The biggest information security problem for small businesses is coping with the complexity of their systems when they have no-one with the specialist knowledge on how to protect the data, and maybe no IT specialist at all.
Louise Bennett, Chair of the Information Security Specialist Group at the Chartered Institute for IT (BCS), says it's a significant problem. There are sources of information on the web for dealing with most issues, and there's always the option of hiring a consultant, but any firm that wants to keep its sensitive data secure needs a basic level of understanding in-house.
There is evidence that small firms are suffering; in April the Department for Business and Skills (BIS) published the annual Information Security Breaches Survey, showing that 87% of small companies had suffered a breach in the previous year, with the median number rising from 11 to 17.
Bennett says she thinks it's realistic for a small firm to develop the understanding to place itself in the minority that are not affected.
Obvious questions
"It's perfectly reasonable to sit down and ask yourself the obvious questions," she says. "First, is my business going to be adversely affected if I lose my IT assets, or my internet goes down or whatever?
"For some businesses it may not cause a problem, but you're very likely to be using the internet to source goods and pay. There's reliable research that shows that for businesses in which information is an important part of their business, if their IT goes down for more than a week then a significant number will go out of business.
"I think every small business is capable doing that kind of risk assessment, asking how much does that mean for me, and showing that you do understand that part of it well enough, and if you don't that you get help."
The first step should be to assess the risks to the business if different types of data are lost, stolen or become inaccessible through IT faults. Bennett says the Institute of Directors provides helpful information on risk management and security for small businesses, and the Information Commissioner's Office provides guidance on data protection issues.
Straightforward technology
The technology side is pretty straightforward, even if a lot of small businesses don't pay sufficient attention.
"When you buy your computer system you should buy a good quality security product and keep it up to date," she says. "If you collect personal data or have any intellectual property to protect, you need to do some basic encryption, and that can be done reasonably easily and sensibly."
Sometimes the free versions of anti-virus or anti-spyware can do the job, but she says that for most purposes it is necessary to invest in higher level tools that offer more thorough protection.
The BCS recently issued tips on IT security in the form a free guide covering 10 areas: perimeter security; physical security; access authentication; privilege management; online trading; social networking; mobile computing and communications; vulnerable groups; compliance with confidentiality laws; and evidence gathering.
Bennett says that two of the stand outs reflect the points already made about risk assessments and security software, with the third being to ensure that any mobile access to a business is properly secured.
Escrow for e-business
There is another step relevant to e-business she would like to see that isn't often an option in the UK; using escrow accounts to ensure that both sides are good for a transaction.
"It isn't widely used in this country yet it's a very sensible thing to do, particularly when you're starting to have a relationship," she says. "To ensure that you receive that payment and all is well it's quite sensible to ask for it to be put into escrow."
She has suggested that BIS sets itself up as a trusted third party in sponsoring escrow agreements to help smaller firms deal with overseas customers more securely. At the moment it's an idea that seems some way from fruition.
There's also a question of how much money a company needs to spend to ensure it is safe. It is sometimes claimed that IT security is a cost that has to be balanced against the relevant risk.
Bennett says there's no clear relationship here, and that it's all very specific to the context – some firms operate in markets where their data is more attractive to cyber criminals. But she asserts that in most cases it's more about planning than spending.
"The vast majority of it comes down to planning, thinking things through, understanding from your business model where you've got risks," she says. "You don't necessarily have to spend a fortune on it, you do the sensible things.
"But if it's getting to an area that you don't understand then you need to spend some money to get help and advice."
