United Front against Cyber Threats: how we get SMEs on board the NIS2 train

More and more companies are registering for NIS2, but it’s mainly SMEs that are lagging behind. How can we guide them through the security landscape?

“If you want to remain part of the ecosystem as an SME, you have to ride the NIS2 wave,” begins Bart Loeckx, Director Networking & Security at Telenet Business. SMEs often run into difficulties, such as a lack of the knowledge and budget needed to set up their IT infrastructure in compliance with NIS2 regulations.

During a roundtable discussion organized by ITdaily, experts in the field consider a joint solution. “We need to bundle the fragmented expertise within the market and bring it to the SMEs,” says Johan Klykens, Cybersecurity Certification Authority (NCCA) at the CCB.

Also at the table are Ron Nath Mukherjee, Cybersecurity Consultant at Eset, Sabine van Hoijweghen, Head of Sales and Partner at Secutec, and Patrick Banken, Business Development Manager at Kappa Data.

To register or not?

Meanwhile, the first phase of NIS2 has started, namely registration. “At the moment, it’s still unclear how many entities need to register,” says Klykens. He presents the current figures: “1,500 essential and 2,500 important entities have registered in Belgium today. These numbers are currently higher than we initially estimated.”

The first phase already proves to be a stumbling block for many SMEs. “Many small businesses are caught off guard and don’t know if they even need to comply with NIS2 regulations,” is the consensus around the table.

Klykens finds this surprising, however. “The CCB acts as a lever for every organization. SMEs can ask us via email if they fall under the NIS2 regulations, to which we can immediately give a clear answer,” he notes.

Evangelizing

Most SMEs are taking a wait-and-see approach when it comes to NIS2. Mukherjee: “At Eset, we notice that SMEs in Wallonia are taking a very cautious stance. A year later, we still need to evangelize there.”

Banken adds that this is not only the case in Wallonia, but also in Flanders. “We notice an increase in, among other things, Incident Detection and Response (IDR), but that doesn’t cover the entire network. Cybersecurity measures need to be implemented much more broadly,” he states.

Van Hoijweghen also emphasizes the lack of awareness among SMEs and distinguishes between two types of companies: “You have organizations that have always taken security seriously and see the directive as a logical next step where top management also takes responsibility, and companies that now suddenly have to make a leap forward but lack the people and budgets to do so. For the latter group, this often leads to uncertainty or even panic, because they have never structurally engaged with cybersecurity before.”

Knowledge and costs

According to the participants, the lack of knowledge and high costs are at the root of the uncertainty among SMEs. Some small businesses simply don’t have the financial means to invest in their IT infrastructure, or don’t know what to invest in. “Companies can choose solutions that cost half a million euros or a simple license update of a few euros that includes the standard configuration. SMEs lack the right knowledge to make a cost-effective choice,” says Klykens.

“Moreover, cybersecurity is still too often seen as a purely IT problem, while it’s actually a company-wide risk,” says Banken. “Within SMEs, cybersecurity is still viewed at the C-level as a purely IT problem, while that’s no longer the case today. It’s important that we also create awareness within management.”

Setting priorities

“If you don’t know what to protect, where do you start?” Loeckx asks. He points the participants to a secure-by-design approach. “Security is not just a legal obligation, but an investment in business continuity. It’s a change in mentality that companies need to undergo. Companies need to map their critical assets and then ask themselves what happens if those are affected.”

You’re not investing in NIS2, but in your business continuity.

Bart Loeckx, Director Networking & Security at Telenet Business

“What do I need as a company tomorrow to continue my activities?” Loeckx asks. The answer to this question contains your priorities as a company. He clarifies this with an example. “A catering company that suddenly loses all contact details of its customers, and consequently doesn’t know what and where to deliver, that information is a priority for the company to carry out its activities.”

Van Hoijweghen also emphasizes the importance of setting priorities. “Every company is at a different maturity level in terms of security. It’s important to analyze which loose elements are present and then extract the priorities from them. You can’t tackle everything at once,” she states. An advisor can help the SME determine step by step which measures are needed and how they can be realistically implemented.

Ecosystem of partners

“SMEs often work with a trusted IT partner,” says van Hoijweghen. As a result, they will be less inclined to work with a separate cybersecurity specialist. Secutec responds to this by deliberately positioning itself behind these IT partners.

The SME’s IT partner attaches their wagon to us and we provide the necessary information.

Sabine van Hoijweghen, Head of Sales and Partner at Secutec

“We provide the necessary knowledge, tools, and feeds so that the partner can guide their client well, without having to have all the security expertise themselves,” she explains. This way, the SME retains the familiar point of contact, while Secutec guarantees support in the background.

Joining forces

The expertise within the market is fragmented. Mukherjee experiences this mainly within government services. “We often get asked by cities and municipalities if there’s a shared solution because they can’t see the forest for the trees.”

Everyone around the table agrees on a joint approach to get SMEs on board the NIS2 train. Klykens talks about a collaboration between security companies and IT suppliers to offer a certified service to SMEs. “Especially for small businesses with barely ten employees who know nothing, and don’t need to know anything, about IT but are just looking for a solution,” he states. As a next step, the CCB will work very concretely with these actors on this.

Managed services are also put forward by Banken as a solution for SMEs that don’t have the in-house knowledge to set up their IT infrastructure in compliance with NIS2. This way, SMEs can rely on continuous monitoring, patching, and follow-up without having to build an internal security team.