Security Think Tank: SME security questions to consider

How can SMEs afford security that is good enough?

It is easy for small and medium enterprises (SMEs) to consider themselves below the radar when it comes to cyber security. Unfortunately SMEs have no immunity against automated tools scanning the internet for vulnerable systems or fraudulent behaviour by trusted members of staff.

SMEs also often find themselves supplying goods or services to larger, higher-profile organisations; attackers may see an SME supplier as a weak link in the larger organisation's security environment.

In practice, SMEs are resource-constrained and they cannot usually afford dedicated security staff, never mind the technology such staff deploy. So, what can SMEs do to effectively manage the risks they face, while enabling the business to enjoy growth free of the shackles of overly constraining security controls?

First, SMEs need to assign the task of looking after their security to a named individual and give them a suitable incentive – and sufficient authority – to succeed. 

Second, SMEs need to understand which of their information assets – data and/or systems – are critical to their business. There is then a need to consider what risks are most threatening to the SME: Is it loss or leakage of customer data? Lack of availability or integrity of data or systems? 

Answers to these questions can drive appropriate investment in the areas that matter – rather than the areas the suppliers tell SMEs matter!

Where and how you hold data

On a practical level, consider how much data you hold and how dispersed that data is across your business. Can you hold that data more centrally (and back it up), so you can concentrate your efforts and investment there? This is particularly relevant when talking about customer data.

You can also lower your risks by collecting the least amount of data necessary to fulfil customer obligations. This has the added benefit of bringing you in line with one of the principles of data protection and making compliance with payment card industry standards more straightforward to achieve. 

The security benefits of cloud

Consider the use of cloud services. Running in a cloud 24/7 may not be any cheaper than running on-premises, but if you do not have security expertise locally, a suitably assured cloud alternative is likely to be more secure (particularly if using software as a service). If you are not convinced, reconsider this question after the next Patch Tuesday, when cloud consumers can relax while you are busily patching your servers.

Cloud also offers an extremely cost-effective mechanism for hosting your backups and archives – there really is no excuse for risking your business through the lack of an off-site copy of your data.

Free government advice

The government has released some very helpful guidance aimed at all UK businesses but particularly relevant to SMEs, in the form of the 10 Steps to Cyber Security document and the associated Cyber Essentials certification scheme.

The latter provides the five basic areas of security all organisations should address, to significantly reduce their overall risk. This includes educating your staff, who can be your greatest strength or your greatest weakness: Encourage good security behaviour and you can avoid many security pitfalls. 

Remember, buying technology is not always the only (or right) approach.

Lee Newcombe is a member of (ISC)2 and a senior manager, information protection and business resilience at KPMG. 
