How Small and Medium Enterprises approach cybersecurity

SMEs are key players in most economies and highly contribute to improving human welfare worldwide. They are, however, hit hard by cyber risks; 60% of small companies are out of business within 6 months after a cyberattack. Because of their typically low equity ratio, they are more vulnerable than larger enterprises to external events.

To reduce the effect of cyber risks, organizations need to align their cybersecurity maturity to their risk appetite. Cybersecurity maturity is managed and measured through standards such as the ISO27001 and the NIST Cybersecurity Framework. SMEs, however, are unable to effectivity adopt these standards because of high implementation cost, lack of resources, lack of technical solutions, lack of awareness, etc.

Hence, we propose a cybersecurity standard tailored to SMEs, starting from the following primary research question:

"What components of a cybersecurity standard are tailored to SMEs with a low adoption barrier that effectively manage cybersecurity risks?"

As our research demonstrates, lack of resources and the implementation cost prevent SMEs from successfully adopting a cybersecurity standard. We also observed that a cybersecurity standard has 6 crucial components:

1. Management approval of the risk management processes
2. An organization-wide approach to risk management
3. The organization has at least a limited understanding of the broader ecosystem
4. Risk assessment
5. Protective technology
6. Identity management and access control

Due to the complexity and unpredictability of today's business climate, businesses need to continuously adapt to survive. Adaptability has thus become key for SMEs and needs to be deliberately promoted and supported by internal procedures. Likewise, a cybersecurity management standard for SMEs needs deliberate flexibility.

Our solution is the SMB cybersecurity canvas, that can be used to engage individuals in a strategic perspective of risks, cybersecurity, and measures.

On the left, the basic canvas provides company specifications and risk assessment:

• Business context: explaining why the business wants to conduct a cybersecurity program
• Company risks: the integration with company-wide risk management of critical non-cyber-related risks
• Cyber-risks: cybersecurity-specific risks

On the right, is a list of measures (as-is & to-be) to reduce or mitigate the risks. The basic version only mentions the two categories with the second and third-highest perceived effectiveness (protective technology and identity and access). The category with the highest perceived effectivity, risk assessment, is represented on the left side.

Finally, we also developed a useful checklist, based on our research and consultancy expertise, that can be used separately from the SMB Cybersecurity Canvas:

• Document the answer: "Why is cybersecurity relevant for the company?"
• Document the most important risks to the organization (including non-cybersecurity risks)
• Document the most important cybersecurity risks
• Rent expertise to determine appropriate measures for those risks.
• Determine measures that fit those risks, preferable measures using protective technology or identity and access of users
• Plan regular meetings with the expert to adjust to changes and ensure progress. The timeframe depends on the level of risk and risk appetite of the SME.

Want to find out more about our research? The thesis also dives into topics such as:

• Process for building research supported product
• Analysis of the research done via Group Support System research with 10 experts (in total 130 years of experience)
• Proposed changes to the NIST Cybersecurity Framework
• Comparison of research methodologies

Vincent van Dijk is Executive Master at AMS and Cybersecurity entrepreneur.

Prof. Dr. Yuri Bobbert is Academic Director at AMS and supervised Vincent during his research project.