SME Information Risk: 48 per cent suffered reputational damage already from lost data
According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PwC), mid-sized businesses in Europe are placing themselves at unnecessary information security risk. The average index score for information risk maturity in this group was only 40.6 out of 100, which sharply highlights the gap between what these businesses are currently doing and what they should be doing.
Shockingly, 64 per cent of the mid-sized businesses surveyed had no information risk strategy in place that was effectively monitored. Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data, or your organisation’s data, being handled, managed or stored by these businesses.
According to the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements), only eight per cent of businesses without a plan which had suffered a serious incident survived for five or more years, and forty per cent never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PwC data suggests, this is very bad news for many businesses, and sadly could become one area in which they are over-represented.
Hiding in plain sight
So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, information security issues are not like the monster under the bed, despite what the popular press may have us believe. They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone, until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. What precedes an incident is normally a series of failings, or an extended period during which risks have been ignored or misunderstood.
Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The ability to respond quickly, change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially, though, the risk side of things can be pushed to one side or ignored, and a lack of due diligence can mean that the new undertaking or direction is effectively pursued ‘on the hoof’ and without the anchor of proper governance. This can also be reflected in the approach to procurement, when the questions about the correct checks and balances for security are simply not being asked. This is possibly because there may not be a dedicated full-time equivalent (FTE) for each role and employees wear several hats. Or it may be naivety about where accountability and responsibility lie, whether under legislation or industry requirements. If your organisation is lucky enough to have employed someone with an information security or data protection background, then this is less of an issue. That is assuming that the resource to fund an FTE with these expert skills is available.
Generally it is not, and whilst many businesses are more than familiar with outsourcing security in its traditional, physical sense, they do not necessarily make the connection to information and data.
“Sometimes I feel like the conversation itself is encrypted”
That is how it can feel to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden, and the eyes of the non-security person may start to glaze over or dart about like a frightened rabbit in car headlights.
The concept of information security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t understand – but that is what outsourcing is for. Part of the issue is that organisations, and those within them responsible for the security of information, do not want to feel daft; the language and complex terminology they come up against makes them feel inadequate, and it sounds potentially expensive.
Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s information security, data protection or business continuity appears to have passed many organisations by as a possibility.
When you think about it, though, it makes perfect sense. These are areas that are complex and need expert help; that may not justify an FTE, or be too cost-sensitive to resource on an FTE basis; or that may be needed only to take an organisation through an accreditation, perhaps to get onto a government supply framework or to supply the NHS, for instance. Whilst every organisation needs to be security aware and educate its staff effectively, understanding the accountabilities, policies and processes is far more relevant to an SME than having an inside-out knowledge of security terminology and the dazzling number of acronyms. Outsourcing is the natural choice.
One of the 64 per cent?
So the data security inertia may not come solely from a lack of interest in, or concern about, what happens to client, customer or internal information. True, some organisations have a genuinely laissez-faire attitude, but many don’t, and some of the lack of appropriate action may have come from fear, confusion and misinformation.
Given the ICO’s power to fine up to £500,000 for serious incidents, this could potentially see some of the unprepared 64 per cent close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisations to tender for business that they may not normally have been in a position to go for. It brings likeminded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.
Outsourcing information security may be a newer area of outsourcing, but as with all good outsourcing it is there to provide the expertise that appears to be lacking in the SME arena. Ensuring best-quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.
Data sources: PwC and Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and the Norwich Union Business Continuity Survey.
About the Author
Mike Gillespie is the founder and director of Advent IM Ltd (www.advent-im.co.uk), an independent holistic security consultancy. He is an experienced, security-cleared ISO 27001 Lead Auditor and CLAS Consultant. He provides bespoke services to organisations requiring information security, business continuity, information governance, physical security, CLAS consultancy and associated best practice services such as risk management, policy design and implementation, and training.