The Information Systems Security Association (ISSA) in the UK has published a proposed new security standard for...
SMEs in response to its 2010 research report on SME security for the UK Information Commissioner's Office.
ISSA is the largest not-for-profit, international organisation for information security professionals and practitioners.
The proposed standard aims to consolidate the most up-to-date best practice information to make it easier and faster for SME owners to find and apply it.
The new draft standard (ISSA 5173) is based on a year's work by 30 ISSA members who looked at security best practice for companies with 250 or fewer employees.
"The draft standard is an important breakthrough in securing our critical infrastructure and supply chains," said David Lacey, director of research at ISSA UK.
In a blog post, Lacey said the standard was a much more compelling, relevant and simpler guide to security for small organisations than existing standards such as ISO 27001.
According to the BSI's Small and Medium Enterprise Statistics, SMEs account for 99.9% of all businesses in the UK and 49% of total business turnover, yet often treat esecurity as a "grudge purchase" or do not realise the need for compliance with key legislation.
This reflects different attitudes between large corporate and small businesses, said the ISSA, with large organisations tending to have a long-term focus, driven by corporate policy and compliance, while most SMEs focus on frugal spending, cashflow and the need to win new business.
The ISSA highlights that legislation such as the Data Protection Act applies as much to SMEs as it does to large corporations in the UK.
Similarly, any company that accepts payments by credit card also needs to think about PCI-DSS compliance.
The need for SME action, said the ISSA, was illustrated in the 2010 Information Security Breaches Survey.
The survey showed that while 35% of small businesses surveyed had suffered a malicious attack in 2008, the figure rose to 74% in 2010.
Similarly, the average number and cost of a security breach in a small organisation rose from an average of six incidents, with the worst costing an of average £20,000 in 2008, to 11 incidents in 2010, with the worst costing £55,000 on average.
The new standard for SMEs is available for download and review. The ISSA plans to publish a report on feedback from stakeholders in coming months.