Best practice in information security and compliance for small and medium-sized enterprises (SMEs) is often seen as a headache and a "grudge purchase", yet SMEs face the same threat landscape as larger organisations, without their budgets.
SME IT leaders met at a Computer Weekly roundtable event, in association with Dell SecureWorks, to discuss the challenges they face around data protection, compliance and the cloud and how to make their organisations secure without following expensive, outdated methods.
The cloud is a technology many SMEs are interested in because of the benefits of flexibility, pay-for-use and reduced hardware investment. But there remain questions over its security.
David Lacey, director of research at the Information Systems Security Association (ISSA-UK), said the cloud is a good solution for SMEs if they choose professional, reliable service providers.
"Big companies don't like the cloud as they can't get legal assurance from the regulators," Lacey said.
However, Alan Coburn, director of security and risk consulting at Dell SecureWorks, is more sceptical.
"Who's responsible for security in the cloud? It is a personal decision, but I am very wary of putting personal information into the cloud," Coburn said.
Steve Nicholls, technical architect at Ingens, said there had been no major security breach of the cloud, but it could only be a matter of time as cyber criminals wait for the right moment to strike.
"There have been no security scares yet as hackers want everyone to put all their data in the cloud and then do a land grab and get out, which is why it's quiet for now," Nicholls said.
Compliance is a painful process for many SMEs. The Data Protection Act and PCI-DSS payment card regulations were criticised as time-consuming and expensive.
However, there is no avoiding compliance, even if it does not necessarily lead to better security.
"Before, compliance was not expected but now it is an issue. The world of compliance is not security - it's a mad world," said Lacey.
Peter Vangeen, owner of Corporate Chauffeurs, is going through PCI-DSS compliance because his bank asked him to do so.
"It is a lot more complicated than I thought. I have a 48-page document with the best part of 400 questions. I started at question one and gave up at question seven. The whole process for SMEs is very difficult, is huge and costs money and I wonder how different security will be at the end from how it is now," Vangeen said.
"Compliance is about covering yourself, passing on the problems and ticking all the boxes," he said.
"I'm running a business. Reading through 400 questions that are meaningless to me is not a way to spend my time. I want to look after customers which I have done for 20 years without a security issue. The tick-box culture large companies perpetuate and wrap up in corporate speak is meaningless for SMEs."
But Eamonn Sheridan, IT director at Citybond Holdings, said: "If you wade through security guidelines, there are good practices."
Dell's Coburn said he can see why PCI-DSS was created, because organisations are not putting the necessary controls in place, but added that SMEs should work with trusted advisors on compliance.
"One organisation asked us how much is too much credit card data? But the standard doesn't prescribe how much is too much. That organisation had been given different advice which could have cost them hundreds of pounds," Coburn said.
SMEs should try to understand where their assets are and focus security controls there. "It is better than a scattergun approach," he said.
Andy Bover, head of ICT at finance company 1st Credit, agreed it was important to get the right advice.
"Be wary of any consultant who doesn't ask you why you need to hold credit card data. There is very little business case for retaining cardholder details," Bover said.
The main benefit of compliance, said Bover, is that it gets the attention of the board, because the CEO must sign a top-level policy document committing to confidentiality and integrity in order to comply with standards such as ISO 27000.
"It is signed by the chief executive and if a weakness is found, the chief executive is in court. This is positive, as it means my chief executive will commit to IT expenditure to see it happens, and will say to the CFO, you need to spend money on that," he said.
Like many IT security firms, Dell SecureWorks is constantly surveying the changing threat landscape. Coburn said SMEs are increasingly being targeted, but many believe they are under the radar and not in the sights of cyber criminals.
"Malware is becoming more sophisticated. Aurora and Stuxnet are very sophisticated, all targeted at siphoning financial information," he said.
Dell SecureWorks trawls the internet and monitors hacker forums to work out the next threat to protect its 3,500 clients' security.
"We see on average about 50 security events per year per customer which we have to phone or alert someone to. That's an event every week. If you're not getting a call, are you any different from those organisations?" Coburn asked.
Ian Crofts, IT director at JBW Group, said revenge hacking is also a worry.
"It's easy to annoy someone enough to make them want to target you," Crofts said.
Lacey said organised crime and intelligence services are increasingly targeting smaller companies and looking for useful information about contracts: "There are a large number of targets and criminals are going broader and deeper."
Bover said most SME IT professionals understand the risks, but their struggle lies in convincing senior executives of the threat.
"They would give you a different answer about being small enough to be below the threat radar," he said.
Constant education and training around IT security is necessary to help reduce human error.
Vangeen said that, even after achieving PCI-DSS compliance, credit card details can still be exposed if someone writes them down on a piece of paper and throws it in the bin. Staff are trusted, but no company is inviolate.
"There's nothing the industry can do to solve the problem. Human error lets security down," he said. "Human error means that someone will always walk out of the building with an unencrypted laptop."
Bover said the only answer is to remove the opportunity for people to make mistakes: "We have no pens or papers in the call centre. Everything is written on whiteboards which are wiped clean."
Josko Grljevic, IS director at Thetrainline.com, said: "You can have the best technology in the world, then someone has a chat with the receptionist and gets everyone's details."
Coburn said awareness and education are essential parts of security.
"Most secure organisations spend time and money on staff. Until you start training awareness, you are not a secure organisation. Common sense only becomes common sense when you know the right thing to do. Organisations that do it well take the pragmatic approach and do it often without making it boring," he said.
Lacey said training is more important than security qualifications, which are often just a licence to operate.
"I believe in training and education, not qualifications," he said.
Coburn said security improvements can pay dividends, but warned against overdoing it.
"Don't try and implement controls of big City organisations," he said.
"Understand your environment. The challenge is if you have a lot of infrastructure, it is difficult to focus, but start small where you are worried about infrastructure protecting assets that might be targeted."
David Lacey is an information security expert with over 30 years' experience working as a chief information security officer for organisations such as Royal Mail, Shell and the Foreign & Commonwealth Office.
To combat some of the issues SMEs face, the Information Systems Security Association (ISSA-UK), where Lacey is director of research, is creating a new security standard for small businesses, called ISSA5173.
"SMEs are different from large organisations, not in security threats which are the same, but more in the way they operate. SMEs don't need paper and labour-intensive controls that big companies like. The new standard suggests looking at policies, procedure and education," Lacey said.
Lacey said the pressure on SMEs is to grow their business and security is often low on the to-do list.
"Small companies lack knowledge, motivation and money. Security is a grudge purchase and someone else's problem, but the vast majority of UK business is made up of SMEs. They are the soft underbelly of business," he said.
Lacey said SMEs will have to get to grips with security because compliance and data protection are high on the agenda of the government and big companies.
"Large businesses are increasingly demanding security and SMEs must get PCI-DSS compliance, for example," he said.
Meanwhile, the security landscape has changed out of all recognition with the impact of the internet and an increasingly mobile workforce, which has transformed the way people communicate.
"The future of security is complex. We are facing a data tsunami with a 60% growth in mobile data. The threats are more sophisticated, data breaches more damaging, users have left the buildings and the applications have followed," said Lacey.
There has been an increase in data legislation around the world because it is citizen-friendly and cheap, but reliance on standards and a herd mentality towards security are leading to a world of compliance and policies that does not necessarily improve security, said Lacey.
"Auditors judge against security standards that are outdated, and security is judged on the quality of paperwork and procedures," he said.
SMEs must avoid following the example of big corporations.
"Big-company thinking is about maximising the security budget, whereas SMEs are frugal, and must think about the customer," said Lacey.
"SMEs require fast cost-effective control measures and solutions that are easy to manage."
He suggested SMEs use risk management to support decisions, not shape them: "Focus on protecting data and standardisation and use independent advisers to manage your interests."
This was first published in November 2011