InfoSec 2006: SMBs the poor relation for info security – DTI
Small businesses are the poor relation when it comes to information security, according to the latest DTI survey on breaches within UK PLC.
Chris Potter, Information Security Assurance Partner at PricewaterhouseCoopers LLP, which ran the survey, described it as ‘a tale of two cities’.
The figures show small businesses are investing less, suffering more incidents and are less aware than their large-scale counterparts.
A clear picture has emerged of how getting to grips with the issue makes real economic sense. The survey shows that, overall, the number of companies affected by a security incident in 2006 has dropped more in the last two years than it has for small businesses alone.
However, in terms of absolute numbers of incidents, the figure has risen overall by 50 per cent, while for larger businesses that figure has dropped by 30 per cent. But that still translates to an average of eight a year for SMBs and 50 a year for large businesses. And the average cost of each incident – usually related to business disruption rather than cash losses – has risen 20 per cent overall but dropped 10 per cent for large businesses.
‘One of the big challenges has been how to measure the return on investing in security,’ said Potter. ‘How do you measure the effect of incidents that haven’t happened?’
Large businesses are clearly better protected against security breaches, and better able to deal with any such incidents, than they have ever been before, while smaller companies are suffering more breaches and more economic damage.
‘Overall investment is up some four to five per cent on security, but this masks a small body that is doing very little,’ said Potter. ‘Two-fifths of SMBs spend one per cent or less on security.’
Of those, a good proportion don’t bother to run risk assessments, so are unaware of how they are affected by the issue. The survey showed that when a company ran a risk assessment it dedicated an average of 7 per cent of its IT budget to security, while those that didn’t spent just 4 per cent on average.
Yet the figures indicate that it is small businesses that are the ones investing less and suffering for it.
One area they might be forgiven for sidestepping is in-house security experts. Potter said that ‘almost all’ SMBs lacked this and tended to hire in third-party help. However, he said that raised the issue of the trustworthiness of such self-styled experts, and welcomed the creation of the new Institute of Information Security Professionals (IISP), which should ensure accredited members are suitably qualified.
Other initiatives already exist that can help guarantee the effectiveness of security efforts. Yet few small businesses were aware of standards such as BSI 7799 and ISO 27001, which would make choosing security solutions that much easier.
Alun Michael, MP, Minister of State for Industry and the Regions, said that ‘low level of awareness [of these standards] is one of the most worrying problems.’