Most small and medium businesses and not-for-profit organisations (SMEs) have the idea that they are too small to matter in the big world of the internet. They think they are too small to be a target and therefore do not consider their business data security a high priority. This can no longer be considered a security solution. Anonymity and invisibility are great, but the advent of easily available hacking tools targeted at Microsoft systems makes any and all SME organisations potential targets.
Any business will have some level of protection for their business data. For most SMEs this is not the case. They will have a firewall, most will have an anti-virus or endpoint protection application, while others will have a disaster recovery or business continuity plan. Normally it is unmanaged and uncontrolled, and the application of one facet has no bearing on the rest of the business systems. This creates security holes and areas where internal and external breaches can and often do occur.
The driving force for SME organisations as well as any organisation in business is usually profits and revenue, making enough money to pay a decent wage to all concerned while increasing market awareness and utilising every trick in the book to get more customers and clients.
Most SMEs are aware of the problems of cyber security and the impact that it can have on their business, but very few have a regimented structure to protect their business.
So SMEs need a framework, a system that takes all components of business and organisational security and makes them manageable without having a huge financial and business impact. The framework has to be able to flex with the business environment and allow new and better systems to be added without having to recreate the whole solution. It needs the ability to adapt to change, with the flexibility that each change will make it stronger.
An SME has the following areas already embedded in their organisation. They use technology – firewall, endpoint protection, VPN and wireless; they have some level of management – auditing, reporting and training; they have some adaptability within the business structure – disaster recovery, culture; and they have some level of compliance.
The problem with most of this is that there is no coordination within the organisation. If you add in the push for Cloud and BYOD, organisations have additional problems, most of which are a lack of business management and oversight. It is not that management is failing; the problem is that they have a limited understanding of cyber security and how to improve the overall security envelope for their business while keeping up with change and improving the bottom line.
So let’s look at an example of a framework that does what I have been discussing.