ISSA standard aims to improve small business IT security

ISSA is crafting a small-business standard to improve information security, but one group questions whether a single standard for all small companies makes sense.

The UK branch of the Information Systems Security Association (ISSA) is planning a new standard to help smaller companies improve information security.

The new standard, currently codenamed ISSA-5173, aims to provide security guidance to companies with fewer than 250 employees, which account for 99% of the British workforce, and which rarely have the resources to tackle security in a serious way.

The effort is led by David Lacey, ISSA UK’s director of research, who was one of the principal authors of what has now become the ISO 27001 information security standard.

Lacey said he was originally appointed last year by the Information Commissioner’s Office (ICO) to look at what information was available to help SMEs look after personal data.

“We found that the information is not very good; it is fragmented and it is in the wrong places,” Lacey said. “ICO is worried about the level of information for SMEs. Even Get Safe Online is not really suitable -- it talks in terms of plans and documents, which is not helpful.”

He added that available information for small businesses is scattered around different websites, and none of it covers areas important to small business IT security, such as the Payment Card Industry’s Data Security Standard (PCI DSS), which applies to any companies handling payment card information, including small ones.

“A lot of the advice is not suitable,” Lacey said. “It’ll tell you how to pick a good password, but it doesn’t tell you how to manage a couple of hundred different passwords.

“We need to build a new standard from a blank sheet of paper, around what SMEs could be persuaded to do,” Lacey said. “At the moment, they see security as a grudge purchase. They think it’s someone else’s problem.”

Some believe the best approach is to create a cut down version of ISO 27001 for small businesses, but Lacey said those efforts are misguided, and would be viewed merely as “pages of treacle and waffle” to most hard-pressed managers of small businesses.

“Most advice is aimed at big companies that have committees and auditors,” Lacey said, “but the small companies don’t have time for security strategies and management systems. They are too busy chasing the money in order to stay in business.”

The aim of ISSA-5173 will be to provide a tiered approach, starting with a basic set of actions that any company should take to protect its data. Ideally, this should be something a company can do without any additional IT costs. “We don’t want to put people off with expensive certification and consultancy,” Lacey said. “The worst thing would be to present them with more costs.”

The standard will then provide for companies to build their security as they grow, adding a few simple rules and then putting in a simple management system appropriate to their business.

Working on the principle that some security is better than none, the aim of the standard would be to make it easier for small businesses to avoid the most basic mistakes, and avoid causing further damage to other organisations they deal with. “It’s very important, because SMEs are currently the soft underbelly of the economy,” Lacey said.

The draft ISSA-5173 standard is available to download, and ISSA says it hopes to incorporate any feedback into a final version by the summer.

According to Lacey, the development of the standard is just the first stage, and improved outreach to make sure the message gets home to businesses will need to follow. In addition, the ISSA intends to look at building incentives to encourage better security, which could include lower insurance premiums for businesses with a security plan, or advice channelled through financial advisers and bank managers.

“Our goal is to produce better and more compelling guidance that resonates with SMEs. So we’re looking at the incentives, and the psychology and how to reach them,” Lacey said.

“We need to work with organisations such as the Federation of Small Businesses and the BusinessLink network, which are where small businesses would normally go for help,” he added.

In a statement, the FSB welcomed the ISSA standard as “a positive initiative, given that it's specifically tailored to SMEs and will sit alongside other standards such as 27001/2 and 9001.”

But it warned that businesses with 10 employees or fewer have different needs from those with up to 250 employees. “Any standard really depends upon each business applying it in an appropriate way to its type of business. A micro business may only need to take very basic steps to ensure good IT security,” it said.

The statement added that the FSB has already collaborated with the Fraud Advisory Panel, the National Fraud Authority and the National Identity Fraud Prevention Week campaign on straightforward guidance for small businesses on protecting their IT systems. “We have made this available via links on our website and via our publications, in addition to signposting members to the information available at Get Safe Online.”
