What is cybersecurity?

Cybersecurity embodies a set of systems, processes, and actions that protect businesses from digital attacks. It is also known as information technology security or electronic information security. Using technology and digital platforms for commercial activities exposes companies to cybercrime like phishing, malware, or data and identity theft. To counteract these cyber threats, policymakers play a role in raising cybersecurity standards and developing regulatory frameworks that enhance cyber readiness capabilities in businesses. The International Telecommunications Union (ITU) provides a definition on cybersecurity and action areas for policymakers in its Recommendation ITU-T X.1205.  

Why does cybersecurity matter for small businesses? 

An increasingly interconnected world through digital networks has enabled businesses to collect and share more information to reach new customers and innovate. But it has also led to a rise of criminal activities that profit from stealing customer data and spying on business practices. In 2019, a report found that about 7.9 billion records globally were exposed by data breaches, an increase of 112% from 2018. Small businesses are often security breach victims, representing more than 40% of attacks in 2019. Studies have also found that about two-thirds of small companies close within six months of being hacked. Because of these vulnerabilities, MSMEs are often the weak link in global value chains. Since small businesses are so vulnerable to cyber attacks and can link to large anchor firms in global value chains, cyber readiness can be a criteria for the selection of suppliers. Bearing this in mind, policymakers need to develop holistic strategies and action plans to mitigate these threats. For example, the Organisation for Economic Co-operation and Development’s (OECD) Cybersecurity Policy Making at a Turning Point suggests key elements that cybersecurity strategies can incorporate. A McKinsey article has also outlined questions that can help policymakers formulate action plans on cybersecurity. 

What are some cybersecurity risks facing small businesses? 

The increased use of digital platforms creates security vulnerabilities that cyber criminals often seek to exploit for illicit gains. Since the start of the COVID-19 pandemic, for example, cyber criminals have been increasingly targeting small businesses due to their lower skills and resources to adopt cyber protection systems. In this context, the International Chamber of Commerce (ICC) has outlined four key cybersecurity threats facing small businesses recently: (1) phishing and business e-mail compromise attacks; (2) malware distribution using COVID-19 as bait; (3) remote working and supply chain threats; and (4) heightened vulnerability due to a lack of awareness.

Why is cyber readiness a trade issue?

Cyber readiness and security are important for international trade, especially digital trade. Trade relies on trust, and threats to cybersecurity undermine confidence in digital trade and transactions and make sellers and consumers think twice about using this option. Businesses recognize this fact but have to comply with national regulations. If those regulations do not follow a standardized, risk-based approach, then potential traders are put at a disadvantage. Furthermore, varying requirements add complexity and can significantly increase costs for MSMEs, while at the same time reducing security. Policymakers should aim for aligned approaches to cybersecurity, including consistent use of standards, to reduce complexity and support MSMEs.

Where can I access policy guidelines, frameworks and trainings?

• ITU National Cyber Security Strategy Guide: This resource provides actionable guidance for policymakers so that they can gain a comprehensive understanding of the purpose and content for developing a national cybersecurity strategy. Visit the ITU website.
• ITU Global Cyberecurity Index: This consists of a measurement tool that tracks country progress on cybersecurity commitments around capacity development, cooperation, and regulatory measures. Visit the ITU website. 
• ITU Cybersecurity training: This training is designed to help policymakers understand lifecycles, principles, and good practices of cybersecurity strategies at the national level. Visit the ITU Academy. 

Where can I find best practices and national examples?

• Canada’s National Cyber Security Action Plan (2019 – 2024): This plan was designed after a comprehensive cyber review conducted in 2016. It led to the development of a cybersecurity assessment and certification program for SMEs. Visit the Canadian government website.
• ITU’s National Cyber Security Strategies Repository: This resource maps out national policies, action plans, and other relevant resources reported by policymakers around the world. Visit the ITU website. 
• United Kingdom’s Active Cyber Defence: This resource was launched in 2017 to counteract cyber attacks. It led to setting up the National Cyber Security Centre and other programs. A recent study found a 20% reduction in UK-hosted phishing attacks in the 18 months after the strategy was adopted . Visit the UK government website.  
• United Kingdom National Cyber Security Center (NCSC): This center offers certified training in cybersecurity for businesses and professionals, along with advice and guidance on the topic. Visit the NCSC website.
• United States Cybersecurity Maturity Model Certification (CMMC): This framework looks to make accreditation affordable to small businesses to reduce their risks against certain cyber threats. Visit the U.S. CMMC.