Wednesday, December 12, 2007

Security and SME's

Dark Reading published an interesting article about information security in small and medium-sized enterprises.

In a study of some 455 companies ranging from one to 500 seats, eMedia found that 32 percent of small and medium-sized businesses (SMBs) have experienced some sort of security breach in the past year, and these breaches are changing the sector's viewpoint on security tools and products.
Source: http://www.darkreading.com/document.asp?doc_id=141124


Many security professionals often refer to terms like enterprise architecture, multi-layered controls, etc. The whole mind-set reflects a way of thinking that applies to large (multi-national) companies with hundreds, if not thousands, of employees. Yet, as Dark Reading points out, information security is something that is relevant on all levels. The relative importance of accidental disclosure or loss of data at a small company could have a much larger effect than it would have for a large organization.

Unfortunately, since SME's typically operate on smaller budgets, they are unable to hire full-time security staff, or even professional consulting. That is not necessarily a bad thing though; many people have pointed out that the dedicated profession of information security specialist will disappear with time, and security will become part of doing every-day business. While I do not share this opinion, it is an interesting observation.
The article closes with another quote:
"Computer users can be considered as the least predictable and controlled security vulnerability," said Andre Muscat, director of engineering at GFI Software. "In the majority of cases, a lack of education and an understanding of basic security principles and procedures are the main causes of security breaches, rather than malicious activity -- although the latter can never be ignored."

Technical measures can go a long way in preventing and in detecting security incidents, but as long as humans remain involved in processes, their ingenuity will find a way to circumvent controls and beat access control systems. And that is exactly why we will always need information security professionals; even though their focus might change.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.