Tackling the IT security and compliance challenges for SMEs

SME IT leaders discussed the cyber threat landscape and its impact on small and medium-sized businesses at a Computer Weekly roundtable

IT security and compliance is a challenge even for big organisations, but small and medium-sized enterprises (SMEs) face the same security threats with smaller budgets and fewer resources.

SME IT leaders met at a recent roundtable debate hosted by Computer Weekly, in association with Dell SecureWorks, to discuss the cyber threat landscape and the challenges they face around regulatory compliance, social networking, mobile devices, educating users and how to apply best practice.

Roundtable attendees included:

  • Don Smith, vice-president of engineering and technology at Dell SecureWorks
  • Gabe Chomic, IT security manager at Action for Blind People
  • Marcus East, CIO at Comic Relief
  • Richard Swann, head of IT at the Institute of Directors
  • Mike Jackson, head of ICT at accountant Frank Hirth
  • Stuart Ritchie-Fagg, information security analyst at Hermes Fund Managers
  • Katherine Coombs, IT director for Buying Team
  • Robert Bond, partner and chairman of the information security committee at law firm Speechly Bircham
  • Keith Searing, systems manager at the Registry Trust
  • Donald Bremner, IT director at Ecofin
  • Ray Titcombe, IT manager at the National Foundation for Educational Research
  • Stuart Grinnall, IT manager at Big Yellow Group
  • Alan Coburn, director of security and risk consulting at Dell SecureWorks

Cyber threats at SMEs

Don Smith, vice-president of engineering and technology at Dell SecureWorks, said there is a real gap in understanding of the scale of the cyber threat that organisations face. "On average we see two positive security incidents per week per customer. SMEs are exposed because they commonly have no full-time security staff and can't track the security landscape," he said.

The challenges are exacerbated by a changing landscape, with the advance of cloud computing, software-as-a-service, unmanaged devices and increasing mobility, said Smith. No-one can be completely safe, he said, but SMEs can improve their protection by gaining a clear understanding of their external web presence, confirming it is secure through penetration testing, and minimising their exposure by, for example, applying security patches promptly and regularly.

One of the biggest threats to SMEs can be the understandable need to get things done at the cost of proper IT administration and governance, said Gabe Chomic, IT security manager at Action for Blind People.

"The pressure to get a new service running can prove a huge threat as the holes do not necessarily get closed later," he said.

Marcus East, CIO at Comic Relief, suggested talking to similar organisations to help tackle the cyber threat. "Don't religiously accept what vendors tell you. Talk to each other," he said.

SME culture and user education

Richard Swann, head of IT at the Institute of Directors, said information security is not solely an IT issue, and that needs to be emphasised across the organisation. "Everyone in the business needs to be aware of information security - not leaving their laptops on trains or having insecure passwords," he said.

But Mike Jackson, head of ICT at accountant Frank Hirth, said the role of IT leaders is still vital. "Don't underestimate the power of our role in getting users to stop and think. Their vigilance is very important. It's not just educating them; it's also communication. Common sense is very important."

Chomic agreed that culture and communication are key. "In most circumstances, you can't rely on technical control," he said.

Stuart Ritchie-Fagg, information security analyst at Hermes Fund Managers, said employees are central to effective IT security. "People are the main point. The focus is too much on technical security; you have to put the emphasis on awareness," he said.

Compliance issues

SMEs are often overwhelmed by the sheer volume of security-related regulatory requirements, with PCI-DSS (the payment card industry data security standard) seen as a particularly expensive headache for many.

"PCI-DSS is a pain. It can be a six-month project costing tens of thousands of pounds. Who knows what it means for smaller organisations, but if you are not compliant it can mean another 4p on each card transaction," said Swann.

SMEs can also face difficulties in understanding what they must comply with, said Katherine Coombs, IT director for Buying Team. "There is the Data Protection Act, but what else should I be compliant with? You can't always trust one source as changes come out," she said.

Chomic said there are challenges in staying up to date with the regulatory environment, which vary from business to business. "There will be different concerns, but ask key questions such as: What is your business? What do you worry about? What have you got to be compliant with?" he said.

But Robert Bond, partner and chairman of the information security committee at law firm Speechly Bircham, pointed out that compliance is often non-negotiable: "When your largest customer says 'jump', you jump," he said.

Chomic said he is seeing situations where standards are being pushed down the supply chain to smaller suppliers who have little ability to push back, but recognition of this issue is growing. The fact that there is no single place to go for guidance has been recognised, but with many organisations vying to be that one place, "at best it's counter-productive", he said.

Keith Searing, systems manager at the Registry Trust, highlighted that even if an organisation thinks it has met its compliance obligations, things can go wrong. "For example, there was a report that said all due processes were complied with in the 'Baby P' case. This shows it is the spirit of what you are trying to achieve that is important. You need to get hearts and minds involved," he said.

Mobility and consumerisation of IT

Donald Bremner, IT director at Ecofin, said a pragmatic approach is the best way to deal with mobile security. "BlackBerrys are the most commonly used devices, but now we have iPhones, which I don't think are as secure, but we have to let people use them," he said.

Chomic said it is possible that if you take security too far, you get none of the benefits of the mobile platform and the users will get around the security tools anyway. "It is a very difficult balancing act to get right when the technology is something the users love," he said.

Ray Titcombe, IT manager at the National Foundation for Educational Research, said: "We are all facing similar problems - increasing mobility and mobile devices and the pluses and minuses of social networking."

Stuart Grinnall, IT manager at Big Yellow Group, called for more best practice around mobile security. "There are new devices coming out all the time; you can't standardise anywhere, so how can you implement a secure system without saying no to every request?" he said.

SMEs taking responsibility

All too often, senior executives only take responsibility after a security breach has happened, said Alan Coburn, director of security and risk consulting at Dell SecureWorks.

"They react to a problem, but the push-down can be expensive and difficult to adhere to," he said.

Comic Relief's East said the business case for security needs detailed consideration. "For example, with the amount of money we take, we must invest in PCI compliance. But the question is, who do you turn to? You need a level of stability with suppliers and skills within the organisation," he said.

East said a security breach will have "a double whammy" if action is not taken, because of the negative effect on corporate reputation.

"Sometimes top leadership doesn't understand the issue. Whatever it costs, everyone needs to understand what the security risks are so they can decide if the cost is necessary and what the implications are if they don't take action. Just because information security is complex, you can't bury your head in the sand," he said.

Dell's Smith said that, in deciding what security products to put in place, organisations need to decide what data they have, where it is and why they need to protect it.

"If you know the answers to these questions about your data assets you can have a good conversation with your providers," he said, adding that it had been shown that, as the maturity of an organisation grows, they spend less, not more, because they spend more effectively.

"If you follow a pragmatic approach, you get an answer in plain English and you have a language you can use with senior stakeholders in the organisation," said Smith.

East said CIOs must take responsibility for leadership. "You can't expect non-experts to lead because they do not understand the issues. This is a good example of where technologists have to step up to the plate," he said.

However, Bremner said business leaders should have legal responsibility for information security. "Ten years ago, IT was responsible for disaster recovery. Now the Financial Services Authority has moved that responsibility on to the chief financial officer (CFO) so it is a business issue. I think the CFO should take responsibility for information security," he said.

"Research on business has shown that where CIOs can help with security, IT security can become a business enabler," Chomic said.

ISSA UK: Helping SMEs with information security

Gabe Chomic, IT security manager at Action for Blind People and director of partner development at ISSA (Information Systems Security Association) UK, said too few SMEs were thinking about security.

Analysis undertaken for the information commissioner in 2010 revealed that very few SMEs think about IT security at all, especially in "micro businesses" with fewer than 10 staff.

"Many regard it as inordinately complex and believe it is easier to get on with the everyday business than think about security," said Chomic.

The findings are disturbing, considering that SMEs comprise a significant proportion of the UK economy.

"SMEs have resource constraints, but that does not mean the security challenges go away. The report highlighted the soft underbelly of the UK economy," said Chomic.

"SMEs are not sure what regulations they need to comply with, while they are faced with too many compliance requests," he said.

Increasing mobility is another factor and a substantial issue for large or small enterprises.

SMEs also have the challenge of facing too many suppliers selling security and telling them what to do to comply with regulations such as PCI-DSS or the Data Protection Act, said Chomic.

"Unless you are a lawyer or a security practitioner, how do you figure it out?" he asked.

ISSA UK is attempting to resolve the complexity by raising awareness of information security.

"ISSA is trying to point out to organisations, even micro-sized ones, that it is not necessarily a technical issue, and encouraging them to spend a few minutes thinking about the major risks," said Chomic.

The security group is promoting an information security standard (ISSA-UK 5173) that SMEs should consider adopting. One of its key principles is that even the smallest organisations should put basic security measures in place.

"Even if you are a micro enterprise, you need to patch your computers and ensure everyone in the organisation thinks about it," said Chomic.

As an SME grows, it needs a more formal approach. "An organisation of 250 people should have a written security policy. ISSA is attempting to lead organisations towards being prepared and ready for information security as they grow," said Chomic.

He said there is also a focus on encouraging SMEs to think about how they can minimise risks early, so that those risks do not grow into a liability so large that the business no longer wants to think about it at all.
