Security compliance challenges for SMEs

Security compliance is challenging enough for big organisations. Small and medium-sized enterprises (SME), however, faceexactly the same security threats with smaller budgets and without specialist resources. In many SMEs there is a significant gap in understanding of the scale of the cyber threat that organisations face. In audits and security reviews carried out by Construct IS on SMEs, it is very common to find that there are no recorded security incidents. This is typically because there are no dedicated resources available to provide clarity and focus on what needs to be monitored and managed.

The situation is exacerbated by a continually changing landscape, not the least of which is the increasing abundance of cloud services and unmanaged mobile devices. No organisation can be completely safe but SMEs can take some simple important steps to increase protection including, acquiring a better understanding of external threats to their network and web sites. Also, by ensuring they are secured against known vulnerabilities by undertaking penetration testing and regularly updating security patches.

Possibly the biggest threat to SMEs is the understandable need to get things done with a budget and timescales that preclude proper IT and Security governance. The pressure to get new IT services live as quickly as possible proves to be an often repeated, self-imposed, threat as the security holes do not necessarily get closed later. Focus just moves on to the next business-functionality-driven project.

SME Culture and Security Awareness

The key point that SMEs need to understand is that security is not solely an IT issue and this concept needs to be embraced across the organisation. Everyone in the organisatio needs a level of information security awareness from ensuring doors and filing cabinets are locked to not leaving laptops in taxis or having insecure passwords.  Most security incidents are not, in fact, technical in nature so you can't rely on technical controls alone.

Compliance issues

SMEs can easily become overwhelmed by the need to comply with an increasing number of regulatory standards around security. If they are not directly subject to regulation, then their larger customers probably will be. Financial institutions subject to FCA rule, for example, will routinely audit their key suppliers for security and business continuity compliance.  When your biggest customer demands that you are secure, what choice do you have. For those SMEs who accept credit card payments, PCI-DSS can be a particularly expensive headache.

Risks and Benefits of Mobility Devices

Use of personal smart phones and mobile devices provide huge benefit to organisations in increased workforce mobility and productivity.  The vast range of devices, with differing security capabilities, creates a potential security nightmare. Carefully considered, practical, policy and technical controls are vital. If you take security too far, you get none of the benefits of mobile devices and the users will find ways to bypass the security tools anyway.

Taking Responsibility for Security

A typical scenario for an SME is where the senior executive level only starts to take responsibility for information security after a significant security breach has happened. This reactive approach to the problem can be short lived and is often more expensive than taking a proactive approach to security management.

Sometimes the organisation’s leadership doesn't fully understand the issue. No matter what it costs, everyone needs to understand the full extent of the risks are so they can decide if the cost of mitigating them is justifiable. Information security management can be complex, you can't just bury your head in the sand.

The objectives should be:-
- Decide what information assets you have and why you need to protect it
- Follow a pragmatic approach and define the issues and answers plain English.
- Implement cost effective controls with business justification and treat information security management as a business enabler.
- Gradually spend less, rather than more, as your information security management system matures.