SMEs, Information Security, and the Bottom Line
Richard Henson, University of Worcester
Bruce Hallas, Marmalade Box

Objectives of Session
Accept that:
- the latest survey statistics show that information assurance is not meeting expectations
- current perceptions of information security in most SMEs across Europe are part of the problem
- economic factors currently working against information risk management could be turned into drivers for good practice
- businesses in some parts of the world are taking information assurance very seriously, with knock-on effects for the competitiveness of European businesses…

Information Security and Information Assurance
- Information Assurance is the practice of managing information-related risks
  - also known as Information Risk Management, but with subtle differences
- relates closely to Information Security
  - security tends to focus more on the operational management aspects
  - assurance looks at the management processes that drive security operations

Effectiveness of Information Assurance
- PricewaterhouseCoopers survey (2008): US, data breaches reported; Germany, UK, data breaches reported
- PricewaterhouseCoopers (2009): US, data breaches reported; Germany, UK, data breaches reported
- Why not headline news?

Problem been brewing for some time…
- Organisations certainly haven't been doing nothing to combat risk…
- the problem is regarded as complex
- taking proper precautions is expensive
- the wrong people are often tasked with rolling out a solution
- Still not getting it right… and this is large organisations and the public sector, with all their available resources!

The SME and Data Breaches
- May not even know if they've had a breach…
- no legal obligation to disclose in many countries
  - so if they do find they've had a breach, just keep quiet? and fix it?
- This has been going on for years, and SMEs have been "getting away with it"
- Current situation:
  - no publicity about data breaches…
  - a huge amount of publicity about the recession…
  - SMEs could be forgiven for thinking there is nothing much to worry about regarding information security!?!

Why don't organisations do Information Assurance properly?
- Complexity relates also to technology and organisational structure
- the IT manager is often expected to safeguard information systems
  - usually not in a senior role
  - IT not seen as of strategic importance
- Reality: "information security is everyone's responsibility"
- Need to understand the cash flow implications
  - needs a senior management steer

Benchmarking Good Information Assurance Practice
- At one time, many "standards": quote from Tanenbaum… wait a year…
- ISO 27001 now generally accepted
- Research on ISO 27001 certificates awarded:
  - within Europe
  - outside Europe
  - as the recession has "bitten"

Research Findings (see paper… figures quoted per capita…)
- Within Europe: UK high; Austria, Czech Republic, Hungary high; elsewhere low…
- Outside Europe: mostly low; Japan and Taiwan very high… Why?

ISO 27001 over time
- Certificates awarded from late 2008 on…
  - no appreciable slowdown; the recession effect is not significant
  - same trends across countries/continents
- big jumps: Japan and Taiwan; Austria, Hungary, Czech Republic
- little movement: France; Africa; Australasia

Policy and Reality
- Many survey methods use a low baseline for measuring organisational information assurance: the existence of an information security policy
- Yet on its own such a document has no effect…
- Following just "the spirit" of ISO 27001 requires: procedures; risk assessment; education; putting controls in place

UK, West Midlands SMEs and ISO certification
- Small online survey conducted by Worcester University (early 2009)
- many showed little interest beyond acquiring an information security policy
- the main driver for following ISO 27001 (in spirit if not in full certification) was business partners; in itself essentially a tick-box exercise…
  - 7% of the sample had received such a request
- the main drivers against certification were cost and lack of a perceived need
- Backed up by BSI (2008) findings (all organisations): 47% getting certified because of market pressures!!

Conclusions
- Continuing upward trend in times of recession: an encouraging trend
- Complex picture: although most businesses are SMEs, most organisations obtaining ISO certification are not SMEs
  - but many of those larger businesses obtaining ISO 27001 will have SMEs in their supply chain… and will seek to influence SME partners to also get certification

What has most impact on Information Security choices for SMEs?
- Two areas identified and researched by UK Cybersecurity KTN special interest groups, supported by the ESRC (Economic and Social Research Council):
  - Human Factors
  - Economics of Information Security (EIS)

Human Factors
- Human Factors groups identified many organisational problems, borne out in the high-profile data breaches in government and large corporations
- Conclusion:
  - labelled as an IT problem; actually a management problem
  - organisations cannot improve information security with their existing structure
  - information security is part of information management
  - information management must be strategic, and policy must apply to all employees

Economics
- Hard to apply to the balance sheet: a data breach might or might not happen…
  - in the absence of hard data, rejected in risk assessment
- Increased research since 2002: many good economic "drivers" have emerged to encourage good information security

Human Factors or Economics?
- Human Factors groups: not of much direct interest to SMEs
  - but SMEs will follow a change if it is seen as having a positive effect… e.g. "taking" information management away from IT and making it a management issue
- Economics groups: of immediate interest to SMEs…

SMEs and Motivation to improve Information Security
- Large organisations are slowly recognising that behaviour needs to change…
- Small organisations are more focused on survival and making a profit…
  - more likely to be persuaded by economic arguments:
    - positive: "improve reputation; get new customers"
    - negative: "avoid costly data breaches, fines, etc."

Getting that Return on Investment
- SME must have value for money…
- EIS: basis for specifying a return on information security investment
  - can give a measure of the value of data
  - risk assessment can predict the chance of a breach in the next 5 years
  - and can predict the cost of that breach…

Getting a return on hardware
- Another big issue for SMEs:
  - attracted by the "black box" solution to security
  - often reject the "people" solution
  - will seek to blame people when the black box doesn't deliver…
- EIS could support the provision of ROI data on black box security solutions
  - indirectly focusing SMEs on human factors…

Positive Motivators for SMEs
- Having an industry-standard information security management system means they are doing all they can to protect data…
- "Sell" this to:
  - consumers worried that their data might be compromised, and increase sales
  - supply chain partners who take security seriously, and increase sales and partnerships

Negative Motivators for SMEs
- The Law… so far, not coming down hard enough on data breaches
  - except in Japan! Since 2005, any organisation that holds 5000 or more records is subject to heavy penalties or even jail (source: http://www.infoworld.com/d/security-central/japantightens-personal-data-protection-356)
  - "may" tighten up in Europe (2012 law – late?)
- Banking industry regulations… PCI DSS compliance for SMEs engaged in online trading mandatory WORLDWIDE from 1st October 2009

Negative Motivators for SMEs
- Operational Risk
  - effect on ability to trade
  - effect on ability to even function as a business
  - research shows that after a downtime of just 10 days, a business will rarely recover…
- Reputational Risk
  - with industry bodies… customers… the general public…
- Others?

Knock-on infrastructure problems
- SMEs make up 95% of businesses in the UK (similar figures elsewhere?)
- increasingly involved in online trading
- an easy target for criminals
  - recent UK experience with "chip-and-pin"

Shift in PUBLIC perception
- recent surveys show people are more sensitive to issues involving their data than previously
- Now, data loss is a regular media story…

Summary of Findings
- The world has changed…
- Systems of support are available (e.g. ISO 27001 certification), but for a small business:
  - it is essential that SMEs have good information security to establish the trust necessary to do business digitally
  - yet it is perceived as too expensive even in times of boom, and certainly too expensive in times of slowdown
- Comparison studies with some leading economies: most are as bad as the UK, if not worse; some are significantly better

Summary of Findings
- Need to spread the evidence that company data is a valuable asset
  - this would justify spending more to protect it
- Urgent need to make SMEs more aware of the risks they are taking and the consequences of a data breach…
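The "Getting that Return on Investment" and "Getting a return on hardware" slides argue that the economics of information security can turn a predicted breach probability and breach cost into a return figure an SME can weigh against the price of a control, including a "black box" appliance. The following is an added worked example, not code from the presentation or its authors: it uses the standard annual loss expectancy (ALE) and return on security investment (ROSI) arithmetic from the economics-of-information-security literature, which the slides do not spell out, and every input figure (breach probability, breach cost, control costs and risk reductions) is constructed for illustration rather than taken from any survey.

```python
"""Added example: a return-on-security-investment (ROSI) calculation for an SME.

Not code from the presentation.  The ALE/ROSI formulas are the standard ones
from the economics-of-information-security literature; every number below is
a constructed, illustrative input, not survey data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate security investment (hypothetical)."""
    name: str
    annual_cost: float      # licence, training time, staff hours, per year
    risk_reduction: float   # fraction by which breach likelihood falls, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")
        if not 0.0 <= self.risk_reduction <= 1.0:
            raise ValueError("risk_reduction must lie in [0, 1]")


def annual_loss_expectancy(p_breach_per_year: float, cost_per_breach: float) -> float:
    """Expected yearly loss: probability of a breach in a year times cost of one breach."""
    return p_breach_per_year * cost_per_breach


def prob_breach_within_years(p_breach_per_year: float, years: int) -> float:
    """Chance of at least one breach over a horizon, assuming independent years.

    This is how a per-year estimate becomes the '5-year' figure the slides mention.
    """
    return 1.0 - (1.0 - p_breach_per_year) ** years


def rosi(p_breach_per_year: float, cost_per_breach: float, control: Control) -> float:
    """Return on security investment: (loss avoided - cost of control) / cost of control.

    A negative value means the control costs more per year than it is expected to save.
    """
    ale_before = annual_loss_expectancy(p_breach_per_year, cost_per_breach)
    ale_after = annual_loss_expectancy(
        p_breach_per_year * (1.0 - control.risk_reduction), cost_per_breach
    )
    loss_avoided = ale_before - ale_after
    return (loss_avoided - control.annual_cost) / control.annual_cost


def rank_controls(p_breach_per_year: float, cost_per_breach: float,
                  controls: List[Control]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first."""
    scored = [(c.name, rosi(p_breach_per_year, cost_per_breach, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inputs for a hypothetical SME (not figures from the presentation).
P_BREACH_PER_YEAR = 0.2        # risk assessment estimate: roughly one breach in five years
COST_PER_BREACH = 50_000.0     # clean-up, lost trade, fines, reputational damage

CANDIDATE_CONTROLS = [
    Control("black box security appliance", annual_cost=8_000.0, risk_reduction=0.3),
    Control("staff awareness training and procedures", annual_cost=2_500.0, risk_reduction=0.4),
    Control("ISO 27001-style management system", annual_cost=5_000.0, risk_reduction=0.6),
]


if __name__ == "__main__":
    print(f"Annual loss expectancy: {annual_loss_expectancy(P_BREACH_PER_YEAR, COST_PER_BREACH):,.0f}")
    print(f"Chance of a breach within 5 years: {prob_breach_within_years(P_BREACH_PER_YEAR, 5):.1%}")
    for name, value in rank_controls(P_BREACH_PER_YEAR, COST_PER_BREACH, CANDIDATE_CONTROLS):
        print(f"{name:45s} ROSI {value:+.2f}")
```

With these constructed inputs the appliance ranks last despite promising a real reduction in breach likelihood, because its annual cost exceeds the loss it avoids, while the cheaper "people" control ranks first. That is the kind of ROI figure the slides suggest EIS could put in front of an SME before it buys hardware; the numbers are only as good as the risk assessment's estimates of breach probability, breach cost and each control's effect.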