suppliers sitting with PII (Personally Identifiable Information) outside of the environment. And it’s just by working through that and educating some of those business owners. But I think some of it also comes down to that correlation between the cyber component, information security, and the IT strategy, which is overarching from an architecture perspective, where we say it’s for where we store our data, how we process it, how we work with it, how we collaborate both internally and externally. And I’m wondering if there is perhaps a discussion just around, you know, the correlation between the maturity from an IT strategy perspective versus the maturity of the cybersecurity strategy. Maybe I’ll rephrase that slightly based on Chris’s and pretty much everyone’s input here: maybe just risk management overall, that correlation between the two from an IT GRC and IT strategy perspective. When those two aren’t aligned, what would you say the biggest issues are that companies would start seeing, or how would it manifest in an SME environment where IT GRC is in place or not aligned with a properly designed, crafted technology or IT strategy? And maybe Paul, from your perspective, how do you think that would start manifesting in businesses?
[Paul Delahunty 27:46]
Well, if they’re not aligned, it means they haven’t been put together properly and IT hasn’t been up at the senior level, so the first thing to be thrown out is going to be the security element, because that’s not what we do: we don’t do security, we’re a business, we sell widgets.
So, you know, but they don’t realise, well, yeah, okay, you sell widgets, but in order to sell those widgets, if you’re breached or hacked, you’re in a world of pain. I would say, though, I think part was going off about the GE there, but it’s part of our failing as an industry, not translating what we understand to the 99% of people who don’t understand this phenomenon, and even down to always using the term cybersecurity. I think we need to move away from that, because, okay, everyone here on the line, we’re all nerds, right?
We all are in this world, and we hear “cyber”: “Oh yeah, let’s talk about it.” Great. Anyone else: tax, my tax. So we need to start talking about information security, because everyone understands information security; you want to keep your information solid. Now, if you bring that up into your strategy and talk about risk to your information, now all of a sudden it’s not a separate strategy; it should be part of the overall strategy, and it’s just an integral part of our overall business and our IT strategy. And I think, in my experience, that’s a more sensible way of getting buy-in from everyone and actually making sure that it’s achieved.
[Jason Scanlon 29:23]
I just want to add to Paul’s point there, because it’s very important, and Paul has spoken about this regularly: we often speak in language that doesn’t resonate with business owners and business leaders, and we have to ask ourselves why. And as Paul alluded to, there are a lot of terms: governance, risk, cyber resilience. We’ve got to start to demystify these things a small little bit, and I think it comes back again. I just mentioned Chris’s point about the risk management approach, but equally, on top of that, as I said earlier, every business knows how much it makes from a pounds and shillings perspective. If we address risk management along with something like the FAIR model, whereby we can quantify the risk and quantify the exposure, the potential exposure, to information security, I think we’d be on a better path to success in terms of getting our message across. And equally, the key thing that I think business owners need to understand is every business owner is in the business of IT, because if they’re not in IT, then they’re not in business.
[Wilmore Chininga 30:29]
So true, Jason. And if I could just add on to that and what Paul said, I think that’s very true, because the more we speak about cybersecurity, it kind of positions you into a place where you are thinking you have to protect yourself and your assets from this vast sea of a threat landscape. You know, but if we say information security, it really changes the dynamic there, because you’re looking now at your assets and you have to protect them. It’s not so much a big thing in your mind then, you know, to try and protect yourself against this whole sea of pirates against you; you’re just trying to protect your assets. So, that’s really, really a good point there.
[Jakobus Koorts 31:13]
Sorry, John, you can speak.
[John O Mahony 31:18]
Yeah, I was just going to say as well, I mean, look, I think a big problem as well for a lot of SMBs is that they don’t exactly have a cybersecurity professional working for them. They have an IT professional that wears many hats. He’s doing applications, he’s doing networking, he knows a small bit about security. So, when it comes to his day-to-day job, he’s going to focus on keeping the network up and running, keeping people logged in, keeping things, you know.
So, security, unfortunately, kind of falls on the back foot, and therefore the need and requirement for security is probably not escalated enough up to the C-levels to make them aware of the gaps and issues within the network, and we see that right across the board. I think, I mean, globally, there are probably three million open positions for cybersecurity professionals, and you know, that’s where SMBs need to bring in professionals like us here to do maybe a consultancy session with them to identify where the gaps and needs are, to align the security strategy and their IT infrastructure and mirror the two of those together.
[Jakobus Koorts 32:34]
That’s really good input, John. And just in terms of the increase that we’ve seen from a regulatory compliance perspective, Paul, from your perspective, do you think that the increased pressure on small to medium enterprises, actually, just, all businesses across the globe, to be compliant with various different industry or legislative or data privacy regulatory compliance frameworks, do you think that is actually helping the cause from an infosec perspective? Do you think it’s helping to educate on an executive level as well?
[Paul Delahunty 33:12]
Yeah, and again, I only speak towards European Union regulation, okay, for the global audience; that’s the one I’m more familiar with. But I really believe the EU is doing a wonderful job on pushing resilience across the union. I think this legislative step is really needed. If you look into the legislation, it’s reasonable. It’s asking people to take reasonable precautions, reasonable steps, appropriate to your risk. And that’s the key thing SMEs need to realise. It’s appropriate to your risk.
And if you put it into other terms, right? If I was a billionaire and had a big massive mansion and a huge estate and, you know, lovely paintings and gold taps and all these kinds of things, right? I would probably need to have security guards, guard dogs, motion sensor detectors, all this, because it’s appropriate to my risk. I’m not; I live in an ordinary house. I have an alarm, and when I leave the house, I turn on the alarm and I lock the door. That’s appropriate to my risk level. And all the legislation is asking us to do are things like that. Just make sure you’re somewhat secure, up to what your risk says you should be secure to. And I think it’s raising everyone’s boats, and it is forcing the C-level and the management to actually cop on and actually take note of it and now act, and make them realise that, you know, that IT person I put in charge there who isn’t really a security person, they were going on, they weren’t actually talking rubbish; what they’re talking about is actually real.
[Jakobus Koorts 34:41]
Yeah, and I think Chris, from your perspective, I mean, Chris’s input on some of the industry standards is quite well known, but Chris, from your perspective specifically, you know, some of the frameworks or standards that you are involved in and help shape sometimes, I’m starting to see a lot more of it being actually focused on the smaller markets and smaller organisations like this. What have you found in the US market? Do you think, you know, those best practices or industry standards from an infosec perspective, do you think those are being adopted more widely at the moment?
[Chris Loehr 35:23]
I do think that the frameworks resonate more with SMEs. I think the standards will come next. It’s a tough balancing act because, you know, I kind of cut my teeth in the banking world over here in the States, and there were a lot of banks that were doing things like we’ve been talking about. They were managing their risk reasonably and according to what they needed to do. Well, there was a number, a pretty large, substantial number of smaller banks saying we don’t want to do it that way, we want it to be very descriptive, so they were telling the banking regulators, we want it very descriptive, what you want us to do. All the more mature banks were like, no, no, no, we don’t want that, we have a handle on things. And so it was tough to satisfy both. So what happened is the regulators came out with a checklist and said, oh, this is just a guideline, you don’t need to follow it, until they showed up to do your exam and they said, hey, we want to see what you’ve done with the checklist. So, oh, I think the same thing goes with frameworks and standards. I think, you know, Paul said it right, what the EU is doing as far as teaching people about how to handle the risk and manage the risk in a reasonable fashion. And so, just as an example, the NIST CSF 2.0 just came out.
I mean, it got released this week that we’re speaking on this call, and I read through that yesterday completely. First of all, it wasn’t long, which I think was good, but I was trying to read it from more of a business lens, not a technology lens, and I think the way that was written and structured is in response to what you just said: it needs to resonate with the executive level, it needs to resonate with the middle management level, and it needs to resonate with the employee level. And if you read the document, and how things are explained and how they’ve kind of laid out the order of things in that document, I think that’s substantially different than it was in the prior version. So I do think that, number one, people are starting to migrate towards those frameworks and standards, and at the same time those frameworks and standards are becoming more comprehensible, you know, they’re able more easily to be comprehended by non-technological people.
[Jakobus Koorts 37:44]
I think so. That’s probably why Jason for me to be to this week as well. Um, so Jason, being our own CISO, is very mindful of that balancing, you know, the technology speak with the executive level in our own organisation, so I have no misconception when it comes to the type of risk that we’re facing. Um, but that’s, we are fortunate from that perspective because we do have a CISO that is experienced and understands that. But from the framework and the standards perspective, just maybe, Chris, just for the audience today, what is the difference between a framework and a standard?
[Chris Loehr 38:26]
Yeah, typically one doesn’t replace the other, right? If you want to think about it, a framework is purely, it’s a very flexible, if you want to call it, methodology, but let’s just use the term framework. It’s a very flexible thing that people can, uh, choose what to apply and to what degree to apply, uh, and basically it provides a lot of guidance to what you need to do, and typically that flows into a standard.
So if you’re going to adopt a standard, that’s where, let’s put it this way, think of it as more of an audit test, right? When you do a framework, that’s kind of a self-attestation that you’re managing your risk and you’re doing it accordingly. When you adopt a standard, you’re expecting that to be, hey, I’m doing precisely the things that this standard says need to be done, and I am willing to basically sign my name and have a third party prove that I’m adhering to that standard. It doesn’t mean that you have to hire a third party to do it, but my point is that’s really what a standard is most of the time, uh, not only, but most of the time. You’re going to see, uh, companies that are regulated or that have to deal with a lot of different, um, they may have to deal with much different requirements from different directions: they might have regulatory requirements, they might have legal requirements, they might have contractual requirements with their vendors or clients or whatever.
A lot of them you will see adopt one or more standards, uh, for those reasons, while other people can just say, hey, I need more than just a framework and, um, I don’t quite need to go to that degree of a standard. So a little bit long-winded there, but that’s how I would explain it.
[Jakobus Koorts 40:18]
Brilliant, Chris, and I have maybe just two questions specifically related to that. But Manny, just in terms of, and obviously from your background as well, we can see in the background there you’ve got the Tel Space logo up and the slogan, which is Hackers For Hire. So just from a, obviously that is what you do, right? Your entire organisation exists around helping other companies to understand what their risks are from an external perspective, right, and probably internal to a degree as well. But do you think there’s a correlation in terms of organisations that adopt a standard and a framework, um, in terms of their resilience from a cyber perspective, versus the ones that don’t?
[Manuel Corregedor 41:01]
A bit of a tough question, but I think it depends on the organisation, right? So, like, you have really good teams that are really good at security and they don’t really necessarily need the framework; they’re just doing the right stuff by design, so they’re hardening applications, they’re hardening servers, they’re doing all sorts of things that, uh, they may have read about or learned about, and they’re just doing it without the frameworks. But definitely, I think the companies that do have frameworks and standards, they’re actually looking at controls and things that need to be in place; they’re definitely a lot more well positioned in terms of at least having things in place that, uh, would help, you know, in, uh, I guess reducing that risk, you know. But I think there needs to be, like, a difference between having a control in place and having an effective control in place. There’s a difference between those two things. Usually when you go and you do, like, a governance assessment or you do some sort of framework assessment or compliance check, you know, a lot of the time you’re checking to see if the controls are in place.
Do you have an EDR? Yes. Do you have an AV? Yes. Do you have a par policy? Yes. And then we come in there and actually test if these things are actually implemented effectively. So is it actually working as it should be? Is it actually reducing your risk? And you go and actually test that control and you actually go and see how effective is that control, um, and I think that, to answer your question now, definitely if you’ve got that sort of framework and you’re working towards it, I think it definitely puts you in a lot better position. You know, I think it’s probably important to highlight that compliance doesn’t mean you’re secure. You can be compliant, you can have all the things, but that doesn’t necessarily mean that you’re actually secure, and it comes back to, I think we’ve mentioned a few times, around, um, you know, technology is not the solution. But I think this might be a little bit of old school thinking, because people tell me that, you know, it’s a bit outdated, but really you can actually take any security and break it down to people, process and technology.
If you look at your people, your process and your technology around your risk, you start looking at where the gaps are in those areas, and you start taking the Google information security triad, the CIA, confidentiality, integrity and availability, and you start to break those things down and say, how can I actually look at this process? Is this business flowing? You know, where am I at risk from a confidentiality, integrity and availability perspective across this process? And you start breaking it down to people, process and technology, like going back to what we mentioned earlier. You get the best firewall, with, like, AI, NextGen, ML and whatever label you want to give it.
If the right person knows how to configure it, roll it out and monitor it and actually look at the alerts to know what’s going on, you know, it doesn’t really matter. It is the people side. If you don’t have the right process around that technology, so, like, anyone could go in there and change settings; like, the business is upset because something is blocked, they just go in there and disable something because it’s, like, sewing data server this, they turn it off: lack of change control around that technology. Again, there’s a gap there. So I mean, if you look at the framework, yeah man, change controls in place, we’ve got a firewall, sure, you passed it, but it’s not actually effective in how you’re actually putting everything together.
[Jakobus Koorts 44:04]
So as always, we didn’t have enough time to run through all the different topics that are covered in our report, but we do encourage our viewers to take a moment, download the report and of course the practical resources that we’ve included, uh, within the report as well. Some of it is guides, it’s starter kits for your organisation’s journey towards improved cyber resilience.
But thank you very much to all of you for contributing to the report, we really, really appreciate your time, and for the viewers as well today, thank you for joining us and we hope you find the report very useful, along with the guides and the additional resources that will be of aid. Thank you very much.
Download the EMEA Cybersecurity Report
In an age where digital threats loom larger by the day, small- to medium-sized enterprises (SMEs) are often caught in the crossfire, navigating a complex cybersecurity landscape with limited resources. The 2024 EMEA Cybersecurity Report by Numata is here to change that narrative.
Numata is committed to providing SME decision-makers across the EMEA region with a comprehensive and understandable guide to the current cybersecurity environment. Our 2024 report sheds light on the sectors most at risk, common types of cyber incidents, and the pivotal link between your IT and cybersecurity strategies—all through a lens focused on the unique needs of SMEs.
What’s Inside?
- Targeted Insights: Learn which sectors are most vulnerable to cyber threats and why, allowing you to better allocate your defensive resources.
- Incident Breakdowns: Understand the prevalent cyber incidents that SMEs like yours face, and identify effective preventive measures.
- Strategic Alignment: Discover how syncing your IT and cybersecurity strategies can fortify your business against digital dangers.
- Tailored Resilience: Compare cyber resilience tactics for large corporations versus SMEs, and adapt enterprise-level strategies to fit your context.
- Future Predictions: Gain expert insights into potential 2024 cybersecurity trends and prepare your SME for upcoming challenges.
Our vendor-agnostic approach ensures that the focus remains firmly on educating and empowering your business. By analysing real-world data and trends from 2023, and incorporating advice from top cybersecurity professionals, we offer a balanced and impartial perspective aimed at improving your cybersecurity posture.
Our report is crafted with an SME’s needs in mind, offering clear, actionable guidance to help you understand and tackle cyber risks head-on.
Take the first step towards transforming your cybersecurity approach. Download Numata’s EMEA Cybersecurity Report for 2024 today and equip your SME with the knowledge to confidently face the digital future.
Jakobus Koorts
Numata | Chief Executive Officer
Wilmore Chininga
Island Networks | Infrastructure and Cybersecurity Consultant
Jason Scanlon
Numata | Chief Information Security Officer
Wojtek Wierzycki
Sygnia | Head of Systems and Development
Chris Loehr
Solis | CTO and Executive Vice President
John O Mahony
Kaseya | Cybersecurity Solutions Specialist
Paul Delahunty
Stryve | Chief Security Officer