SMBs given information security guidance


All the knowledge small businesses need in one place.

A new report by the Information Systems Security Association outlined information to make it easier for small to medium business owners to protect themselves.

The draft report recommended information security controls, claiming that there are sources of advice but none aimed to set a standard for information security.

The document also claimed not to be a "set of prescriptive guidance that must be implemented for security".

"In the highly individual world of the small business, there is no such thing."

"The standard sets forth a hierarchy of three categories of control, each detailing the basic principles of information security a micro, small or medium enterprise should pursue," the association wrote.

"Each principle is designed to minimise the administrative burden often associated with information security, focusing on the business processes that will best provide information security as opposed to bureaucracy."

David Lacey, the association's director of research, said organisations with fewer than 250 workers account for nearly all of Britain's workforce "yet SMEs often regard security as a grudge purchase or think that information security does not apply to me".

"The thinking behind this reflects the different attitudes between large corporate and small businesses," he said.

"Any [merchant] offering payment via credit card also needs to think about PCI DSS compliance."

He said there was a lot of information security guidance but it was spread around.

"It is focused at corporates or government where huge processes and large amounts of paperwork are the norm; and is often out of date and does not address current threats and security issues."

Edy Almer, VP product management at Safend, said smaller organisations needed to take the same approach to security as larger enterprises.

"It marks a significant step in recognising and addressing the security issues within smaller [to] medium-sized businesses," Almer said.

"Organisations need to identify the problem areas surrounding information security and assign a person to be responsible for, and set policies to deal with, data protection.

"Businesses should ensure they are not sending sensitive data to third parties, always backing up their data, training all employees on the significance of a policy and putting technical controls in place to enforce the policy."

Almer said many British Government laws applied to smaller organisations as much as they did to enterprises.

"The [association's] initiative of making the fruit of its hard work widely available under a Creative Commons Licence is admirable and should be commended and encouraged."

Andrew Maguire, director of business security marketing at BitDefender, said SMBs needed to think about protecting their secrets.

"Yes a virus is a pain to clean up, but more of an impact is the data that is trying to leave your perimeter," Maguire said.

"There is a breaking point for businesses of 15-20 staff; fewer than that and they can use consumer software as they do not need the complexity. The problem is a lot of SMEs do not know that they need to be compliant and we find that security is an after-thought.

"They do not want to deal with security and we are seeing no separation between the SME and the home-worker."

This article originally appeared at

Copyright © SC Magazine, US edition
