Information Security for Small and Medium-Sized Enterprises

Like it or not your business information is crucial to the performance of your business, whether that’s Intellectual Property, client information, financial transactions, marketing proposals, next year’s sales strategy or anything that makes your business tick, or indeed unique. Government, corporate and security experts alike now all agree that the safety of this information is under increasing levels of attack.

Today’s lack of information security awareness within Small and Medium-sized Enterprises (SMEs) is set against a tenacious, rapidly growing and in many cases state-sponsored threat to seize that information. The motive may be to cause direct damage – for example, corruption of your IT infrastructure, or theft of financial transaction information – or to achieve an indirect effect, such as stealing your business ideas and emerging as a low-priced competitor. As SME security awareness stagnates, the ingenuity and tenacity of those threatening your business intensifies at a rapid rate.

The economy is showing few signs of improvement, meaning your business may not be at its best, and improving information security may just be seen as another financial complication. But if the advice[1] of Sir Iain Lobban, Director of GCHQ, is anything to go by, not taking information security seriously is only going to cause negative financial implications. Sir Iain’s advice: “Don’t let cyber security become the agenda – put it on the agenda”.

As an SME you may be looking for relationships with larger organisations, attracted to you for your flexibility and efficiency. A good reputation could foster a long-term relationship with these organisations, or may result in further similar business contracts with others. These larger organisations will be looking for a degree of information security, but any information-sharing will create mutual vulnerabilities, for which an appropriate level of assurance is necessary. If you are unable to provide the appropriate level of information assurance they’re likely to engage your competitors.

Having well-practised and appropriately governed security policies and procedures, a confined and suitably secure IT infrastructure, and trustworthy personnel to use and administer it will stand you head and shoulders above the competitors who lack these qualities.

A report released by the Home Affairs Select Committee on 30th July 2013 claimed that the UK is not winning the war on cyber crime. Keith Vaz, MP, said: “Our country is the number one target for [cyber] gangs in 25 countries.” Although the UK government’s attitude is to shift gear on the reaction to and penalties for crime, the ones left holding the can in the meantime are businesses like yours.

Detailed below are some relevant statistics that may or may not be familiar to you. An information security breach survey[2] undertaken in April 2012 found that within the preceding 12 months:

  • 76% of small businesses had been subject to a security breach;
  • 20% of small businesses had lost confidential data (80% of the breaches were serious);
  • £15k-£30k was the average cost of a small business’s worst security breach of the year;
  • 75% of organisations where the security policy was poorly understood had staff-related breaches; and
  • 54% of small businesses didn’t have a programme for educating their staff about security risks.

Our Advice

Our advice is to implement an information security strategy. It can be a daunting prospect to the small or even medium-sized business owner and therefore it is often overlooked on a risk-management basis, i.e., the blinkered ‘I’ll put security on the agenda when we’ve banked our first £Million’ approach.

It needn’t be daunting and you don’t need a £M turnover to do it; the whole information security concept is proportionality and cost-efficiency balanced with your business needs. As you expand, your information banks will grow or your valuable information will increase in proportionate value, at which time you will need to tailor your already defined strategy.

How We Can Help

  • Review current security posture against best practice as defined by ISO/IEC 27001
  • Legal and regulatory compliance review
  • PCI-DSS review
  • Information risk governance and management arrangements
  • Assistance with policy writing
  • Certification services against ISO/IEC 27001
  • Training and mentoring
  • ISO/IEC 27001 Certified secure hosting and managed encryption services


The first thing you will need to consider is what types and amounts of data your organisation processes, whether that is Personal Data, payment card data or sensitive business data. The security of this data is largely confined to its Confidentiality (the ability to prevent access by those who do not need it), its Integrity (the ability to maintain the information’s accuracy and completeness), and its Availability (the ability to maintain accessibility and usability of an information asset on demand).

Risk Awareness – Having considered the types and amounts of information, your assets and your business processes, you will now need to conduct a Risk Assessment. The risk assessment should incorporate the value of each of your information assets and processes, the vulnerabilities of your systems, and a Threat Assessment (human malice or accident, and environmental hazards). Only when you have conducted an appropriate risk assessment should you consider implementing security controls to mitigate the assessed risks.

Governance – Information security starts in the Boardroom. It is the business owner’s or Managing Director’s responsibility to take accountability for information security within the business. She/he can delegate accountability and/or responsibility for various information security functions, but the buck stops with them.

The owner/MD should put in place a formal security policy, which for a small business could be as simple as a signed statement communicating their aim to safeguard sensitive business information and critical business systems from security threats. This security statement should be communicated to and adopted by all employees and business partners.

Legal and Regulatory Obligations – As the owner of a business you’ll be aware of a number of relevant business laws and regulations, such as the Companies Act, Health & Safety at Work, etc. You may have contractual commitments from your relationships with external organisations also. However, managers and employees responsible for handling sensitive data should also be aware that there are laws and regulations specifically covering these activities; a small selection is as follows:

Data Protection Act – The Data Protection Act places a duty on a business to comply with the Eight Principles of Data Protection. The Principles largely concern the fair and lawful acquisition, handling and use of Personal Data.

Computer Misuse Act – The Computer Misuse Act places a legal obligation on computer users to refrain from the offences of attempted or actual unauthorised access to, or subversion of, computer systems.

PCI DSS – If you’re an organisation that processes credit or debit card data, online or offline, then you will need to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Layered Security Principles

In view of the risks to the Confidentiality, Integrity and Availability of your information assets and business processes you should implement an appropriate all-round security posture, which should involve the following four major security principles:

Physical – Site security, which includes consideration of some of the following factors: external fences, gated entrances, access control, CCTV, Intruder Detection Systems (IDS) / alarms, guards, dog patrols, wall/floor/ceiling construction (including party walls), door and window locking mechanisms, etc.

“At one FTSE-listed financial institution the managing director himself opened the door to a stranger who, within 20 minutes of gaining entry to the building, had found a highly sensitive document outlining a half a billion pound merger lying on a desk.” Source: BBC News.

Technical – Firewalls, Intrusion Prevention/Detection Systems (IPS/IDS), Operating System hardening / lockdown, timely patching, encryption, anti-virus, back-up storage / restoration checks, protective monitoring, event log collection / audits, etc.

“Sony Computer Entertainment Europe has been fined £250,000 following a “serious breach” of the Data Protection Act. The Information Commissioner’s Office (ICO) criticised the entertainment giant for not having up-to-date security software.” Source: BBC News.

Procedural – Education / awareness, documented security operating procedures (SyOPs) / Do’s & Don’ts, password selection, restrictions on account sharing, security routines, regular mustering of sensitive assets and documents, appropriate selection of security roles/responsibilities, confirmatory checking of security procedures amongst individual employees, etc.

“Old desktop computers from a large government body were diverted from the intended disposal company. After the audit that detected this, procedures were changed and monitoring of third parties’ security stepped up.” Source: PWC.

Personnel – Security screening, vetting, UK residency, written and retraceable character/professional references, etc.

“A small Scottish company suffered adverse media coverage after several thousand pounds were stolen by an employee. The root cause was inadequate staff vetting.” Source: PWC.

Of course, the specific controls mentioned here may or may not be necessary once an appropriate all-round defence-in-depth security posture (a combination of the four major security principles) is applied.


Any organisation can work towards compliance with, or certification against, ISO/IEC 27001. This is an internationally recognised information security management standard. Certification and continued maintenance, which includes external auditing, provides information assurance not only to the implementing organisation, but also to those organisations it may want to engage with.

Again, PCI-DSS certification gives that extra degree of assurance and establishes an organisation above those without it.

A CESG Certified Professional (CCP) is an information assurance specialist with a measurable degree of government-recognised experience in advising government and industry clients on information security matters. Sound, experienced and qualified advice provides a high degree of assurance for any organisation implementing any level of information security strategy.

When purchasing security products, from physical security mechanisms (alarms, window/door locks, etc.) to encryption products and firewalls, you may want to look for assurance against known standards that they provide the level of protection you require. Some recognised standards are Common Criteria (CC) and Commercial Product Assurance (CPA) for encryption products, and the British Kitemark for physical security mechanisms.

It’s also advisable, before an internet-facing IT network is put into operation, that an appropriate IT Security Health Check or Penetration Test be conducted by a reputable assessor, and that any vulnerabilities highlighted by the test are fixed before deployment.

In summary

As an SME you will be aware that you have legal and regulatory obligations to protect your staff and your business from any assessed risks. That said, your obligations don’t stop at obvious financial or safety risks. You’ll regret a head-in-the-sand approach to wider information risks when your company hits the headlines for data losses, or where those data losses actually impinge on the continuity or growth of your business, such as loss of IPR or the personal details of your most valued customer, or when you suffer a debilitating outage from which business recovery is impossible.

You’ll regret allowing these incidents to happen even more when you find that the realised risks would have become evident as a result of an appropriate technical risk assessment and that the measures required to manage them could have been applied efficiently.

[1] Sir Iain Lobban, Director GCHQ, “10 Steps to Cyber Security”.