Why should an SME be concerned with Information security?

For many small and medium businesses and not-for-profit organisations (SMEs), the security of their information, systems and networks may not be a high priority within the business, but for their clients, employees and suppliers it is very important.

Larger businesses, enterprises and government departments all over the world have been actively pursuing information security for many years now, with significant resources including advanced technology, staff training and education, and larger budgets. It is therefore important that all SMEs look to securing the information under their control, as far as their systems and networks will allow.

Your clients and customers expect that their sensitive data will be respected and given adequate and appropriate protection. Similarly, the employees of an SME expect that their personal information will be protected.

Like government departments, large organisations and enterprises, every business needs its information secured both on site and in transit, to protect the confidentiality, integrity and availability of that data. Access to the data has to be balanced against business requirements: the people who need the information to carry out their business role must still be able to reach it.

So there is not only a cost in protecting your business data (hardware, software and management controls, including policy and procedures), there is also a cost in not protecting an SME's critical data. Furthermore, SMEs have a nasty tendency to cut their risk management effort in the name of cost avoidance, by not putting adequate protective systems in place for sensitive business data (the old "it won't happen to me" mentality).

A cost avoidance strategy needs to consider the costs that are not immediately obvious. Just look at the notification rules in the US, where an SME is required to notify every person whose data has been exposed by a security breach (read: a hacker, malicious code, or an employee releasing information); I suppose that we in Australia are a little luckier. Each notification (to customers who MIGHT HAVE BEEN EXPOSED) can cost up to $130.00 per customer or client, multiplied by the size of your customer database (at a basic level, $130 x 500 = $65,000). This does not include the loss of trust and respect that an SME could suffer, which is vital to an SME business.

The trouble is that an SME does not have the resources to implement a perfect information security program, but it is possible to implement a level of protection that supports the business while also protecting your business information. Because the SME has a security framework in place, malicious code will not take hold, or the hacker will try somewhere else that is not as hard to get into.

There are a number of vital things that need to be done from an SME perspective to start creating a secure business environment. They are:

  • Protect vital business information from damage or loss from viruses, spyware and malware.
  • Protect your internet connection.
  • Activate firewalls on all computers, servers, routers and all business systems.
  • Patch all operating systems and applications and upgrade to the newest version as soon as it is practicable.
  • Backup all critical business information preferably to an offsite location.
  • Control physical access to the premises and the servers.
  • Secure wireless access points and VPN user access.
  • Train and educate your staff in security practices.
  • Use individual user accounts for all staff for access to the computers as well as all applications that require them.
  • Limit access to data to the level that the user requires.

So the next question is: how do you do that? One of the best ways is education, training your staff to recognise the possible dangers that may come their way.

  • Have your staff keep an eye out for emails, instant messages and social media posts that request sensitive information or contain web links, and define what they should do about them.
  • Keep your staff informed about, and watching out for, pop-ups and other hacker tricks.
  • Make sure that not only business computers are secure but also home computers when it comes to banking and online processes.
  • Make sure that you are checking references when hiring new people.
  • Make sure staff understand the dangers of surfing and downloading software from dubious sites.
  • Have a security expert available who you can contact and who can train and educate your staff.
  • Dispose of old computers, servers, CDs, DVDs, USB storage and anything else that may hold electronic data safely, securely and, if possible, in an environmentally friendly way.
  • Beware of social engineering!

Finally, if you implement the best practices described on the internet and in this email, you will help your SME business and also be able to leverage that security as a marketing point: the safety and security of your clients' information is of the highest priority to your business.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO of R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.