Security for Small/Medium Sized Organisations

Earlier this year I conducted research, on behalf of the Information Commissioner’s Office, into the security requirements of small/medium sized enterprises, working with Barry James, a developer of security solutions for the SME sector. The ICO has now published the research report Review of Availability of Advice on Security for Small/Medium Sized Organisations.

The reality is that few SMEs implement information security. Yet many of them handle sensitive information. Persuading them to improve their security is a major challenge, but it needs to be tackled. The solution demands a fresh approach to SME security, including more appropriate advice, standards and incentives. The research report makes a number of recommendations, which are now being pursued by a working group of ISSA-UK, as well as by a number of government agencies.

David, most of the SMEs I talk to are implementing some form of information security (that's usually why they are talking to me). However, of the SMEs who are not seriously implementing security, the reasons given are that they simply do not understand what should be done. Another problem is that the terminology of many sources of security information may be unfamiliar to the average person. Many managers will immediately lose interest if you start discussing an Information Security Management System. It apparently sounds difficult, complex and expensive, making it beyond the reach of most SMEs with limited resources. I think a different, simpler approach is needed, as the current BS and ISO security standards are largely unsuitable for SMEs.
David, I heartily agree with both you and Andy and see the same thing myself. The usual reasons for there being no real appetite for implementing information security come down to unfamiliarity with the subject and the cost of implementing the one thing they do recognise - the ISO standards. Cost also features when an SME calls in a consultant, especially when the SME has no idea what needs doing or how to do it, and the consultant is looking to offer value for money without being able to get a clear idea of scope from the client. The main problem is one of scale: an ISMS is a large and unwieldy beast that can be difficult to keep under control without a significant investment of time and effort. The answer to the issue of scalability must therefore be incremental and layered, explained in simple language, and able to be implemented without degradation of the primary purpose of security: a proportionate response to relevant threats, aligned with business goals. Of course, the obvious value you get from the likes of 27001 is an independent verification of your implementation, so the solution needs the same sort of scrutiny if it is to have true value.