Security for small businesses

One of my January forecasts for 2011 was that the need to encourage small and medium enterprises to implement security would finally be tackled. Judging by the current amount of activity in this area, I might have actually got this one right.

Earlier in the year the ISSA-UK published ISSA 5173, the world’s first SME (SMB if you’re in the US) security standard. This was quickly followed by the launch of a more ambitious (though more expensive) scheme by the University of Worcester and the NCC.

More recently the US government have announced the launch of a free, online tool, called the “Small Biz Cyber Planner”, which is intended to enable business owners to create a customized cyber security plan.

Throughout the year we’ve also seen an increasing number of vendors, including Qualys, Dell and Sourcefire, launch security products and services aimed at the SME/SMB market. Some vendors have also published white papers on the subject.

I’ve also noted increasing numbers of executive round tables and conferences being held to address this issue. I’ve attended two Computer Weekly events in London and Amsterdam in the last month. There’s an event tomorrow at De Montfort University, Leicester.

This is just the start. We can expect to see a lot more advice, standards and products aimed at SME security over the next year, including initiatives on Business Continuity Management. I’ll even be bringing out a book on this subject next year.

But don’t expect everyone to get it right. Big companies and regulators prefer to wave big sticks to secure their supply chains. Standards bodies believe the answer lies with a rewrite of big company standards. Consultancies prefer to think the answer is an expensive risk management exercise.

The most practical answer is to start from first principles and identify the minimum set of guidance for a small company with a limited budget and no expertise. Hopefully, the market will lead the way with practical products and services. 

1 comment

Good to see ISSA 5173 gearing governance requirements to the nature and resources of small business. You wouldn't hold a teenager accountable to the standards of an adult, would you? (OK, a great fantasy, but it doesn't work in the real world, as all parents know. Same with small businesses.) Your comment is right on: "Hopefully, the market will lead the way with practical products and services." My area of expertise is with just such a practical solution, one which I've helped hundreds of small businesses implement: employee computer monitoring and insider data protection, especially for laptops disconnected from the network. I find it's usually after the horse has left the barn that small businesses get serious about finding a solution to lock the doors. You said it well: "Most small companies therefore regard security as a 'grudge purchase'." (Quote came from your on-the-money article.) Glad I came across your blog, David. You know your stuff. I'll be following.