Iva Tasheva, co-founder and cybersecurity lead, on how to help SMEs thrive in the digital world
When Iva Tasheva co-founded CyEn, a family-owned micro-consultancy in Brussels, in 2018, she had a clear vision for the future. As the company's cybersecurity lead, she would help public and private organisations manage cybersecurity governance, risk and compliance (GRC). She was more than prepared for this responsibility: her previous experience covers work in the public, digital, transport, banking, medical devices and non-profit sectors, and she is a certified ISO 27001 Lead Implementer and ISO 27799 Lead Manager.
Besides her work for CyEn, Iva Tasheva is a member of the EU Cybersecurity Agency (ENISA) Ad-Hoc Working Groups on Enterprise Security and on Cloud Services, adviser to Obelis (representation of non-EU based manufacturers in a successful EU market entry), a board member of the DPO Circle (community of GDPR and data security professionals) and an adviser to SANA (the South African Norwegian Association).
What are the most common misunderstandings that SMEs have about cybersecurity?
Many SMEs believe that they are not of interest to cybercriminals. Indeed, the costs of cybersecurity and the loss after a cyber incident vary. But no one is "vaccinated" against a cyber virus. If you are online, you are visible to cybercriminals. And cybercrime is similar to traditional crime: you have "pickpockets" who steal indiscriminately and look for easy targets, and "mafia" going for the big targets with novel types of attacks.
What is the biggest threat that SMEs face?
According to CybSafe, human error caused about 90% of data breaches in 2019. In 2017 and 2018 it was 61% and 87% respectively. In 2020, this trend was aggravated by the fast digitalisation and home working during lockdowns, with little or no cybersecurity awareness or training for employees.
In 2021, according to ENISA, the biggest SME threats remain phishing, web-based attacks and malware. Botnet attacks also remain a significant problem for Bulgaria and will be a growing threat for Europe. By 2025, according to Statista, there will be 4.3 billion IoT devices in Europe. If not secure, they could all be used in a massive botnet attack on any business. There are also other methods of attacks and the landscape constantly evolves.
SMEs need to understand that attackers are interested in their business and data: corporate and trade secrets, infrastructure and user data, financial information.
How can taking care of their cybersecurity benefit SME operations?
Cybersecurity creates competitiveness and is needed for partnerships. SMEs may lose their edge when striking big partnerships without a commitment to cybersecurity, due to security concerns. Studies show that users can abandon a company or a product because of loss of trust. On the other hand, companies committing to security and properly communicating it have an advantage for both business and private clients.
Cybersecurity also contributes to better predictability and reduced costs. Factoring information security risks in business decisions improves predictability and supports better-informed decisions.
Cybersecurity is also becoming a condition to access the EU market. This year, the European Commission adopted a Delegated Act under the Radio Equipment Directive, introducing cybersecurity and privacy rules for connected devices to access the EU market. This autumn, we expect the Cyber Resilience Act that will revolutionise the EU cybersecurity framework and introduce minimum security requirements for all products, services and processes delivered in the EU.
The EU is reviewing its first cybersecurity law (the NIS Directive) to increase the security level of critical and digital infrastructure. The version to be adopted this year includes more specific rules and a broader scope of applicability. The GDPR also includes adequate data security requirements.
Finally, in addition to the focus on recognised industry standards, such as the ISO 27k series, the EU is building its cybersecurity certification frameworks to help companies demonstrate compliance and security commitment. I am supporting ENISA in finalising the soon-to-be adopted EU Cloud Services Certification framework (EUCS). There is also the EUCC – for trust services, and the 5G certification scheme is in the making. These schemes will facilitate compliance across the EU and provide legal certainty for companies placing products or services on the EU market.
What about the costs? Is it too expensive for SMEs to take proper care of their cybersecurity?
Like any improvement, cybersecurity requires a certain financial investment, but above all, it requires a lot of willingness and time.
To know where to invest, SMEs need to identify, assess and manage their cybersecurity risks. This will allow them to focus the investment where it matters most and accept the cybersecurity weaknesses that do not pose a significant risk to their business. Risk mitigating measures vary in impact and cost.
A likely risk is linked to human error. To mitigate it, you need a good level of employee awareness. Business owners should invest in training and awareness programmes, regularly informing employees of the threats and empowering them to protect the organisation. Sharing sectoral cybersecurity alerts, launching phishing awareness campaigns, and purchasing cybersecurity awareness/training are low-budget but high-impact activities.
Finally, 80% of data breaches could be prevented with MFA (multi-factor authentication). This is often a free security option in products/services. Just use it; it's free! And if you are a developer/producer, make sure you assign the budget to implement MFA to enable a minimum level of security for your users.
What inspired you to create a special manual on the topic? What do you aim to achieve with it?
The initiative was launched and supported by the Bulgarian Member of the European Parliament, Ms Eva Maydell. I worked with her office for years as a stakeholder and then as an expert, helping design adequate security requirements in the EU legislation mentioned above. We both worked to ensure Europeans have the skills and knowledge to take advantage of digitalisation. I am also providing training to startups in the medical devices industry to help them improve product security and gain access to the EU market. So it was a natural continuation of this commitment to prepare and publish a free guide for startups/SMEs in Bulgaria. Our objective was first to raise awareness of the threats and then to provide a list of pragmatic organisational and technical measures to address the key challenges. We also review the regulatory framework and provide useful contacts and resources for further reading.