Walpole Partnership is delighted to announce the renewal of their ISO 27001 Information Security Management System Certificate for a further year in conjunction with ISO Quality Services Ltd. Data security is at the very heart of everything that we do at Walpole Partnership, but why is it so important for us and why should it be at the top of the agenda for other SMEs? And just what is the ISO 27001 Information Security Management System all about? Taking the guest author spot on our blog this month is Jill Davis from ISO Quality Services Ltd who will share all.
The Importance of Cyber Security for SMEs
When it comes to information security, its tempting to think thats its just a problem for the guys in IT.
However, your IT security is only as good as its weakest link. Your people.
Criminals rely on human frailty to gain access to your systems, your data and/or your money. Your employees can fall for phishing scams: accidentally paying a fraudulent invoice, clicking on a link which takes them to a website infected with a virus or opening an attachment which puts you at risk of a ransom situation. Poor password hygiene, such as writing down passwords or having easy-to-guess passwords, also increases your risks.
If you’re affected, the price you pay can be more than financial. Your reputation can be damaged forever and your business may never recover.
Are SMEs affected or is this just a problem for bigger businesses?
You’d be forgiven for thinking that SMEs arent affected, after all, the press coverage relating to cyber breaches in the last few years has generally focussed on corporates. However, although incidents at SMEs may not make the news as often, the stats are certainly sobering for the average small business owner:
The Cyber Security Breaches Survey 2019 found that 31% of micro and small businesses had identified breaches or attacks. Among this 31%:
- 19% lost files or network access
- 10% had their website slowed or taken down
- 9% had software or systems corrupted or damaged
The average (mean) annual cost for those that lost data or assets after breaches was 3,650, a high price to pay for small businesses.
Bigger businesses have even more to lose. For the same period, the number of medium firms identifying a breach or attack was almost twice as high at 60%. The average (mean) annual cost for a medium sized firm that lost data or assets after breaches was a painful 9,270, 39% higher than for micro and small businesses, and a higher proportion of medium businesses were disrupted by losing files, disrupted network access and website issues.
Other sources report much higher figures. As reported in Info Security Magazine, insurance specialists Gallagher surveyed 1,120 senior decisionmakers from UK firms with up to 250 employees and found that 1.4 million businesses were hit by major attacks last year. Their research found that the average cost of attacks to an affected business was 6,400 but nearly one in 10 were forced to pay out over 20,000.
Some SMEs can weather the costs of an attack, perhaps by delaying plans to recruit or shelving investment in new equipment, but others simply fold under the pressure. With 23% of SMEs being unable to survive for a month if a crisis meant they were unabletotrade, Gallagher estimates that 57,000 UK SMEs could be at risk of collapse this year alone if attacked.
Why are my people a cyber risk?
Cyber criminals are increasingly sophisticated and even the most well-meaning of staff can be vulnerable. Busy workers, untrained members of staff and those who click first and think later are even more susceptible.
Taking all sizes of businesses and charities into account, the Cyber Security Breaches Survey found that 80% of the affected businesses had been subject to a phishing attack, such as an email from a manager requiring the urgent purchase of gift cards. Staff can easily be trained to spot phishing red flags yet only 27% of business staff had received cyber security training in the previous year.
Another area of risk is malicious activity by an internal member of the team, such as an embittered employee who copies data to share with a competitor or to set up on their own. With organisations often holding more data than they are aware of, and systems allowing the transfer of data to memory sticks, the risks are higher than they need to be.
Is non-malicious damage also a risk?
Absolutely. It is easy for employees to accidentally email sensitive information to the wrong email address or lose a laptop or mobile phone. Memory sticks are easily mislaid or are left lying in drawers. Confidential information can unwittingly be saved to public folders, putting the data within it at risk, or left lying on desktops.
How can SMEs reduce their risks?
Make sure you know your organisations policies and processes to make it easier to spot unusual activity.
This advice, part of the National Cyber Security Centres (NCSC) free online training perfectly summarises two key ways to reduce risk: provide training to all employees and implement and enforce policies/processes.
There are many free online training courses available. The NCSC training is particularly clear and can be integrated into your own E-learning platform. Another site packed full of useful resources is the Take Five to Stop Fraud website which helps to protect against financial fraud.
Employees should be required to regularly participate in cyber security training as risks are constantly changing.
The three Ps: processes, procedures and policies
Staff may not always jump with excitement when it comes to processes and procedures but, when it comes to information security, knowing what youre meant do is very reassuring. Who would you rather be, the person who took the business offline for hours because you fell for a fraudulent invoice or the person feted internally for saving the firms bacon by following procedures and uncovering a deceit? Recently on LinkedIn, a recruiter shared one such close call: an eagle-eyed member of their suppliers accounts team, luckily well trained, had thwarted an effort to divert a 140k payment to a criminals bank account.
Many SME owners worry that having too many policies and procedures can spoil the family feeling but we believe that flexibility is possible. For example, one firm may have a policy that bans personal phones completely, whereas another may allow the use of work email on a personal phone providing it is password protected. Once you’ve weighed up the risks, the solution is almost always clear.
The main point is that by having a policy or a procedure, the SME protects itself, protects its customers data and ensures it can take action in the case of non-compliance. If that seems harsh, ask yourself this, if an employee failed to shut windows and doors and put the alarm on before going home, would you let the matter slide or raise it immediately?
Introducing ISO 27001
ISO 27001 provides a structure for managing information within a company. It aims to protect the confidentiality, availability and integrity of information, without which your business can be disrupted and your reputation lost.
ISO 27001 is internationally recognised so gives clients and stakeholders confidence. Identifying, managing, treating and mitigating risk is at the core of ISO 27001, making it equally applicable to SMEs as to large corporates.
Contrary to legend, ISO 27001 doesnt just look at the security of the systems. It also encapsulates people, processes and physical aspects of security.
As ISO 17001 specialists, we saw early adoption by IT firms, followed by a raft of new clients from sectors which hold a large amount of personal data, such as lawyers and accountants. These firms sought to both protect data and provide recognised proof of their best practice.
More recently, we have seen a new generation of ISO 27001 clients. Although ISO 9001, the Quality Management Standard, is still the most popular standard we offer, ISO 27001 is now vying with ISO 14001, the Environmental Management Standard, for second place as service providers, charities and manufacturers recognise the dangers of being cyber complacent. GDPR has helped to make data security a board room issue and now more businesses are aware of the real cost of poor information security, they are more willing to invest time in securing their businesss future.
How ISO 27001 helps you win business from bigger companies
How would your operations be affected if your key suppliers business was disrupted for a few days or even weeks? The more suppliers you have, the bigger the risk your supply chain poses to your own business. Thats why many larger businesses are now asking their suppliers to be ISO 27001 certified. Indeed, many larger companies wont consider you without ISO 27001, whereas if you have the certification, you will gain instant kudos and hopefully a new contract!
Andy Pieroux, Managing Director of Walpole Partnership, said, “I’m very proud that we show our ongoing commitment to our clients and the security of their data by achieving the ISO 27001 standard once more. Cloud customers deserve to know that their sensitive data is safe, so we take this very seriously.”
ISO 27001 helped one of our clients, Bristol IT Company, to secure a prestigious contract to supply IT services to a Bristol City Council affiliated organisation which is home to a host of TV and movie productions including Poldark and Broadchurch. Without ISO, BITC would not have been able to tender for this, or other, public sector contracts.
Why SMEs have the advantage
If you’re a growing business, you want all your team to act the same way when it comes to information security. ISO 27001 will help with this. However much you firewall your systems, scan your emails and ensure you have resilient Internet connections, the humans within your company are still a point of vulnerability. You need to ensure they are all trained to the same level and follow the same carefully thought out processes and procedures, regardless of whether you have five or 500 employees.
Many of our clients say its a lot easier to implement procedures when you have a small number of employees than it is to add them later when your workforce has doubled or trebled. So, if you’re a SME, nows a great time to start thinking about ISO 27001. You can find out more in our free ISO 27001 online training module.
Jill Davis is a marketing specialist for ISO Quality Services Ltd (ISOQSL). ISOQSLs passion is to inspire organisational improvement and efficiency by providing unparalleled support. Contact ISOQSL today to find out more about how ISO 27001 can help you secure your businesss future.
