Security Think Tank: SMEs should put information and people at heart of security strategy

How can SMEs afford security that is good enough?

With limited budgets and resources available, SMEs need to ensure their security strategies are proportionate, pragmatic and cost-effective, as well as fully supporting the organisation's strategic business objectives. 

Many businesses feel their information security strategy does not meet their organisational needs, but having a good framework to start with will help the business as a whole, and will also support cost-effective use and procurement of technology and other security requirements.

It is vital that top management are not only aware of what is needed but are a force for good in security. Make a member of the board accountable for information risk management and security matters, and drive a security-aware culture from the top, ensuring that information is valued and protected by all members of staff.

Invest time and effort in making every member of staff a security champion. It is a false economy not to use every means at your disposal to protect organisational assets, and staff are actually the biggest threat when it comes to information assets. But they can also be your best ally in rolling out really effective policy that people actually use and understand. If they know they are protecting their organisation and its brand, they will want to be a part of it.

Confidentiality, integrity and availability

Identify information assets, and objectively assess their importance and the criticality of the components of confidentiality, integrity and availability (CIA).

Make information assets brand assets. Put the brand assets at the heart of behaviour and culture, and put the information at the heart of the security strategy.

Risk-based approach

Adopt consistent, repeatable and realistic risk assessment processes, fed by intelligence-driven threat assessments. The risk and threat landscape evolves constantly. Effective risk mitigation can only come from regular threat and risk assessment.

Define and fully understand the organisation's approach to risk appetite and risk tolerance, so that risks can be managed effectively and cost-effectively. It is about risk management, not risk avoidance; it is about doing "just enough". This approach can be uncomfortable, especially for those used to a red/amber/green (RAG) indicator, because we are subconsciously driven to make every risk green.

Select a range of policy, process, people, physical and technical controls, used in combination, to provide the most effective levels of risk treatment: the most severe risks to the most sensitive information assets get the most protection (abandon the "one size fits all" approach), so that risks can be managed and residual risk identified and owned by the organisation's management.

Regularly review and revise security strategies to ensure emerging threats are identified, risk assessed and treatment options remain appropriate and proportionate. Free resources are available to get regular alerts that will help with this.
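A worked illustration of the CIA-weighted, tolerance-driven triage described above: assets are rated for how critical confidentiality, integrity and availability are, each risk is scored against that rating, and only risks above the stated tolerance are treated while the rest are recorded as owned residual risk. This is an added example, not from the original article; the asset ratings, the 1..3 / 1..5 scales and the tolerance value are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    cia: dict  # constructed scale: criticality of C, I and A, each 1..3

@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: dict     # impact on C, I and A if the threat materialises, each 1..5

    def score(self) -> int:
        # Weight each component's impact by how critical that component is for
        # this asset and keep the worst case, then scale by likelihood (1..75).
        worst = max(self.impact[k] * self.asset.cia[k] for k in ("C", "I", "A"))
        return self.likelihood * worst

def rag(score: int, tolerance: int) -> str:
    """Red/amber/green label for reporting only; it does not drive treatment."""
    if score > tolerance:
        return "red"
    return "amber" if score > tolerance // 2 else "green"

def triage(risks, tolerance):
    """Rank risks and split them into those above the tolerance (treat) and
    residual risks accepted within it; amber is not chased down to green."""
    ranked = sorted(risks, key=Risk.score, reverse=True)
    return ([r for r in ranked if r.score() > tolerance],
            [r for r in ranked if r.score() <= tolerance])

def sample_register():
    # Constructed SME register: three assets, four risks.
    customer_db = Asset("customer database", {"C": 3, "I": 2, "A": 2})
    website = Asset("public website", {"C": 1, "I": 3, "A": 3})
    brochures = Asset("marketing brochures", {"C": 1, "I": 1, "A": 1})
    return [
        Risk(customer_db, "credential theft via phishing", 4, {"C": 5, "I": 3, "A": 2}),
        Risk(website, "defacement via unpatched CMS", 3, {"C": 1, "I": 4, "A": 3}),
        Risk(website, "hosting provider outage", 2, {"C": 1, "I": 1, "A": 4}),
        Risk(brochures, "lost laptop", 3, {"C": 2, "I": 1, "A": 2}),
    ]

if __name__ == "__main__":
    TOLERANCE = 30  # assumed appetite: scores above this must be treated
    treat, accept = triage(sample_register(), TOLERANCE)
    for r in treat + accept:
        print(f"{'treat' if r in treat else 'accept'}: {r.asset.name} / {r.threat} = {r.score()} ({rag(r.score(), TOLERANCE)})")
```

The hosting outage scores amber (24) yet stays in the accepted list, which is the "just enough" outcome the text describes: management owns it as residual risk rather than spending to turn it green.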

Security as a business process

Introduce robust, but not overly bureaucratic or onerous change and configuration management processes, that encapsulate changes to working practices and not just changes to information, communication and technology (ICT) components.

IT health checks

Invest in regular IT health checks (often referred to as penetration testing), but make sure this testing is appropriately targeted according to the risks (another reason for having a well-developed risk-based approach) – so test web-enabled services with dynamic and attractive back-end content more frequently.

Inform yourself and your staff about security threats and mitigations. Use open-source information sources on security matters to keep yourself and your staff informed. This is available online, as well as at the free-to-attend educational seminars that are often hosted at security events.

In time, we can hope that security will be included in many business events, which will make it easier for business leaders to get information and guidance on security in the correct context, as a pan-business service.

When it comes to staff, educate and encourage all colleagues to communicate with each other. Do not assume that, because you know of a new issue – for example a new phishing scam – all your colleagues do too. It might even have missed the attention of your security manager, so encourage people to talk – even create a forum, maybe a space on an intranet for people to register security issues they have heard about, read about or experienced.

Duplication is better than omission. Never forget temporary staff or contractors either. They are frequently left out of training, but are just as vulnerable to mistakes (or coercion) as any regular staff member.

Independent advice

Get your technology advice from someone who is not selling it to you. Take independent advice prior to investing in any new technologies. If your budget is limited, you need to ensure every penny can demonstrate a return on investment (ROI).

This is something UK businesses are not generally good at. A recent BT survey indicated the UK lags behind many other countries, including the US, when it comes to ROI for security spend. Of course, it is not always obvious where the return comes from, but investing in technology is expensive – so make sure you know precisely what you actually need.

Security strategy and policy frameworks

Consider becoming part of schemes such as the government’s Cyber Essentials Scheme and IASME. Longer-term, adopt the principles of standards such as ISO27001. This can be much less laborious and onerous than many people believe, and can deliver far more benefits than you may realise. For instance, there has been a dramatic uplift in the number of organisations demanding compliance or certification to information security standards, so there is a clear commercial benefit to using standards and certifications as well as tightening up the security posture of the whole organisation.

A small investment in independent external audits and health checks can identify potential issues before they become security incidents, providing significant assurance as well as a valuable mechanism to drive continuous improvement.

Prepare for the worst

SMEs often think they are not targets, which actually makes them a convenient initial way in for an attacker. They do not realise that they frequently hold significant information that may be valuable or sensitive, or that provides a way in to a larger supply-chain partner.

The best approach is to assume that, if you have information assets, you will be a target – and so will your supply chain. You have accountability for your data and partners will probably hold you accountable for their connections and data too, if you share information or systems.

These are some practical things you can do to ensure that any budget allocated to security is well spent and clearly accounted for. A business's biggest asset and vulnerability is its people, so never underestimate or under-budget on training and awareness. They can be your best defence or your worst nightmare.

Put information at the heart of your strategy – treat it as a brand asset (which it is) and encourage all of your people to protect it.

Mike Gillespie is director of cyber research and security at The Security Institute.