ISSA draws up security guidance document for small-to-medium enterprises

News by Dan Raywood

A new report by the Information Systems Security Association (ISSA) aims to set out and consolidate the most up-to-date best practice information so that small and medium enterprise (SME) owners can find and apply it more easily and quickly.


With a draft report published and now available for review, the ISSA said that the document sets out recommendations on information security controls for SMEs. It claims that although there are already several sources of educational advice for SMEs, none currently aims to set a standard for information security.

The document also claims not to be ‘a set of prescriptive guidance that must be implemented for security. In the highly individual world of the small business, there is no such thing’.

The ISSA said: “The standard sets forth a hierarchy of three categories of control, each detailing the basic principles of information security a micro, small or medium enterprise should pursue. Each principle is designed to minimise the administrative burden often associated with information security, focusing on the business processes that will best provide information security as opposed to bureaucracy.”

David Lacey, director of research at ISSA UK, said: “SMEs (250 employees or less) account for 99 per cent of the workforce in the UK, yet SMEs often regard security purchases as a ‘grudge purchase’ or think that ‘information security does not apply to me’.

“The thinking behind this reflects the different attitudes between large corporate (long-term focus, driven by corporate policy and compliance) and small businesses (frugal spending, cash-flow and the need to win new customer business focus). Legislation such as the Data Protection Act applies equally to an SME as it does to large corporates in the UK. Any vendor offering payment via credit card also needs to think about PCI DSS compliance.

“Even if the SME owner is inclined to do something about information security, where do they go for up-to-date guidance? There is a lot of information out there, but it is spread across numerous websites; it is focused primarily at large corporates or government bodies where huge processes and large amounts of paperwork are the norm; and is often out of date and does not address current threats and security issues.”

Edy Almer, VP product management at Safend, said: “As the ISSA propose new security standards for SMEs, referencing that smaller organisations need to take the same approach to security as larger enterprises, it marks a significant step in recognising and addressing the security issues within smaller/medium-sized businesses.

“Organisations need to identify the problem areas surrounding information security and assign a person to be responsible for, and set policies to deal with, data protection. Businesses should ensure they are not sending sensitive data to third parties, always backing up their data, training all employees on the significance of a policy and putting technical controls in place to enforce the policy.

“Of course, the number of controls a smaller organisation has in place will differ to that of a larger organisation, but the principle remains the same; a lawyer's office with 25 employees is regulated by the Information Commissioner in much the same way as a 25,000 employee multinational finance company. The ISSA's initiative of making the fruit of its hard work widely available under a Creative Common License is admirable and should be commended and encouraged.”

Andrew Maguire, director of business security marketing at BitDefender, said: “It is not about the virus on the network, it is about the threat to your company. Yes, a virus is a pain to clean up, but more of an impact is the data that is trying to leave your perimeter.

“There is a breaking point for businesses of 15-20 staff; fewer than that, and they can use consumer software as they do not need the complexity. The problem is a lot of SMEs do not know that they need to be compliant and we find that security is an afterthought. They do not want to deal with security and we are seeing no separation between the SME and the home-worker.”

Hugo Harber, director of products and market solutions at Star, said: “These guidelines will be a useful resource for SMEs. New security risks emerge every day and even in these tough financial times, it is as important to ensure that there are adequate protections in place.

“We know that security is not just about having adequate protection in place; it's about understanding, mitigating and managing risk in the first place.”
