
Case Study: Small/Medium Business Board Strategy and Guidance 2019

Author: Anthony Michael

In Part 1 – Compliance Assessment and Risk Management we spoke about an SMB that was failing to comply with their legal, statutory, and commercial obligations. They were facing large commercial fines and criminal prosecution, and were in danger of losing access to their payment services.

They also had one other big problem – a highly unprofessional and recalcitrant employee who, at the time of engagement, could not be removed from their position, because they had made themselves invaluable to the organisation by becoming the linchpin of its IT systems.

Starting as a low-level employee, they had slowly patched together the IT network, built custom software, set up ad-hoc servers, created no documentation explaining the systems, and had subcontracted their own company to do IT support work instead of adding extra internal resources.

In this article we will look at how TLM advised the SMB on taking their organisation from a non-compliant state to one that could not only fulfil its obligations but also grow and change in the future, while at the same time positioning the company to move away from this employee.

The first step was to understand the key business drivers: to know which direction to guide the company in, we had to understand its specific needs. For this particular business there were four main drivers:

  • Being able to comply with their legal and commercial obligations both now and in the future, so that they would not find themselves in this position again down the road.
  • Enabling growth while maintaining business continuity – taking time to shut down their operation and reorganise and rebuild was not something they could afford.
  • Maintaining their brand reputation was of significant importance. As a medium-sized local business that operated primarily on good word of mouth, having their reputation tarnished could potentially lead to the organisation falling over.
  • And finally, remaining cost effective was paramount to our efforts. While the business had grown fairly rapidly in the last 5 years, they were not a billion-dollar conglomerate with endless funds to spend on technology improvements.

Once these drivers were understood we married them to our data gathered in our Compliance Assessment and Risk Management phase to present some options for forward movement.

The key thing to remember about designing a cyber-security strategy is that there is no one right way to approach it. There is no single piece of technology or simple recipe that serves as a magic bullet to cure all your company’s ills. You can’t even ensure that you won’t get attacked – cyber-crime levels are growing astronomically day by day. The aim is to avoid, transfer, or mitigate as many of your risks as possible, and when an attack does occur, to make sure that you are prepared with a strategy to handle it.

So, in order to facilitate the client’s needs TLM worked very closely with the company director to discuss how best to solve their issues.

In this case we opted to focus on People and Process, only upgrading or changing technology when it was necessary to meet Legal or Commercial requirements. By doing this we were able to keep the overall cost to the business as low as possible.

What this meant in real terms was that we began to instil in the management a sense of responsibility for how the various arms of their business (specifically the IT department) were operating, including:

  • Making sure that they had direct oversight of, and approval over, each purchase or upgrade made to the system.
  • Making sure that they knew all the passwords for their systems and (in conjunction with some adjustments to their network technology) were able to change those passwords at a moment’s notice.
  • Making sure they had specific processes around things like how data could be accessed, by whom, where that data was stored, and how that data was classified.
  • Enforcing the idea that multi-skilling among themselves and their staff was an invaluable resource. By leaning so heavily on this one employee for their technology needs in the past, they had given that employee the power to act as they pleased without fear of repercussion. With some basic cyber-security awareness training for all staff, a slightly wider pool of resources in that department, and a high-level understanding of their own network, they would be able to mitigate their risk.

By angling for this company culture change we were able to do two things:

  • Drastically shrink the circle of things that would need to be protected via technology, thus keeping costs down. E.g. you don’t have to have expensive and complicated encryption software around your email system to mask credit card numbers if you simply inform staff why it’s a huge security risk to have customer card payment details in plain-text emails, instruct them to no longer take payments that way, and give them a clear procedure for what to do should that information come through.
  • Avoid having the problem staff member grow suspicious that they were going to be removed and take it out on the company by crashing servers or stealing information, by not drastically changing their environment in a short period of time. We kept them involved and framed it as “making sure the company was protected in case of an emergency”. A completely sensible undertaking.

Once the director of the SMB, with the guidance of TLM, had decided on the specific policies and procedures that needed to be written and which technology configurations had to be changed, upgraded or purchased, we moved into our End to End Solution Management phase. You can read about that next part of the case study in the link provided.

Finally, let’s take a look at some of the lessons learned from this experience:

  • First, as mentioned above, there is no one right way to approach cyber strategy and no simple recipe to follow. You can’t even ensure that you won’t get attacked – cyber-crime levels are growing astronomically day by day. The aim is to avoid, transfer, or mitigate as many of your risks as possible, and when an attack does occur, to make sure that you are prepared with a strategy to handle it.
  • When handling unruly employees, sensitivity and good planning are key. Should that employee decide to act out, they can cause irreparable damage to your business, in some cases more so than an external threat. Always make sure that you have safeguards in place during a situation of this nature.
  • It is senior management’s responsibility to know where their weaknesses lie and how to invest in talented people or staff training to mitigate their risk.
  • Tailoring a cyber strategy is about considering each company’s individual business drivers and marrying those with its critical assets and risk appetite. There is always a solution for a problem – it’s just about finding the balance.