Okay, they’re not as powerful as “KEEP CALM and CARRY ON!”, but the point is being made: “The ‘Cyber Streetwise’ campaign aims to change the way people view online safety and provide the public and businesses with the skills and knowledge they need to take control of their cyber security”.
Further proof (if proof were needed) that Information Security (as we used to say in the Jurassic Era), is important to every size of business, including SMEs, microenterprises, and people working from home classed as self-employed, and ‘members of the public’ (who often have better defences).
What is an ‘SME’? And a ‘Micro-business’ (if such a thing exists).
Now, facts for the lovers of official statistics (stay awake the rest of you!):
The European Union (EU) defines micro-enterprises as those that meet 2 of the following 3 criteria and have not failed to do so for at least 10 years:
1. fewer than 10 employees
2. balance sheet total below EUR 2 million
3. turnover below EUR 2 million.
Over 99% of the businesses in the UK are small or medium sized businesses, employing less than 250 people.
4.6 million or 96% of all businesses were micro-businesses – employing 0-9 people. That’s a lot of businesses, and a lot of cyber security weak-spots. No criticism of enterprising people here, but the simple truth is that not everybody running a growing enterprise is quite as conscientious as they should be. If you are wondering what your organisational stance is, ask yourself a straightforward, no-nonsense question: ‘Should I already know?’ – because you should. It’s your future that’s at stake, and there are risks.
What is Cyber-Resilience? – And do you have it?
That’s why all businesses need ‘cyber security’ and a business continuity plan to keep the enterprise delivering to its customers rather than falling flat on its face. Because cyber-crime can lead to disaster, and you need a plan. One to recover your IT (DR Plan), and another to maintain ‘Business as usual’. The approach is really one of ‘cyber-resilience’, a concept that you will hear a great deal more about in the months and years to come.
Remember: you heard it here first!
ISMS is for every size of business – including yours!
Something else that you might consider as a determined small business is to start your very own Information Security Management System, or ISMS.
According to some people in Government and big business (not to mention quite a few IT security consultants, etc), this task is simply too much for you to cope with. After all, you are only running a small and quite possibly ‘micro’ enterprise that has probably never experienced a ‘management system’, and therefore the whole concept would be overkill in your world. At least, that’s the current assumption. One that I think is wrong.
The ISO (we will come to them later) has defined a ‘management system’ as a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
If you run your own business (I was self-employed for a number of years, so I sympathise), you might be forgiven for thinking that you already have a management system and that you can use to ‘establish policies and objectives and processes to achieve those objectives’. So if you are not put off by the jargon, please join me on a journey through time and space to learn about this topic. After all, the threats from cyber-crime affect you, just as they do big business. Having your own management system can not only help you to improve cyber-resilience but show the doubters in the large organisations that good management practice is not a concept purely confined to global enterprise. In fact, the willingness to engage with the standards-based approach of FTSE 250 companies and the public sector can be a way of getting their attention and gaining their trust in business.
We know a number of SME companies that have won contracts as a direct result of being ISO27001 compliant – their proof being a UKAS-accredited certificate issued by a certification body. Perhaps you could be next?
Why an ISMS is important
Risks associated with an organisation’s information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organisation.
The adoption of an ISMS is expected to be a strategic decision for an organisation and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organisation.
The design and implementation of an organisation’s ISMS is influenced by the needs and objectives of the organisation, security requirements, the business processes employed and the size and structure of the organisation. The design and operation of an ISMS needs to reflect the interests and information security requirements of all of the organisation’s stakeholders including customers, suppliers, business partners, shareholders and other relevant third parties.
In an interconnected world, information and related processes, systems, and networks constitute critical business assets. Organisations and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Damage to information systems and networks caused by malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated.
Is an ISMS just something that the Government think is a good idea? – What does the private sector think?
An ISMS is important to both public and private sector businesses. In any industry, an ISMS is an enabler that supports e-business and is essential for risk management activities. The interconnection of public and private networks and the sharing of information assets increases the difficulty of controlling access to and handling of information. In addition, the distribution of mobile storage devices containing information assets can weaken the effectiveness of traditional controls. When organisations adopt the ISMS family of standards the ability to apply consistent and mutually-recognizable information security principles can be demonstrated to business partners and other interested parties.
Information security is not always taken into account in the design and development of information systems. Further, information security is often thought of as being a technical solution. However, the information security that can be achieved through technical means is limited, and may be ineffective without being supported by appropriate management and procedures within the context of an ISMS.
Integrating security into a functionally complete information system could be difficult and costly.
An ISMS involves identifying which controls are in place and requires careful planning and attention to detail. As an example, access controls, which may be technical (logical), physical, administrative (managerial) or a combination, provide a means to ensure that access to information assets is authorized and restricted based on the business and information security requirements.
What does an ‘ISMS’ deliver in terms of business benefits? Can you make money from it?
The ISO, or International Organization for Standardization, believes that the successful adoption of an ISMS is important to protect information assets allowing an organisation to:
a) achieve greater assurance that its information assets are adequately protected against threats on a continual basis;
b) maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
c) continually improve its control environment;
d) effectively achieve legal and regulatory compliance.
So, yes, you can make money by being cyber-resilient with your own ISMS.