Although SMEs have smaller budgets to address cybersecurity concerns, that does not mean they cannot create an actionable security framework. Sam Peters, Chief Product Officer, ISMS.online, explains why a clear and comprehensive information security policy is a must-have for SMEs and recommends five steps for a roadmap to a more robust policy.
Businesses of all sizes face risks from cybercriminals, and many face regulatory responsibilities. Small and medium-sized enterprises (SMEs), by their nature, have fewer resources to allocate to addressing these considerations.
Empowering people with the knowledge and tools they need to keep the organisation safe is the key to successful cybersecurity for SMEs, and it all starts with a clear, comprehensive information security policy.
An information security, or infosec, policy ensures that everyone in the business knows what they need to do to contribute to the organisation’s security, comply with regulation and keep data safe.
What makes an effective infosec policy?
If an SME has an infosec policy to begin with (most won’t!), there’s a good chance that it’s complex, rarely referenced and treated as a box-ticking exercise. It may have been drafted by a legal or tech professional, and staff may not even know where to find it. If the document is unapproachable, employees may conclude that it’s over their heads and ignore the policy altogether or come up with ways to circumvent it.
A successful policy should be something that employees continuously refer to rather than a box-ticking exercise. Technical specifics are important, but the policy should also be written in plain English so that everybody at every level of the organisation – and with any technological skill level – can understand how it applies to them.
Creating a clear, accessible infosec policy sets the tone for an SME’s culture, values and expectations. It must also be comprehensive: it needs to cover all areas of the business and explicitly state what is expected, what is forbidden and who is responsible for various data and security considerations.
A successful policy, if adhered to, will create actionable security frameworks within the organisation. It will ensure that data stored and handled by the SME remains confidential and accessible. The policy also reduces the risk and potential damage associated with a cyberattack and keeps the business in compliance with requirements such as ISO 27001 and the EU GDPR.
It’s also important to remember that there are other stakeholders besides the SME and its employees. Customers, partners and auditors, among others, often ask for assurance of an organisation’s security posture to limit their own exposure. Businesses that cannot provide this assurance will ultimately have worse relationships and potentially lose sales, while those with a clear policy will have a competitive advantage.
Creating a robust infosec policy
Whether an SME already has an infosec policy that it’s looking to build upon or starting from scratch, these five steps offer a roadmap to a more robust policy.
- Outline
An organisation’s infosec policy is a means to an end, not an end in itself. Clearly identifying that end goal and maintaining it as a consideration in every subsequent step ensures that the policy is focused and fit for purpose.
A great way to get an idea of appropriate objectives is to assess the risk landscape. What are the company’s vulnerabilities (including those arising from the supply chain) and regulatory requirements, and how much damage could incidents of different magnitudes cause – from a data breach to a total system outage? Once these are identified, decision-makers should rank them according to the business’s risk appetite.
- Purpose
With an understanding of the risks and requirements in hand, decision-makers can begin crafting the policy document. Fortunately, they don’t need to start from scratch – frameworks such as the ISO/IEC 27001 standard offer a clear set of requirements and ensure that a business has considered all aspects of its security policy.
- Scope
The next step is to identify who is responsible for what. This step is also a chance to increase buy-in. An imposed, top-down policy may be met with resistance, and it may not be designed with the realities of the business in mind. Conversely, a co-created policy spreads a broad sense of ownership and responsibility.
- Compliance
Even the best policy can’t carry itself out, and ensuring that it becomes part of the business’s operations is a challenge. This is especially true for SMEs, where there is no C-suite head of cybersecurity to manage enforcement. Having a clearly written, specific policy will pay dividends here.
The best approach is to ensure that everyone in the business is regularly reminded of the content of the policy and the expectations for their role, for example through regular training sessions. Line managers should also keep an eye on employees’ behaviour and set them straight if they stray from the policy.
- Management
Business, regulation and cyberthreats are constantly shifting, so an infosec policy can’t be a static document. To address this, the document itself can include a mention of how often it should be reviewed and updated. SMEs may also benefit from an information security management system (ISMS) – a central hub for conducting, maintaining and updating infosec policies.
Think ahead
Many businesses only realise the vital importance of a solid infosec policy after something has gone wrong. This doesn’t have to be the case! It doesn’t take long or require an unattainable level of expertise to create an effective infosec policy for an SME; it just takes foresight.
Organisations that maintain a clear, current policy will have a significant business advantage in terms of security, employee experience and customer trust.