Case Study: Small/Medium Business Board Strategy and Guidance 2019
Author: Anthony Michael
In Part 1 – Compliance Assessment and Risk Management we spoke about a SMB that was failing to comply with their Legal, Statutory, and Commercial obligations. They were facing large commercial fines, criminal prosecution, and were in danger of losing access to their payment services.
They also had one other big problem – a highly unprofessional and recalcitrant employee that at the time of engagement was unable to be removed from their position, as they had managed to make themselves invaluable to the organisation by being the lynch pin for their IT systems.
Starting as a low level employee they had slowly patched together their IT network, built custom software, set up in ad-hoc servers, created no documentation in order to explain systems, and had subcontracted their own company to do IT support work – instead of adding extra internal resources.
In this article we will look at how TLM helped to advise the SMB on how to take their organisation from their non-compliant state to one that would be able to not only fulfil their obligations – but also grow and change in the future; while at the same time positioning the company to be able to move away from this employee.
The first thing was to understand the key business drivers – in order to understand what direction to guide the company toward in the future we had to understand the specific needs that they had. For this particular business there were four main drivers:
Once these drivers were understood we married them to our data gathered in our Compliance Assessment and Risk Management phase to present some options for forward movement.
They key thing to remember about designing a Cyber-Security Strategy is that there is no one right way to approach it. There is no one piece of technology, or simple recipe that serves as a magic bullet to cure all your company’s ill’s. You can’t even ensure that you won’t get attacked – cyber-crime levels are growing astronomically day by day. The aim is to Avoid, Transfer, or Mitigate as many of your risks as possible, and when an attack does occur, to make sure that you are prepared with a strategy to handle it.
So, in order to facilitate the client’s needs TLM worked very closely with the company director to discuss how best to solve their issues.
In this case we opted to focus on People and Process, only upgrading or changing technology when it was necessary to meet Legal or Commercial requirements. By doing this we were able to keep the overall cost to the business as low as possible.
What this meant in real terms was that we began to instil in the management a sense of responsibility for how the various arms of their business (specifically the IT department) were operating, including:
By angling for this company culture change we were able to do two things:
Once the director of the SMB with the guidance of TLM had decided on the specifics of which particular policies and procedures needed to be written and what technology configurations had to be changed/upgraded/or purchased we moved in to our End to End Solution Management phase. You can read about that next part of the case study in the link provided.
Finally, lets take a look at some of the lessons learned in this experience: