The diversification of risks in cyberspace – ransomware is just one of the most prominent buzzwords – does not spare SMEs. Even though SMEs are incredibly diverse and heterogeneous – the term "SMEs" is always a gross generalization. Many companies are confronted with similar problems and, above all, a lack of resources to meet the challenges.
However, this is not due to a lack of digital expertise among SMEs. Even more than for corporations, limited resources are a major challenge for medium-sized companies. Despite the seriousness of the current risk situation in cyberspace, it is difficult to prioritize an issue that does not directly contribute to value creation. In case of doubt, there are always more pressing tasks in day-to-day business - that means until a serious security incident occurs. Especially if the company is not able to assign a dedicated IT security team due to its size, IT Security has to be dealt with on the fly.
This pragmatic approach to IT security is necessary and effective when resources are limited. Nevertheless, it is important not to be misled by the clichéd hacker topos, which tends to portray everything to do with IT security as black magic. Even against the horizon of new threats, basic IT protection is not rocket science if the topic is taken seriously. With a structured approach, solid protection is quite realistic, even with reasonable effort.
However, especially when security has to be implemented "on the fly" by admins as a side hustle, it is often difficult to implement a structured approach in practice. In any case, there is no shortage of standards and best practices, and yet are these practically feasible for SMEs? The single person in charge of security can quickly feel overwhelmed by the vast amount of standards. But they can also feel lost without the opportunity to exchange ideas with other experts - which specific approach is best suited to my company structure and my situation?
A sorrow shared is a sorrow halved
The single security officer in a medium-sized company may feel lonely. A proven remedy for loneliness is the realization that many people are basically in similar situations; you just haven't connected with them yet. However, one quality that should not be underestimated in many SMEs is their ability to cooperate. In any case, competition is a misguided category when it comes to IT security.
Still, even if the ability and willingness to cooperate are fundamentally present, there is always a risk that activities outside of actual value chain will fall short without the appropriate impulses. What impulses are needed here? At first, it would be particularly helpful to set up forums and platforms that make it easy for the security people of SMEs to make contact with each other. Such platforms should offer the opportunity to share experiences and best practices, while minimizing the organizational effort for individual participants.
Furthermore, such platforms do not have to be used solely for mutual exchange, but can also function as a channel to gather and utilize external expertise. This also tackles a fundamental problem with consulting services: they are not efficient, especially under the structural conditions of SMEs. Of course, every company can purchase the relevant expertise itself on an ad hoc basis. Yet countering mutual problems individually on a one by one basis is neither effective nor efficient. And learning is always more enjoyable together.
The Cohort model: creating a platform for cooperation and shared learning
At intcube we try to tackle the "lonelyness" as well as the "efficiency" problem by bringen SMEs together in so-called cohorts. Within those, common themes of cybersecurity are discussed to enable the participants, to orientate in the jungle of best practices and gain confidence for their own approach for IT-Security within their organization. The goal is also to promote topic-specific exchanges between participants so that they can share solutions to similar problems.
In this way, we aim to enable SMEs to make the most sustainable impact from the limited resources available to them.