One of my January forecasts for 2011 was that the need to encourage small and medium enterprises to implement security would finally be tackled. Judging by the current amount of activity in this area, I might have actually got this one right.
Earlier in the year the ISSA-UK published ISSA 5173, the world’s first SME (SMB if you’re in the US) security standard. This was quickly followed by the launch of a more ambitious (though more expensive) scheme by the University of Worcester and the NCC.
More recently the US government have announced the launch of a free, online tool, called the “Small Biz Cyber Planner”, which is intended to enable business owners to create a customized cyber security plan.
Throughout the year we’ve also seen an increasing number of vendors, including Qualys, Dell and Sourcefire, launch security products and services aimed at the SME/SMB market. Some vendors have also published white papers on the subject.
I’ve also noted increasing numbers of executive round tables and conferences being held to address this issue. I’ve attended two Computer Weekly events in London and Amsterdam in the last month. There’s an event tomorrow at De Montfort University, Leicester.
This is just the start. We can expect to see a lot more advice, standards and products aimed at SME security over the next year, including initiatives on Business Continuity Management. I’ll even be bringing out a book on this subject next year.
But don’t expect everyone to get it right. Big companies and regulators prefer to wave big sticks to secure their supply chains. Standards bodies believe the answer lies with a rewrite of big company standards. Consultancies prefer to think the answer is an expensive risk management exercise.
The most practical answer is to start from first principles and identify the minimum set of guidance for a small company with a limited budget and no expertise. Hopefully, the market will lead the way with practical products and services.