Helping small and medium-sized enterprises (SMEs) to secure their information is one of my passions. I’ve spent a good deal of my time over the last two years researching and presenting on this topic.
Computer Weekly recently hosted two executive roundtable dinner debates, in association with Dell SecureWorks, to discuss these challenges with IT directors from SMEs.
I was fortunate to be invited to the two recent events in London and Amsterdam. What struck me most of all was the level of sophistication and understanding of those attending. Information security is no longer the private territory of large organisations. Today everyone needs it, though there are huge differences in the size of the pockets and the resources available to address the problem.
Of course, when it comes to data breaches it’s the big companies that grab the headlines. That’s not surprising, as the business damage from a large breach can run into many millions. If you’re big enough, however, you can ride it out. Some companies, like US retailer TJ Maxx, can even come out ahead, aided by smart crisis management and increased attention to customer relations.
For small companies it’s a different story. A single breach and you could be out of business, and few people will notice or care. Yet we all need to care about small companies, because they are the engine of the UK economy. Small firms represent 99% of all enterprises and employ the vast majority of the workforce. They are the “soft underbelly” of big business and of critical national infrastructure.
Many SMEs are highly vulnerable to professional attacks because they lack the knowledge, motivation and money needed to secure their systems to the standards used by their larger counterparts. And the threat is coming their way. For some, it has already arrived. According to Symantec, 40% of targeted attacks are now directed at companies with fewer than 500 employees.
Unfortunately, security hasn’t traditionally been high on the SME agenda – especially not in an economic climate where going bust can be just a hair’s breadth away. Most small companies therefore regard security as a “grudge purchase”. Many see it as someone else’s problem, something outside their day-to-day experience.
That view needs to change, because the business landscape is shifting. Big buyers are tightening up the security of their supply chains. Regulators such as the Financial Services Authority already require that third-party contracts include security conditions. The law is getting stricter about security, and data protection expectations are becoming tougher. And every small business that processes credit and debit cards is now required to comply with the Payment Card Industry Data Security Standard (PCI-DSS), or face fines and the loss of its ability to take card payments.
It’s natural that big organisations will seek to enforce their own security standards on their smaller suppliers. But that approach is misguided, because securing a small company is not the same as safeguarding a big enterprise. The difference is not so much in the security threats faced, which are generally the same and usually more damaging to the smaller firm, but in the way the two kinds of enterprise think and operate.
Big company security relies on policy, committees, security managers and audits. These are things that don’t work, or don’t even exist, in small companies. Small company thinking is more frugal and immediate, focused on customers, cashflow and the need to win business. SMEs prefer a 20% solution that fixes 80% of the problems, based on practical countermeasures that do not demand specialist knowledge or skills.
Fortunately two things are emerging to provide a sensible way forward for SME security. The first is a gradual recognition by institutes and authorities that SMEs need a different security standard from big organisations. An example of this is the “5173” security standard recently published by the UK Chapter of ISSA (Information Systems Security Association) - the number was chosen because it’s closest in appearance to the letters “SME”.
Second, there is the emergence of managed security services that are cheaper and easier to use. Cloud-based services, for example, can deliver professional, scalable services at affordable prices. For IT services there can be compliance risks arising from uncertainty about where the data is held. But for security services there is an advantage in having access to providers that can respond quickly to changes and draw on a broader knowledge base of threats, events and responses.
Many big companies don’t trust the cloud for IT services because they can’t get the legal assurances they need for their regulators. They’re more concerned about the contract than the service. In contrast, small companies are more inclined to place their trust in a reliable brand name that is likely to operate to a security standard higher than their own.
Whether or not you elect to outsource your IT applications and services, the use of affordable, online, managed security services is a major benefit to a small or medium sized enterprise, both in cost savings and assurance. Affordable solutions are available now from leading vendors.
Managed security services are also a step in the right direction for SMEs that need to meet PCI-DSS, or that are compelled by their customers to comply with the more demanding ISO 27001 standard.
How can the professional security community help SMEs? The answer is simple. First, we should aim to reduce the red tape surrounding compliance for small companies. Good security is more likely to be achieved through the managing director walking around than through a portfolio of paper policies. And second, we should press security vendors to develop cheaper, easier-to-use solutions.
David Lacey is research director of ISSA UK, and a former chief information security officer at Royal Mail and Royal Dutch Shell. Read more of his views at David Lacey’s security blog.
This was first published in November 2011