Last week at our chapter meeting, ISSA UK published a new standard specifically designed for Small and Medium Enterprises (SMEs): ISSA 5173. It is the result of a workgroup of 30 information security professionals in the ISSA.
A year ago, at the March 2010 ISSA AGM and chapter meeting, David Lacey, Director of Research at ISSA UK, presented the case for action on information security in the SME community. This resonated with many members of the audience, and as a result a workgroup was set up, composed of vendors, consultants, directors, researchers and chief security officers.
SMEs (typically defined as having 250 employees or fewer) make up 99.9% of UK businesses, according to BIS’s Small and Medium Enterprise Statistics published in October 2010, and account for 49% of UK turnover. Too often, information security in an SME is regarded as a “grudge purchase” or as “someone else’s problem”. In the UK, the definition of a small or medium-sized business for accounting purposes is set out in the Companies Act 2006. A small company has “a turnover of not more than £6.5 million, a balance sheet total of not more than £3.26 million and not more than 50 employees.” A medium-sized company has “a turnover of not more than £25.9 million, a balance sheet total of not more than £12.9 million”. Companies of this size clearly hold intellectual property of considerable worth, and there is a clear need for them to take action: not just for the sake of compliance, but to safeguard their own assets. Information in the 21st century has considerable value, and its loss, as recent events have shown, can do serious damage to a reputation. For a small business, it may well mean going out of business.
Part of the problem has been a general lack of innovation in the industry in recent times. In creating this draft standard, the ISSA looked at existing standards, but the consensus was that a fresh approach was needed to deal with information security for SMEs. The situation for SMEs is clearly not getting any better: in fact, it is getting worse. According to the Information Security Breaches Survey (ISBS), which PwC publishes every two years, 35% of the small businesses surveyed had suffered a malicious attack in 2008; by 2010 this had risen to 74%. Similarly, the number and cost of security breaches in small organisations rose from an average of 6 incidents in 2008, with the worst one costing an average of £20,000, to 11 incidents in 2010, with the worst one costing an average of £55,000.
The way that security has been pitched to SMEs in the past has been completely wrong, because it fails to recognise the differences both in what drives a small business and in how it operates. Large corporates have huge resources at their disposal in terms of time, staff and expertise, both in IT and in law. Their boards are driven by compliance because they are aware of the relevant legislation and of the need to comply with it. SMEs, by contrast, unless they operate within our own industry, are unlikely to be aware of the key legislation or to have the IT expertise needed to act on it. Drowning a small business in mountains of paperwork and a complex risk assessment is inappropriate for all but the largest SMEs. Nor does the drumbeat of “regulatory compliance” as a sales pitch resonate with the small business owner. The irony, of course, is that compliance with key legislation is not optional: the Data Protection Act applies to all businesses, large and small, and any company accepting payment by credit card needs to review its PCI DSS compliance.
Even if the SME owner is inclined to do something about information security, where do they go for up-to-date guidance? There is certainly a great deal of information available online, but it is spread across numerous websites; it is aimed primarily at large corporates or government bodies, where heavyweight processes and large amounts of paperwork are the norm; and it is frequently out of date, not by months but in some cases by a whole decade, and so fails to address current threats and security issues. For example, which is more relevant to the security landscape of 2011: dial-back modem access controls, or the security considerations of cloud computing?
In drafting the new standard, the ISSA looked closely at the status quo and concluded that the only option was to create a new standard from scratch, written specifically for the SME market and in language appropriate to the small business owner. Over the coming months we will be reviewing the feedback received from the consultation exercise. Looking ahead, the ISSA UK chapter sees a continuing need to provide up-to-date guidance on the key issues affecting small businesses.