Published by Maximilian Holland. Modified over 9 years ago.
1
SMEs, and efforts to safeguard their Information
Richard Henson
Worcester Business School
May 2009
2
“A business IS its data”
SOME organisations take this message to heart…
Why only some…?
3
Size of Organisation is a Factor
Large organisations WELL aware…
  – invested massively in their information/data and protecting it since “mainframe” days
  – a matter of organisational policy
Smaller organisations not so aware
  – may invest sporadically in IT, in response to needs
  – may not have an information security policy
  – may have a policy… but not connect this with business strategy
4
Organisational Culture - another factor
Taking extremes:
  – “paranoid” organisation (blame culture)
    » controlling
    » fear of messing up
    » shoot the messenger
  – “open door” organisation (learn culture)
    » encourages dialogue
    » employees free to express ideas
    » listens to employee concerns
5
Senior Management & “IT Guys”
Senior mgt have been known to believe IT sales talk above technical truths…
Salesperson/expert may talk the same language & dress in same clothes as the SME boss
  – why should they believe the IT guy?
Surprising that such perception persists to present day…
6
Whatever happened to the “hybrid manager”?
Recognised that there was a problem back in 1990…
  – some large organisations wanted more IT people in management
British Computer Society (BCS) coined the term “hybrid manager”
  – some universities offered “MSc in Hybrid Management”
  – but with the early 1990s rise of “end-user computing” the idea was quietly forgotten…
7
Result: worst-case scenario
Organisation has…
  – no policy on Information Security
  – no policy on Information Risk
Expectation…
  – the IT guys should sort all that out…
Blame…
  – we pay them to look after our data
  – if we get data leakage it’s their fault…
8
Why is the “IT guy should handle it” analysis wrong?
In the days of “end-user computing”…
  – ALL employees handle data
    » all potential data leakers…
  – and people screw up not just with data… but with everything else!!!
How can their data handling problems be the IT guys’ fault???
9
How do small organisations cope with human ability to “mess up”?
  – Manage it!!
    » people who don’t mess up don’t need (much) managing
    » anyone can mess up with data at any time
  – even IT guys do it!!
  – part of not being a machine
  – intuition sometimes takes over…
    » press delete key then think… I shouldn’t have done that!
  – Requires policy and training
    » could ask the IT guy to arrange that
  – IT guy probably wouldn’t know where to start…
    » could bring in a consultant to work with the IT guy
  – better (depends on the consultant…)
10
A more enlightened Management approach to Information Security
DON’T leave it to IT guys then blame them
DON’T outsource the problem to a consultant
DO… get personally involved
  – certainly in policy making
  – preferably in training
OTHERWISE?
  – Inland Revenue data loss scenario possible…
  – 26 million, i.e. whole database
11
Management of Information Risk (continued)
Nominate someone to take responsibility for the data...
  – the IT manager?
    » develop policy & information security management system
    » provide training on the above
    » make sure everyone knows policy, understands & remembers their training, shows good attitude
  – is this realistic?
    » policy has to be established at top level
    » employees need direction:
      – from the top
      – not the IT manager
12
How & why did academics get involved in all this?
PCs started to link together in the late 1980s
  – DANGER!!!
IT managers expressed concerns
  – IT management academics wrote about it
  – rest of the academic world ignored them… benefiting personally from end-user computing
With no restrictions… everyone started using IT
  – often with little training or understanding…
  – E-commerce bubble then grew, unsustainably…
  – and eventually burst!!!
13
The .com bust: IT-associated academics under fire?
.com boom really all about greed…
  – getting more out of a mathematical model than its inputs
Businesses blamed gurus and academics
  – many went bust
  – shockwaves across whole IT industry
  – most computer academics keeping well away from economics…
14
Someone did come “unto the breach”…
Ross Anderson (Cambridge Uni)
  – Instead, he wrote a paper: “just because the IT security problem is hard, doesn’t mean we shouldn’t try to solve it”
Bruce Schneier (a US IT practitioner & writer) picked up on this, and they became a double act
  – Anderson dared to ask, “do we spend too much on security?” at an academic conference
  – Schneier replied (for the industry) “no we do not”, at the same conference
  – highly successful: clout & credibility
  – result: new academic field from nowhere, “Economics of Information Security”
15
The Growth of “Economics of Information Security”
An academic success in recent years
  – annual conference since 2002
  – research now receiving significant ESRC funding
With respect to the esteemed Dr. Ross Anderson… (now a government adviser, the next Berners-Lee?)
  – the new paradigm would probably not have happened if not for that academic-practitioner partnership
16
Why “Economics of Information Security” (EIS)?
Main inputs were from economics, computing and security/risk management
  – psychology and organisational management also involved
Academics could now research matters relating to information security that directly focus on matters that businesses are most interested in:
  – efficient use of resources
  – information risk management
  – ROI
  – reputation
  – keeping legal
17
The development of EIS
Economics of Information Security rapidly developed into four strands:
  – putting value onto corporate data
  – effects of a data breach on an organisation’s finances
  – costs to IT suppliers of developing secure software
  – education of senior management about Information Security
Not much research to date about value of personal data
  – might be of considerable importance to SMEs
  – could well have 1000 customers or more…
18
Adjacent new field: “Human Factors in Information Security”
Particular interest to psychologists…
Research shows that large organisations following agreed guidelines still getting data breaches
  – NOT by outside hackers
  – NOT by bribed insiders/insider with a grudge/both
  – BUT by employees not following data handling procedures correctly!
Hence, the need for employee education
  – but how to do it effectively…???
19
Further Adjustment of Management Approach required…
Human factors research identifies other problems:
  – how policy is disseminated & implemented
  – organisational culture
  – “product” not “process” thinking
  – general lack of data handling education
20
Where DOES security management work well?
In a totally secure organisation
  – totalitarian state/secretive govt department!
  – if data misused in any way “we will have to kill you” (or put you in prison)
In a totally democratic organisation where education is paramount and people are trusted…
  – based on teamwork and people keeping each other in line
21
Where does data security fail?
If organisation is part-democratic, part-autocratic
  – many public sector organisations?
BCS Security forums have been alerting the UK media for years…
  – no-one listened until HMRC lost 26m records
  – Now confirmed by government report: “Systemic Failure”
Much more research needs to be done on data handling in such organisations
22
Conclusions
Many organisations have cultures that militate against good data security
  – management may not recognise the problem
Solution?
  – motivate management to take action
  – depends on the organisation
    » public sector: human factors
    » business: economic factors
    » public/private partnership?
  – more research urgently needed
23
Questions?
24
SMEs (my research focus)
95% of UK businesses
84% of UK GDP
At a disadvantage as regards matters of IT
  – limited resources & expertise
  – dependent on others
    » plenty of evidence of bad advice…
At an even bigger disadvantage as regards IT security…
25
SMEs: Why Safeguard?
May be expensive!
  – recession: I need to cut my spending, not increase it
Typical Risk Assessment:
  – slim chance of a breach
  – if so, pay small fine and move on…
  – more important things to be concerned with than their data… (!)
Culture of “my competitors don’t bother so why should I?”
  – popular myth; not strictly true
  – will eventually reach a “tipping point”
26
SME: Security problems solved by technology?
“Technology and society” can be a management issue in itself
  – security technologies progressing rapidly…
  – perceived as easier to just buy the latest kit
Senior Management suspicion of employees who might know more than they do… lack trust… won’t listen… etc.
  – may be especially true in a small organisation
27
Particular Problems for SMEs (1)
Data Protection Legislation IS weak
  – organisation must nominate a “data controller”
  – on statute since 1984!!
  – first “high profile” conviction… in 2009
  – even that was misreported…
SME often does not see the need for an information security management system
  – expects the IT hardware to do the security…
28
Result: Safeguarding Attempts don’t work!
Typical “failed” investments:
  – surveillance cameras
  – the latest “black box” firewall
  – the latest technological buzzword in a box
  – the latest antivirus solution
  – all of the above…
29
Particular Problems for SMEs (2)
Outsourcing
  – external provider prepared to do both “process” (ISMS) and “product” (IT hardware)
    » data managed and stored elsewhere
  – relatively expensive [but so are the IT guys (!)]
  – can’t be expected to understand the organisation’s business processes, and information security policy…
  – whose responsibility for the data?
    » probably not the outsourcer… legal minefield
    » what happens to data if outsourcer goes bust?
30
Particular Problems for SMEs (3)
“The Cloud”
  – presented as some wonderful space where organisations can store their data safely
  – actually just part of the Internet… not much different to outsourcing
    » instead of data kept on outsourcer’s servers…
  – same issues as outsourcing
  – but organisation’s data is now… on the Internet!!!
31
What can be done?
SMEs need to be convinced:
  – that their organisations would collapse very quickly without data…
  – that a data breach would be very bad for:
    » their reputation
    » their bottom line
Only then are they likely to seek compliance with guidelines and standards
32
One approach: “Value of Data”
Public sector organisations not “for profit”
Not interested in “the bottom line” for corporate or personal data
But businesses certainly are…
  – makes sense to use economic factors as prime motivators for looking after their data…
  – in recent years, EIS researchers have produced a number of tools & methodologies for encouraging businesses to save money by keeping their data safe…
33
Existing EIS research
Effect of data breach on:
  – share price (falls…)
  – availability (without data, 10 days survival max.)
  – reputation (negative media headlines…)
Mostly focused on corporate data…
Much less about SMEs…
34
My PhD Research: part I
Focus on SMEs
MPhil:
  – study on how seriously they are currently taking information security
  – will inform more focused work on developing a model for SMEs to effectively secure their data at reasonable cost
35
My PhD Research: part I
On-line questionnaire. Questions based on:
  – (i) developing an information security policy
  – (ii) basing their IS policy on their own business processes
  – (iii) sharing knowledge of the IS policy across the workforce
  – (iv) planning the implementation of that policy through procedures to be adopted at an operational level
36
My PhD Research: part I
MPhil questions (continued)
  – (v) undergo risk assessment for 135 potential information security controls to identify priorities
  – (vi) putting selected controls in place to operationalise those procedures
  – (vii) claiming ISO27001 & PCI DSS compliance as a result of actions (i) to (v)
  – (viii) having the controls subsequently and regularly audited and becoming ISO27001 accredited
37
Methodology
Distributed to an otherwise random sample of West Midlands SMEs
  – anonymity assured
  – identified only by sector and no. of employees
Dissemination of results initially to participants, and then publicly
Detailed analysis of findings presented as MPhil report
  – provides the basis for further research papers
  – to be used to fine-tune the focus for the PhD study
38
Likely PhD study: “Cost Effective Information Risk Management”
Ultimate goal:
  – create a model for SMEs wishing to put an information security policy into operation on a limited budget
Intermediate goal:
  – risk assessment tool to cover all 135 controls identified by ISO27001, so SMEs not put off and overburdened before they start…
39
Risk Assessment Tool
Intended specifically for SMEs
  – existing tools focus on larger organisations
Will assess risk of each potential control breaking down by using two dimensions:
  – how likely?
  – how much will it cost if the control is leaky?
40
Developing the model…
Once principles of cost-effective risk assessment are understood
Individual SMEs directed towards prioritising security controls to:
  – have most impact financially
  – ensure a reduction in the potential for data breaches
Then a matter of choosing most cost-effective way of operationalising that control, so it can be easily audited as required
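As an added illustration of the two-dimensional assessment described on the last two slides (not a tool from the research itself), a small Python model that scores each control by likelihood of it being leaky times the cost if it is, ranks the controls, and picks the most cost-effective set within a fixed budget. The control names, probabilities, losses and costs are constructed for the example and are not ISO27001 identifiers or survey figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str          # constructed label, not an ISO27001 control reference
    likelihood: float  # assumed annual probability that the control is "leaky" (0..1)
    impact: float      # assumed loss (GBP) to the SME if the control fails
    cost: float        # assumed annual cost (GBP) of operationalising the control


def expected_loss(c: Control) -> float:
    """Dimension 1 x dimension 2: expected annual loss if the control is left leaky."""
    return c.likelihood * c.impact


def rank_by_risk(controls):
    """Prioritise controls by expected annual loss, largest exposure first."""
    return sorted(controls, key=expected_loss, reverse=True)


def select_within_budget(controls, budget):
    """Greedy choice of the most cost-effective controls an SME can afford.

    Controls are taken in order of expected loss avoided per pound spent; a control
    that would overspend the budget is skipped so cheaper, still-useful ones can fit.
    """
    chosen, spent = [], 0.0
    for c in sorted(controls, key=lambda c: expected_loss(c) / c.cost, reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen, spent


def residual_exposure(controls, chosen):
    """Expected annual loss the SME still carries from controls it did not fund."""
    picked = {c.name for c in chosen}
    return sum(expected_loss(c) for c in controls if c.name not in picked)


# Constructed sample portfolio (assumed figures, for illustration only).
SAMPLE = [
    Control("Laptop disk encryption", 0.20, 50_000, 1_500),
    Control("Off-site backups tested", 0.10, 120_000, 3_000),
    Control("Staff data-handling training", 0.40, 35_000, 2_000),
    Control("Managed firewall appliance", 0.02, 40_000, 4_000),
]

if __name__ == "__main__":
    for c in rank_by_risk(SAMPLE):
        print(f"{c.name:32s} expected loss GBP {expected_loss(c):>9,.0f}")
    chosen, spent = select_within_budget(SAMPLE, budget=5_000)
    print("Fund first:", [c.name for c in chosen], "spending", spent)
    print("Residual exposure GBP", residual_exposure(SAMPLE, chosen))
```

With the constructed figures the "black box" firewall ranks last on both dimensions, which is the slide's point that the latest kit is not automatically the best use of a limited budget.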
41
A Matter of National Importance
SMEs a major source of wealth for UK
Increasingly function in a global market
Evidence that (e.g.) Asian SMEs are powering ahead with safeguarding information security systems
  – will get fewer data breaches
  – will enhance reputation
  – will get more customers, at the expense of UK, European, and US small businesses
42
Questions?