If you run a small or medium-sized enterprise, then you’re probably up to your eyes in government red tape and legal and regulatory obligations, and that’s before you start to actually run and operate your business in order to make a living.
A key component in the smooth running of your business is information. That information may take on many forms – customer or supplier details, financial data or secret recipes for the perfect carrot cake – whatever it is, it is vital to your organisation. As such you need to make sure it is protected, kept from your competitors, guarded against public disclosure and available as and when you need it.
This is why good information security management and practices are as important to you as they are to the ‘big boys’. The major banks and corporations employ dedicated staff to manage their information security risks. You probably don’t have that luxury, but you still need someone to take responsibility for information security.
At this point, many SME managers and business owners claim they don’t have the time for information security, they don’t have the resources, it isn’t important to them, or they can’t afford it. After all, you’re only a small business, your IT people take care of that side of things, and you’re not at risk.
The information and data you use on a daily basis is the lifeblood of your business. Can you imagine if you had none of it? If one day you turned up at the office and all of your paperwork was blank? All of your computers had been wiped? Where would that leave you?
But it isn’t just the total loss of information that is of concern in the modern world. Criminals, including the so-called ‘cyber’ criminals, want your information and my information. They want personal and financial details from as many people as they can for a variety of reasons, including identity theft. Even corporate data is now a target for the unscrupulous members of society.
So how would your company survive, particularly in the current economic climate, if it was discovered that your customers’ bank accounts were being drained, that identity thieves had access to personal data that could only have come from your business?
Apart from the obvious, potentially fatal, legal and regulatory fines, a well-publicised incident of this nature would have a disastrous effect on your brand and business reputation. Even accidental disclosure of sensitive personal information is jumped on by the press, and that is without any direct criminal involvement.
If you hold personal information relating to living individuals, you fall under the jurisdiction of the Data Protection Act (DPA); if you handle financial information for individuals or other businesses, you are very likely regulated by the Financial Services Authority (FSA); and if you handle credit and debit card payments, you will almost certainly have to comply with the Payment Card Industry Data Security Standards (PCI-DSS). All of these mean you must adhere to minimum standards for information security for regulatory and/or legal reasons.
At the end of the day, information security is as important to SME businesses as it is to anyone, so the question isn’t really “why do you need to worry about information security?” but “can you afford NOT to worry about information security?”