SMEs, and efforts to safeguard their Information Richard Henson Worcester Business School May 2009


Page 1: SMEs, and efforts to safeguard their Information Richard Henson Worcester Business School May 2009

SMEs, and efforts to safeguard their Information

Richard Henson, Worcester Business School

May 2009

Page 2: “A business IS its data”

• SOME organisations take this message to heart…

• Why only some…?

Page 3: Size of Organisation is a Factor

• Large organisations WELL aware…
  – invested massively in their information/data and protecting it since “mainframe” days
  – a matter of organisational policy

• Smaller organisations not so aware
  – may invest sporadically in IT, in response to needs
  – may not have an information security policy
  – may have a policy… but not connect this with business strategy

Page 4: Organisational Culture - another factor

• Taking extremes:
  – “paranoid” organisation (blame culture)
    • controlling
    • fear of messing up
    • shoot the messenger
  – “open door” organisation (learn culture)
    • encourages dialogue
    • employees free to express ideas
    • listens to employee concerns

Page 5: Senior Management & “IT Guys”

• Senior mgt have been known to believe IT sales talk above technical truths…

• Salesperson/expert may talk the same language & dress in same clothes as the SME boss
  – why should they believe the IT guy?

• Surprising that such perception persists to present day…

Page 6: Whatever happened to the “hybrid manager”?

• Recognised that there was a problem back in 1990…
  – some large organisations wanted more IT people in management

• British Computer Society (BCS) coined the term “hybrid manager”
  – some universities offered “MSc in Hybrid Management”
  – but with the early 1990s rise of “end-user computing” the idea was quietly forgotten…

Page 7: Result: worst-case scenario

• Organisation has…
  – no policy on Information Security
  – no policy on Information Risk

• Expectation…
  – the IT guys should sort all that out…

• Blame…
  – we pay them to look after our data
  – if we get data leakage it’s their fault…

Page 8: Why is the “IT guy should handle it” analysis wrong?

• In the days of “end-user computing”…
  – ALL employees handle data
    • all potential data leakers…
  – and people screw up
    • not just with data…
    • but with everything else!!!

• How can their data handling problems be the IT guys’ fault???

Page 9: How do small organisations cope with human ability to “mess up”?

• Manage it!!
  – people who don’t mess up don’t need (much) managing
  – anyone can mess up with data at any time
    • even IT guys do it!!
    • part of not being a machine
    • intuition sometimes takes over…
      » press delete key then think… I shouldn’t have done that!

• Requires policy and training
  – could ask the IT guy to arrange that
    • IT guy probably wouldn’t know where to start…
  – could bring in a consultant to work with the IT guy
    • better (depends on the consultant…)

Page 10: A more enlightened Management approach to Information Security

• DON’T leave it to IT guys then blame them
• DON’T outsource the problem to a consultant
• DO… get personally involved
  – certainly in policy making
  – preferably in training

• OTHERWISE?
  – Inland Revenue data loss scenario possible…
  – 26 million i.e. whole database

Page 11: Management of Information Risk (continued)

• Nominate someone to take responsibility for the data...
  – the IT manager?
    • develop policy & information security management system
    • provide training on the above
    • make sure everyone knows policy, understands & remembers their training, shows good attitude
  – is this realistic?
    • policy has to be established at top level
    • employees need direction:
      – from the top
      – not the IT manager

Page 12: How & why did academics get involved in all this?

• PCs started to link together in the late 1980s
  – DANGER!!!

• IT managers expressed concerns
  – IT management academics wrote about it
  – rest of the academic world ignored them…
    • benefiting personally from end-user computing

• With no restrictions… everyone started using IT
  – often with little training or understanding…
  – E-commerce bubble then grew, unsustainably…
  – and eventually burst!!!

Page 13: The .com bust: IT-associated academics under fire?

• .com boom really all about greed…
  – getting more out of a mathematical model than its inputs

• Businesses blamed gurus and academics
  – many went bust
  – shockwaves across whole IT industry
  – most computer academics keeping well away from economics…

Page 14: Someone did come “unto the breach”…

• Ross Anderson (Cambridge Uni)
  – Instead, he wrote a paper: “just because the IT security problem is hard, doesn’t mean we shouldn’t try to solve it”

• Bruce Schneier (a US IT practitioner & writer) picked up on this, and they became a double act
  – Anderson dared to ask, “do we spend too much on security” at an academic conference
  – Schneier replied (for the industry) “no we do not”, at the same conference
  – highly successful: clout & credibility
  – result: new academic field from nowhere, “Economics of Information Security”

Page 15: The Growth of “Economics of Information Security”

• An academic success in recent years
  – annual conference since 2002
  – research now receiving significant ESRC funding

• With respect to the esteemed Dr. Ross Anderson… (now a government adviser, the next Berners-Lee?)
  – the new paradigm would probably not have happened if not for that academic-practitioner partnership

Page 16: Why “Economics of Information Security” (EIS)?

• Main inputs were from economics, computing and security/risk management
  – psychology and organisational management also involved

• Academics could now research matters relating to information security that directly focus on what businesses are most interested in:
  • efficient use of resources
  • information risk management
  • ROI
  • reputation
  • keeping legal

Page 17: The development of EIS

• Economics of Information Security rapidly developed into four strands:
  – putting value onto corporate data
  – effects of a data breach on an organisation’s finances
  – costs to IT suppliers of developing secure software
  – education of senior management about Information Security

• Not much research to date about value of personal data
  – might be of considerable importance to SMEs
  – could well have 1000 customers or more…

Page 18: Adjacent new field: “Human Factors in Information Security”

• Particular interest to psychologists…
• Research shows that large organisations following agreed guidelines still getting data breaches
  – NOT by outside hackers
  – NOT by bribed insiders/insider with a grudge/both
  – BUT by employees not following data handling procedures correctly!

• Hence, the need for employee education
  – but how to do it effectively…???

Page 19: Further Adjustment of Management Approach required…

• Human factors research identifies other problems:
  – how policy is disseminated & implemented
  – organisational culture
  – “product” not “process” thinking
  – general lack of data handling education

Page 20: Where DOES security management work well?

• In a totally secure organisation
  – totalitarian state/secretive govt department!
  – if data misused in any way “we will have to kill you” (or put you in prison)

• In a totally democratic organisation where education is paramount and people are trusted…
  – based on teamwork and people keeping each other in line

Page 21: Where does data security fail?

• If organisation is part-democratic, part-autocratic
  – many public sector organisations?

• BCS Security forums have been alerting the UK media for years…
  – no-one listened until HMRC lost 26m records
  – now confirmed by government report
    • “Systemic Failure”

• Much more research needs to be done on data handling in such organisations

Page 22: Conclusions

• Many organisations have cultures that militate against good data security
  – management may not recognise the problem

• Solution?
  – motivate management to take action
  – depends on the organisation
    • public sector: human factors
    • business: economic factors
    • public/private partnership?
  – more research urgently needed

Page 23: Questions?

Page 24: SMEs (my research focus)

• 95% of UK businesses
• 84% of UK GDP
• At a disadvantage as regards matters of IT
  – limited resources & expertise
  – dependent on others
    • plenty of evidence of bad advice…

• At an even bigger disadvantage as regards IT security…

Page 25: SMEs: Why Safeguard?

• May be expensive!
  – recession: I need to cut my spending not increase it

• Typical Risk Assessment:
  – slim chance of a breach
  – if so, pay small fine and move on…
  – more important things to be concerned with than their data… (!)

• Culture of “my competitors don’t bother so why should I?”
  – popular myth; not strictly true
  – will eventually reach a “tipping point”

Page 26: SME: Security problems solved by technology?

• “Technology and society” can be a management issue in itself
  – security technologies progressing rapidly…
  – perceived as easier to just buy the latest kit

• Senior Management suspicion of employees who might know more than they do… lack trust… won’t listen… etc.
  – may be especially true in a small organisation

Page 27: Particular Problems for SMEs (1)

• Data Protection Legislation IS weak
  – organisation must nominate a “data controller”
  – on statute since 1984!!
  – first “high profile” conviction… in 2009
  – even that was misreported…

• SME often does not see the need for an information security management system
  – expects the IT hardware to do the security…

Page 28: Result: Safeguarding Attempts don’t work!

• Typical “failed” investments:
  – surveillance cameras
  – the latest “black box” firewall
  – the latest technological buzzword in a box
  – the latest antivirus solution
  – all of the above…

Page 29: Particular Problems for SMEs (2)

• Outsourcing
  – external provider prepared to do both “process” (ISMS) and “product” (IT hardware)
    • data managed and stored elsewhere
  – relatively expensive [but so are the IT guys (!)]
  – can’t be expected to understand the organisation’s business processes, and information security policy…
  – whose responsibility for the data?
    • probably not the outsourcer…
    • legal minefield
    • what happens to data if outsourcer goes bust?

Page 30: Particular Problems for SMEs (3)

• “The Cloud”
  – presented as some wonderful space where organisations can store their data safely
  – actually just part of the Internet…
    • not much different to outsourcing
    • instead of data kept on outsourcer’s servers…
  – same issues as outsourcing
  – but organisation’s data is now… on the Internet!!!

Page 31: What can be done?

• SMEs need to be convinced:
  – that their organisations would collapse very quickly without data…
  – that a data breach would be very bad for:
    • their reputation
    • their bottom line

• Only then are they likely to seek compliance with guidelines and standards

Page 32: One approach: “Value of Data”

• Public sector organisations not “for profit”
• Not interested in “the bottom line” for corporate or personal data
• But businesses certainly are…
  – makes sense to use economic factors as prime motivators for looking after their data…
  – in recent years, EIS researchers have produced a number of tools & methodologies for encouraging businesses to save money by keeping their data safe…

Page 33: Existing EIS research

• Effect of data breach on:
  – share price (falls…)
  – availability (without data, 10 days survival max.)
  – reputation (negative media headlines…)

• Mostly focused on corporate data…

• Much less about SMEs…

Page 34: My PhD Research: part I

• Focus on SMEs

• MPhil:
  – study on how seriously they are currently taking information security
  – will inform more focused work on developing a model for SMEs to effectively secure their data at reasonable cost

Page 35: My PhD Research: part I

• On-line questionnaire. Questions based on:
  – (i) developing an information security policy
  – (ii) basing their IS policy on their own business processes
  – (iii) sharing knowledge of the IS policy across the workforce
  – (iv) planning the implementation of that policy through procedures to be adopted at an operational level

Page 36: My PhD Research: part I

• MPhil questions (continued)
  – (v) undergo risk assessment for 135 potential information security controls to identify priorities
  – (vi) putting selected controls in place to operationalise those procedures
  – (vii) claiming ISO27001 & PCI DSS compliance as a result of actions (i) to (v)
  – (viii) having the controls subsequently and regularly audited and becoming ISO27001 accredited

Page 37: Methodology

• Distributed to an otherwise random sample of West Midlands SMEs
  – anonymity assured
  – identified only by sector and no. of employees

• Dissemination of results initially to participants, and then publicly

• Detailed analysis of findings presented as MPhil report
  – provides the basis for further research papers
  – will be used to fine-tune the focus for the PhD study

Page 38: Likely PhD study: “Cost Effective Information Risk Management”

• Ultimate goal:
  – create a model for SMEs wishing to put an information security policy into operation on a limited budget

• Intermediate goal:
  – risk assessment tool to cover all 135 controls identified by ISO27001 so SMEs not put off and overburdened before they start…

Page 39: Risk Assessment Tool

• Intended specifically for SMEs
  – existing tools focus on larger organisations

• Will assess risk of each potential control breaking down by using two dimensions:
  – how likely?
  – how much will it cost if the control is leaky?

Page 40: Developing the model…

• Once principles of cost-effective risk assessment are understood

• Individual SMEs directed towards prioritising security controls to:
  – have most impact financially
  – ensure a reduction in the potential for data breaches

• Then a matter of choosing most cost-effective way of operationalising that control, so it can be easily audited as required
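The two-dimension scoring of pages 39 and 40 (how likely a control is to break down, and what it costs if it does) worked through as an added Python example; this is not the author's tool, and the control names, probabilities, costs and the £5,000 budget are constructed sample values.

```python
"""Two-dimension control risk scoring (added example, not the author's tool).
Page 39's dimensions: how likely a control is to break down ("leak") in a year,
and what that costs. Expected loss = likelihood x cost; page 40's prioritisation
then picks the controls that do most financially within page 38's limited budget.
All controls, probabilities, costs and the budget are constructed values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str             # hypothetical control label
    p_breakdown: float    # probability the control is leaky within a year (0..1)
    loss_if_leaky: float  # cost to the business if it breaks down (GBP)
    cost_to_fix: float    # cost of operationalising the control properly (GBP)

    def expected_loss(self) -> float:
        """Annualised risk the SME carries while this control is weak."""
        return self.p_breakdown * self.loss_if_leaky

    def loss_avoided_per_pound(self) -> float:
        """Financial impact of fixing this control, per pound spent."""
        return self.expected_loss() / self.cost_to_fix


def rank_controls(controls):
    """Order controls by expected loss, highest (most urgent) first."""
    return sorted(controls, key=lambda c: c.expected_loss(), reverse=True)


def choose_within_budget(controls, budget):
    """Greedy pick by loss avoided per pound; returns (chosen, total loss avoided)."""
    chosen, avoided, remaining = [], 0.0, budget
    for c in sorted(controls, key=lambda c: c.loss_avoided_per_pound(), reverse=True):
        if c.cost_to_fix <= remaining:
            chosen.append(c)
            remaining -= c.cost_to_fix
            avoided += c.expected_loss()
    return chosen, avoided


# Constructed sample for a hypothetical 20-person SME. The camera echoes
# page 28's list of typical failed investments and scores lowest here.
SAMPLE_CONTROLS = [
    Control("staff data-handling training", 0.40, 20_000, 1_500),
    Control("backup and restore testing", 0.25, 60_000, 4_000),
    Control("laptop disk encryption", 0.10, 50_000, 2_500),
    Control("CCTV in the server room", 0.02, 5_000, 3_000),
]

if __name__ == "__main__":
    print([c.name for c in rank_controls(SAMPLE_CONTROLS)])
    picked, saved = choose_within_budget(SAMPLE_CONTROLS, budget=5_000)
    print([c.name for c in picked], f"avoids GBP {saved:,.0f} for GBP 5,000 spent")
```

Note that the greedy pick skips the highest expected loss (backup testing) because it does not fit the remaining budget; a real tool would also want to flag such unaffordable high-risk controls rather than silently drop them.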

Page 41: A Matter of National Importance

• SMEs a major source of wealth for UK
• Increasingly function in a global market
• Evidence that (e.g.) Asian SMEs are powering ahead with safeguarding information security systems
  – will get fewer data breaches
  – will enhance reputation
  – will get more customers, at the expense of UK, European, and US small businesses

Page 42: Questions?