Compliance is not information security

Peter Bassill
Bassill: 'If you haven't got it, you can't lose it.'

Small and midsized businesses often make a big mistake in assuming that compliance with data protection regulations provides the basis of information security, according to a specialist who serves a number of companies in the sector.

Peter Bassill of Hedgehog Security raised the point in a presentation on information security for SMBs at the Infosecurity show in London, coming soon after the 2013 Information Security Breaches Survey highlighted the high level of attacks suffered by small firms. He said that they tend to confuse their legal obligations to protect data with protecting themselves.

It's part of a wider lack of understanding that is undermining the information security of many SMBs.

One of the main points of Bassill's presentation was that they often get the relationship between compliance and security the wrong way around.

"Compliance is not security," Bassill said. "If you can get them (companies) secure then compliance should come along by itself."

Vendor fault

Speaking afterwards to TRPro, he said: "There is a perception that compliance amounts to security, and I have to say it's sometimes the vendor's fault. More often than not it's driven by accidental wording from vendors."

Getting over it requires education about the realities of information security, and making it a core business issue rather than an IT issue.

It was one of a number of failings that he said are creating serious risks to a lot of SMBs. They include a blind faith in anti-virus software, even though many small firms use a free version aimed at consumers and many fail to ensure it is updated.

They believe their internet service provider will ensure they are safe from attack, or, even worse, that their web designer will. Some believe they won't get hacked because they are too small to be worth the effort, with no idea that 81% of attack traffic on the internet is automatically generated without a human choosing the target.

Some are careless about updates of applications and operating systems; some use cloud storage systems designed for consumers rather than business; many have no idea where information they send to the cloud is held; and it's common that companies set weak passwords that are rarely or never changed. It's alarming how often "1234" provides access to a system.

As for safeguards, he outlined a number of approaches that can help companies make their information more secure, all of which are familiar to people in the industry but are often never thought of within SMBs.

There's role-based access, so that only people who really need to get into a store of information can do so. This can keep out not just external hackers, but members of staff who may have good intentions but can sometimes create weaknesses in security. It can be reinforced by educating and training staff, so they're aware of what creates a risk and what processes keep it all secure.

Firms can strengthen physical security by ensuring IT equipment is locked when not in use, by looking at how they work within their office space, and by reviewing their policies on mobile working.

They should regularly back up data, but also ensure that their backup arrangements are regularly tested; and if they suffer from a security incident get the specialists in to identify the weaknesses and repair the damage quickly.

More generally, they should plan for information security, taking it as an essential part of the business.

Need help?

It raises the question of whether the average smaller firm is up to handling this internally or needs external help. Even if they have full-time IT staff, those staff are often fully occupied with routine tasks, which may involve security processes but leave them short of time for planning.

In addition, the business leaders spend their time thinking about markets and cash flows; in most cases information security only enters their thoughts when they suffer a breach.

Bassill says: "I'd love SMBs to be able to do it themselves, and we're trying to run training sessions for business leaders so they can understand what it takes to be secure. As an industry we can help, but it does cost money to be secure."

But he does have three main recommendations for SMBs.

"Without doubt the number one is to improve your passwords and change them regularly. It's really easy to put together a simple way of having complex passwords.

"Number two is that you can buy vulnerability scanning very cheaply, or even buy free tools. You can see if you need to patch the machines and you can do it yourself. It takes time but not money.

"Number three is sit down and look at the business and what information you have. Is it enough or too much? If it's too much reduce it. If you haven't got it you can't lose it."