Introduction to Information Security for SMEs
Oct 1, 2011
What is Information Security
Simply stated, information security is the discipline of protecting information resources.
Information resources are broadly defined to include:
• Information (business data);
• Computer hardware;
• Computer software;
• IT infrastructure (networks, data centers);
• People (who have knowledge of business data).
Information resources must be protected to ensure their:
• confidentiality: the guarantee that sensitive information remains private;
• integrity: the guarantee that information can’t be modified without permission or a record of modification;
• availability: the guarantee that information will be available when it needs to be available.
Misconceptions About Information Security
One problem in discussing information security with SMEs is that it’s widely misunderstood. Some popular misconceptions about information security include:
• Information security is an “IT thing”.
Not true. Information security is an “information thing.” Information security certainly includes information that you have stored on your computer. But it also includes:
- printed or hand-written information (the papers you’ve been meaning to clean off of your desk);
- information stored on your PDA, smartphone, MP3 player, or USB key (including your client list, calendar, and address book);
- spoken information (the business conversations you have on your “land-line” telephone, cordless telephone, cellular telephone, or Voice over IP (VoIP)—as well as business conversations you have in a local restaurant);
- information stored on remote computers around the world (including remote email servers, online banking servers, online merchant servers, and online social network servers).
• Adequate information security is already included in products you buy.
Not necessarily true. The Latin “caveat emptor” applies here: let the buyer beware. Your products may or may not have included security features. And security features don’t protect anything unless they’re turned on and properly configured. The same is true for third-party services.
• There’s very little an SME can do about information security, so there’s no reason to try.
Definitely not true. In part, this misconception comes from the mistaken belief that information security problems can only be solved using expensive technology that’s unavailable to SMEs. There are many, many low-tech and no-tech solutions that are available for SMEs.
How Much Information Security is Enough?
The question, “How much information security is enough?” is commonly asked by SME managers. It’s a difficult question to answer—because it’s the wrong question. The purpose of information security is to protect an organization from information- and IT-related risks. So the correct question is, “How much information risk is my business able to tolerate?”
This question is better because it’s possible to have a definitive answer for every organization. However, there is no single, definitive answer that’s correct for every organization. For example, banks have a very different risk tolerance than manufacturing companies. And as many SMEs are also startup companies, they often have a significantly higher risk tolerance. Let’s be clear: making a strategic business decision to accept a higher level of risk is not the same as simply ignoring a high level of risk.
Businesses are generally allowed to determine the level of risk they’re willing to tolerate. Businesses that make good risk decisions tend to succeed; businesses that make bad risk decisions tend to fail. There are situations where the government or other organizations impose limits on how much risk a business may accept, including:
• Data privacy. Most governments define minimum requirements for protecting data privacy. Failing to meet these minimum requirements may result in legal actions and fines.
• Credit cards. To ensure the secure processing of credit card payments, the Payment Card Industry Security Standards Council (PCI SSC) defined the Payment Card Industry Data Security Standard (PCI DSS). Failing to comply with PCI DSS may result in losing permission to process credit card payments—a serious risk for some businesses.
A Simple Strategy for Implementing Information Security
Many SMEs don’t have a good information security program. The problem is usually not one of awareness, but of strategy: where to start, and what to do first? Although large organizations can have the same problem, it can seem bigger for SMEs as they may not have dedicated IT or information security professionals on staff.
Fortunately, there’s a simple, 3-step strategy for implementing information security that most organizations can use:
1. The first step is to assess information risks. This step involves identifying and prioritizing all the risks to your business’s information resources (Internet hacking, stolen laptops, government regulations, etc.). Additionally, a risk treatment plan is created, which defines the information risks your business ranks as too high to tolerate.
2. The second step is to implement an information security program. The goal of this step is to reduce or eliminate the risks identified in the previous step. This is a very pragmatic way to implement information security: the focus is on business risks and not on the latest available technology.
3. The third step is to verify compliance, with both your information security program and with applicable laws and regulations. This step assures the business owners that information risks are being managed.
By using this simple, 3-step strategy, all SMEs can make measurable improvements to their information security—with a corresponding measurable reduction of their information risks. And reducing risks is good for business.
Future entries to the InfoSec for SMEs blog will explore these three steps in more detail. —Jim Herbeck