From personal experience, information security within SMEs varies drastically: from not a care in the world, to faking it, to making it. There is a great deal of fear around infosec within SMEs, and many misunderstandings around securing data, the requirements set out in contracts, and whether those requirements are actually being met.
The ISO27000 series deals with this in a comprehensive manner; however, it is:
- Expensive to implement.
- Not mandatory for the majority of organisations.
- Difficult to understand.
Because of these key issues, the ISO27000 series will never be adopted en masse. It doesn’t translate down into a tangible set of guidelines for SMEs, and it requires specialists to understand and implement the policies that drive forward the organisation’s information security stance. These are resources, both financial and human, that the typical SME is unable to commit, as the day-to-day running of the business takes priority. There are exceptions to this general rule when sensitive data is being handled; however, even then there tends to be confusion around what is actually needed.
Instead, what is happening is more akin to the diagram below. The business environment is the sum of all parts, external and internal, that drive the organisation and its stance. We’re specifically interested in the organisation and its people, and the technology available to them. The organisation and the people within it drive the cultural change (or lack thereof) around the use of technology. Technology itself is changing in a number of ways: new creations, innovation and diffusion. This technological shift changes the environment the organisation and its people are situated in, which in turn drives a cultural change around the use of technology.
For a number of years there has been very little cultural change in terms of information security, because the financial risk of losing data has been negligible or limited in nature. The cost of doing nothing has therefore been lower than the cost of building a culture around security; in smaller organisations, IT and information security are often seen as a cost centre and are ignored until an external influence forces the issue. Thankfully, with GDPR being introduced and the constant revisions to the DPA and ICO guidance, we are starting to see organisations realise that information security is an important (but not widely understood) concept. The shortage of people, both inside organisations and outside them, who understand information security is still limiting wider adoption, and we are years away from micro and small SMEs adopting best practice.