Corporate Governance and Cybersecurity: Key Strategies for SMEs
Luc Sterckx and Marc Vael shared valuable insights at GUBERNA's recent event, organised by the Sounding Board Committee for SMEs, start-ups, and scale-ups on 26 November 2024. Luc focused on corporate governance for SMEs, while Marc highlighted the importance of cybersecurity for directors working in SMEs.
Luc Sterckx kicked off the evening with a presentation on his new book, Corporate Governance from Startup to Scale-up, covering key principles, common pitfalls, and more.
Why this book and why now?
Corporate governance (CG) is not just for large corporations; it is equally vital for small and medium-sized enterprises (SMEs). Robust governance is a necessary condition for long-term success and growth. However, SMEs often face challenges in adopting CG practices due to the lack of practical guidelines tailored to their needs.
Corporate governance for SMEs remains a relatively new field. SMEs differ significantly from larger corporations in various aspects, including:
- limited resources compared to large organisations;
- time and budget constraints;
- limited knowledge and an absence of reference points for governance;
- higher levels of uncertainty, risk and rapid change;
- cultural nuances.
So what are the Key Principles?
Corporate governance defines how a company is managed and controlled. At its core lies the Board of Directors (BOD), which plays a fundamental role in setting the company's strategy, overseeing operational control, upholding values and culture and, finally, ensuring compliance with legal and ethical standards.
Why do SMEs Need a Board of Directors (BOD)?
Key benefits of a BOD include:
- providing a structured forum for sharing information, opportunities, challenges, and responsibility;
- acting as a legal safeguard and ensuring alignment with governance best practices;
- offering consistent messaging to stakeholders and reducing redundancy in communications.
Board Composition: Building a Balanced Team
- Shareholder Representation: Balance shareholder influence without direct duplication of ownership structures.
- Quality Over Representation: Select members based on expertise in business strategy, human capital, governance, finance, ethics, and SME dynamics.
- Complementary Skills: Avoid clones—diversity is key to synergy with management.
- Commitment: Members must dedicate the necessary time and effort.
- Chairperson Role: A strong, effective leader is crucial.
- Independent Directors: Include impartial voices to strengthen objectivity.
Common Pitfalls in SME Governance
Typical pitfalls often encountered are:
- governance is seen as irrelevant or only for large corporations;
- short-term concerns overshadow long-term planning;
- shareholder disputes spill over into board dynamics.
The way forward for SME Boards
To ensure productive board meetings, a board should:
- set a clear agenda, meet regularly, and emphasise professionalism;
- start each meeting with a brief status update on marketing, sales, R&D, finance, and operations; and
- then dive deeper into one strategic topic per meeting, such as budgeting, human capital, risks, or growth strategies.
Balancing Priorities in Governance
Effective boards must accordingly maintain a balance between:
- short- and long-term goals (strategy rather than firefighting);
- stakeholder interests, such as founders vs. investors or employees vs. shareholders;
- financial stability and growth, ensuring sufficient funding for the future;
- creative freedom and operational control.
Communicating Effectively
SMEs must carefully manage relationships with key stakeholders such as shareholders, banks, employees, customers and the public.
Resilience in turbulent times
SMEs face unique challenges such as financial instability, reduced sales, and the need for high employee motivation.
In relation to these challenges, the board can play a critical role in restoring confidence, maintaining focus on values and quality, managing risks effectively and, last but not least, leading by example.
For a deep dive in his latest book, see this link.
Importance of cybersecurity for SMEs today and in the future
Marc Vael's presentation started with the reasons why cybersecurity is also relevant for directors working in SMEs: information is valuable, digital is everywhere, customers expect it, regulations are increasing, and cybercrime and the reputational risks that follow from it are real, to name a few.
The key for SME directors is not to focus on the technical risks related to cybersecurity in terms of confidentiality, integrity, availability and compliance, but on how to reduce the potential negative business consequences of cyber incidents.
The top 5 cybersecurity risks at SMEs today are ransomware, supply chain risks, connected device risks, people and budget. It is important to identify and address the top cybersecurity risks faced by SMEs.
Little has changed in the last 10 years in terms of cybersecurity focus areas. The Belgian Cybersecurity Guide from FEB already focused on 10 key principles and 10 actions which are still valid today.
- Principle 1: Look beyond the technology
- Principle 2: Compliance is not enough
- Principle 3: Translate your security ambition into an information security policy
- Principle 4: Ensure top management commitment
- Principle 5: Create a visible security role in your company and embed personal responsibility
- Principle 6: Remain secure even when you outsource
- Principle 7: Ensure security is an enabler for innovation
- Principle 8: Keep challenging yourself
- Principle 9: Maintain focus
- Principle 10: Be prepared to handle incidents
- Action 1: Implement user education & awareness
- Action 2: Keep systems up to date
- Action 3: Protect information
- Action 4: Apply mobile device security
- Action 5: Only give access to information on a “need to know” basis
- Action 6: Enforce safe surfing rules
- Action 7: Use strong passwords and keep them safe
- Action 8: Make and check backup copies of business data and information
- Action 9: Apply a layered approach against viruses and other malware
- Action 10: Prevent, detect and act
The Centre for Cybersecurity Belgium (CCB) has also published its 10 golden rules for cybersecurity at SMEs, which provide simple advice that anyone in an SME can follow. The CCB also provides free security templates as inspiration. SMEs can even benefit from specific cybersecurity subsidies.
Obviously, directors at an SME need to be prepared for a cyber incident in order to save time, energy and stress when one takes place. Identifying in advance which internal and external stakeholders must be notified in case of a cyber incident is essential.
The main conclusion of the presentation is that directors in SMEs play a very important role and should review the core foundational elements of cybersecurity in order to avoid unnecessary cybersecurity incidents.
More information can be found here.