Small and medium-sized enterprises, often referred to as SMEs, employ the majority of the workforce in Iceland. Icelandic SME owners and employees are well aware of the need to be resourceful in a challenging environment. Today SMEs around the world are increasingly affected by rapid changes in the IT environment and in IT security expectations, as the volume and significance of digital data continues to grow. Although the headlines focus on data theft, intrusions into sensitive systems and other incidents at large companies, SMEs are just as exposed. It is tempting to assume there is safety in being small, on the presumption that hackers and other cyber-criminals don't bother with smaller companies, but that isn't true: most attacks are opportunistic, and automated tooling exploits whatever is reachable regardless of who owns it. The security challenges are much the same no matter the size of the organization; SMEs, however, usually have far less to invest in proper prevention.
The most common IT risks facing SMEs fall into three broad categories: external attacks, insider risk, and legal compliance.
SMEs may appear less susceptible to cyberattacks, but the risks are real: malware infections that cripple the network, and automated tools that scan websites and LANs for vulnerabilities. When an SME is compromised, more often than not the attackers use it as a platform for attacking other organizations, for example the SME's own clients. Insider risk is also higher than at larger enterprises: large companies invest more in monitoring access to data at multiple levels, so an SME employee who mishandles or leaks internal data is less likely to be noticed.
It is also worth noting that SMEs have exactly the same legal compliance risks as the big players. All are equally required to comply with local and national laws and regulations on the privacy of personal data, IT security, and the retention or disposal of records, for example. The resources to manage these obligations appropriately and effectively are often minimal at SMEs compared with larger companies, which have dedicated staff whose job is to monitor and mitigate compliance risks.
If your organization falls into the SME category, what can you do to address these issues properly with limited resources?
Here are some ideas we recommend for accomplishing this successfully:
1. Evaluate your situation objectively
We take our cars in for scheduled maintenance to ensure the basic functions are working as expected. As a best practice, you should review the general status of your IT systems and data security every year: what systems and data you have, who has access to what, whether patches are up to date, and whether backups can actually be restored. If the expertise to perform these annual reviews isn't available in your company, or if you simply want an independent view, seek outside assistance from professionals in the field.
2. Clear and simple SOPs
Personnel at smaller organizations are often tasked with multiple roles and duties, and need simple, clear standard operating procedures (SOPs) to handle the requirements of the job. Owners and CEOs would be well served by writing an employee handbook that sets out the SOPs for their operations. The handbook doesn't have to be complicated to be effective; clearly stating what is expected and what counts as approved use of company assets, such as not using company email for personal matters, goes a long way toward reducing IT risk. Similarly, the risks that stem from employees installing programs on company computers are avoided by a simple rule prohibiting it, backed by a technical control: everyday user accounts should not hold administrator privileges, so the rule cannot be bypassed out of habit or convenience. The rules just have to be effective, simple and clearly communicated to employees.
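A rule that says "no admin rights for everyday accounts" is only as good as the check that enforces it. The following script is an added example, not from the original article or from Stiki: it reads a constructed /etc/group-style listing, picks out the groups that confer administrative control, and reports every member who is not on an approved-admins list. The group names in PRIVILEGED_GROUPS and the names in APPROVED_ADMINS are assumptions for the demo; on a Windows workstation the equivalent check is membership of the local Administrators group.

```python
"""Audit administrator-level group membership against an approved list.

Added example, not from the original article. The group listing below is a
constructed /etc/group-style sample; PRIVILEGED_GROUPS and APPROVED_ADMINS are
assumptions for the demo and must be adapted to the real environment.
"""
from __future__ import annotations

# Groups that grant administrative control on common Linux/BSD systems.
# (Assumption for the demo; 'docker' is included because membership gives
# effective root access on the host.)
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin", "docker"}

# Accounts permitted to hold admin rights (assumption for the demo).
APPROVED_ADMINS = {"itadmin", "backup-svc"}

# Constructed sample in /etc/group format: name:password:gid:member,member,...
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:itadmin,anna
sudo:x:27:itadmin,backup-svc,jon
users:x:100:anna,jon,maria
docker:x:999:maria
"""


def parse_group_file(text: str) -> dict[str, set[str]]:
    """Map group name -> set of member accounts. Skips blank, comment and malformed lines."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry: report nothing rather than crash the audit
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_unapproved_admins(
    groups: dict[str, set[str]],
    privileged: set[str] = PRIVILEGED_GROUPS,
    approved: set[str] = APPROVED_ADMINS,
) -> dict[str, set[str]]:
    """Return {account: {privileged groups it belongs to}} for accounts not on the approved list."""
    findings: dict[str, set[str]] = {}
    for group, members in groups.items():
        if group not in privileged:
            continue
        for member in members - approved:
            findings.setdefault(member, set()).add(group)
    return findings


def audit_text(text: str) -> dict[str, set[str]]:
    """Convenience wrapper: parse a group listing and return the findings."""
    return find_unapproved_admins(parse_group_file(text))


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host read /etc/group instead.
    for account, grps in sorted(audit_text(SAMPLE_GROUP_FILE).items()):
        print(f"{account}: unapproved membership of {', '.join(sorted(grps))}")
```

Run against a real host, the script would read /etc/group instead of the sample. Note what it does not cover: accounts whose primary group (set in /etc/passwd) is privileged, accounts with UID 0, and sudoers rules granted to individual users rather than groups; a complete review checks those too.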
3. Work together to create a risk-aware culture
No chain is stronger than its weakest link, so it is important to educate and involve staff regularly on the key elements of IT security. Focusing for one month on a topic such as the security of data, how data is collected, and how it connects to other data sources expands everyone's knowledge and understanding of that topic. Choosing another topic for the next month keeps the cycle of knowledge evolving within the organization, whether small, medium or large. SMEs should make IT security a regular feature of staff meetings and provide visual material to reinforce the takeaways. Seminars, conferences, or partnering with a consultancy are reliable ways for staff to increase their knowledge of IT security. The main objective is to involve as many people as possible within the organization and establish a culture of awareness of IT security and the associated risks.
4. Delete superfluous data and outsource operations
Many SMEs leave themselves vulnerable by keeping data they no longer need. Data that is not stored cannot be stolen or misused, so SMEs should minimize the risk of holding data by deleting superfluous data regularly, following a retention schedule that reflects the legal retention requirements for each kind of record (you cannot delete what the law says you must keep). Another effective way to improve IT operations and security is to outsource hardware and software resources and keep only the bare minimum of user hardware on site for your organization to monitor. Outsourcing moves the operational burden, not the accountability: the data is still yours, and so are the compliance obligations, so choose providers whose security commitments are written into the contract.
5. A proven recipe for success
A proven, simple and effective template for success is learning and applying the best practices that have been developed and refined over the years. The International Standards produced by the International Organization for Standardization (ISO) are that proven recipe. The ISO standards are as appropriate for SMEs as for larger companies, because an organization scopes them to its own size, complexity and resources. The best-known standard for IT security is ISO/IEC 27001:2013, which specifies the requirements for an information security management system (ISMS) and, in its Annex A, a reference set of controls. SMEs can and should use this standard to navigate the complex issues of IT security. The standard itself is very affordable for SMEs, and if need be your organization can also get expert help in understanding its requirements and implementing its best practices.
Stiki – Information Security is the creator of Risk Management Studio, an integrated risk management and business continuity software product. RM Studio's toolkit provides an effective and efficient step-by-step approach to cybersecurity risk management derived from ISO/IEC 27005 and ISO 31000. We pride ourselves on producing a solution that gives our users the confidence and know-how to reach the business decisions their organizations expect. Working with hundreds of SMEs over the years keeps us connected to the particular needs of these organizations and helps RM Studio evolve into a better product time and time again.