The definition of critical infrastructure has expanded in recent years, and while few mid-tier or smaller businesses fit the definition, almost all of them intersect with organisations that do.
According to Dane Meah, co-founder and board director of InfoTrust, this means new obligations and requirements for organisations that typically plug into critical infrastructure supply chains. He spoke to Digital Nation as part of a mini-documentary and cover story on critical infrastructure.
"We traditionally think of critical infrastructure businesses as the large behemoths who usually have much larger security budgets easily dedicated function and a whole breadth of capability to deal with the challenges of maintaining a secure environment."
But many smaller and mid-tier businesses also face managing a raft of changes due to legislative amendments, he said. "That's going to mean a lot of obligations for these businesses that just really aren't equipped to deal with those."
“What I'm seeing across the industry at the moment is, you know, cybersecurity used to be a real focus and priority for the real top end of town, that's now moved firmly into mid-market and into the SMB, right the way down to small businesses,” says Meah.
As the scale of critical infrastructure expands, many organisations will need to approach cybersecurity differently, he said.
Taking a fundamental approach to an organisation's cybersecurity is the first priority, he says, warning that organisations need a top-down approach. That also means educating individuals at all levels of the business, observing and understanding business processes and knowing what your risks are.
He told Digital Nation that business leadership's understanding of this area is improving, especially concerning the impact of failure.
“The maturity of leadership across the board is advancing all the time. We're often seeing that security programs are driven from the board, where perhaps in the past, it was an IT-led initiative,” says Meah.
“That's showing that there's a real maturing in that space. And the way that we see that as a cybersecurity consulting business is we're doing a lot of maturity assessments for businesses, we're supporting and creating cybersecurity strategies to support those businesses on the journey.”
“We're looking at how can we create more accessible solutions that allow smaller businesses to go on a maturity journey, but without necessarily having to have expensive staff or resources on a regular basis.”