Security Think Tank: Making SME information security affordable

How can SMEs afford security that is good enough?

The old adage that security is expensive pales beside the rising cost of data breaches. According to The Global State of Information Security Survey 2015, the average reported annual financial loss attributed to cyber security incidents was $2.7m globally, an increase of 34% on 2013.

With these rising costs in mind, information security is a business imperative whatever the size of the enterprise. A risk-based approach to information security can help drive investment decisions and keep costs down for small and medium-sized enterprises (SMEs).

The first step is to understand what is important to the business, including its industry niche, commercial strategy and what it delivers to clients. This understanding helps to identify the processes, systems and information that are critical to business success, as well as risks to those assets.

Building on this understanding, the Information Security Forum (ISF) suggests a number of initial steps:

• Inventory and classify business-critical information to help prioritise information security activities and investment.

• Identify and assess threats and vulnerabilities to business goals, then agree risk-treatment options.

• Implement baseline security controls, such as those covered in the ISF Standard of Good Practice for Information Security, the Cyber Essentials scheme, the SANS Institute top 20, the Australian Defence Signals Directorate top 35, the UK government's 10 steps to cyber security, and so on.

• Establish and/or adopt bring-your-own-device (BYOD) best practices to secure information in the user environment.

• Evaluate cloud services for handling non-critical information.

• Cultivate a security culture based on changing behaviour rather than merely raising awareness.

Security matters not only to SMEs themselves, but also throughout the supply chains of the larger organisations that contract with them.

Failing to invest in the basics leaves SMEs and their partners vulnerable to attackers and less able to detect incidents when they occur. Security is important, and investing in it need not break the bank.

Victoria Melvin is a senior research analyst with the ISF.
