SecurityVibes – IT Security & Compliance Magazine

First wave of SMEs recognised for security achievements

Author: Derek Parkinson, inside Compliance

SMEs are willing and able to embed good practice in their organisations as long as they have access to guidance that is appropriate to their size, complexity and the resources they have available, security experts say.

Research published in 2010 by the Information Commissioner’s Office (ICO) tended to confirm what many regard as conventional wisdom – that while large organisations are well served by standards such as the ISO series, SMEs struggle to find security standards that are geared to their needs.

“Very little guidance has been developed specifically for SMEs, despite the fact that they represent a major part of the UK information economy. The result is that there remains a low awareness of security requirements amongst SMEs, even in sectors that handle sensitive, personal information, such as the legal profession,” ICO concluded.

Those trying to remedy this include the National Computing Centre, with the launch this year of its IASME scheme. Among the first wave of companies to sign up was Hylton Motor Group, one of the largest independently owned car companies in the Midlands. IT manager Ravin Gautam offered his thoughts about the motivations for doing so, and Hylton’s experience of the IASME process.

“The company attributes a significant part of its success to maintaining traditional values such as respect for customers, suppliers and colleagues and by providing exceptional customer service. The motor trade, once known for unscrupulous traders, is now cleaning up its act and building and maintaining customer confidence is vital to its success,” said Gautam.

“We have thousands of customers and we hold personal information about each one of them, it is our duty to manage and safeguard that information properly. Data breaches could seriously impact the business leading to serious repercussions with both suppliers and customers,” he told SecurityVibes.

“Certification also provides reassurance to manufacturers and third parties that we take information security seriously, and that we are not the weak link in the dealer chain. Overall IASME is helping us support and grow our reputation, and that in itself is fundamental to the success of Hylton Motor Group,” he says.

“I was aware that going for ISO/IEC 27001 would be time-consuming, expensive, and hard to scale for an SME business such as ours. But then I got to hear about IASME…and I recognised the value in becoming certified compliant to this standard.

“The IASME framework, templates and self-assessment approach supported by the assessor made it easier for us to document and improve our information assurance procedures and we now have improved security controls that are appropriate for a business our size,” Gautam says.

Other professional bodies are also making efforts to engage with SMEs. An example is the ISSA 5173 standard, notable because among the team responsible for its development was David Lacey, one of the authors of the original ICO report.

“ISSA-UK has received overwhelmingly positive feedback on the ISSA 5173 standard with uptake across the IT media being particularly good; reaching as far afield as South America and New Zealand. ISSA-UK estimates the standard currently has a readership of around 30,000 worldwide,” says Adrian Wright, ISSA director of Projects.

“Over the course of the next 12 months we aim to publish around 12 guidance documents to back up the standard. Based on the discussions of the ISSA 5173 workgroup and user feedback, the ISSA 5173 team has produced a development plan for supplementary guidance covering the main topical and most needed currently for SMEs; ranging from Cloud computing and countering e-Crime, to Business Continuity and Procurement,” Wright told SecurityVibes.
