ISACA, formerly the Information Systems Audit and Control Association, has released two new guides to help small and midsized businesses (SMBs) determine their data security requirements and roll out a sound strategy. Titled Cybersecurity Guidance for Small and Medium-sized Enterprises and Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, the reports are available to purchase on the ISACA website for $35 for each for ISACA members or $60 each for non-members.
But why should small business owners listen to what the ISACA has to say?
The organization serves 140,000 security professionals in more than 180 countries. Apart from its educational and outreach programs, the company also administers some of the industry's most highly-regarded certifications. These include Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC).
Of course, between minding the shop and keeping an eye on the bottom line, many small business owners can't spare the time to become security experts. So taking its latest enterprise-class Control Objectives for Information and Related Technology (COBIT 5) framework, ISACA got to work and developed a set of tough-to-crack small business security standards along with advice on how to safeguard the systems and devices that process and store vital business information.
And small business data is worth protecting, according to Eddie Schwartz, president and COO of digital advertising security firm WhiteOps, international vice president of ISACA, and chair of the group's Cybersecurity Task Force.
Real Security Risks to Small Business
"The backbone of our economy is small and medium-sized business," Schwartz told Small Business Computing. "A lot of innovation and new ideas come from small companies," he said noting that startups and labs with a handful of researchers are advancing several industries, like biomedical devices.
"Their IP [intellectual property] would be very attractive for economically-driven companies" that have no problem with using illicit means to steal those innovations, Schwartz warned.
Robert E. Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies, echoed Schwartz's views in an official statement from ISACA. "Today, cybercrime and cyber warfare are not restricted to large enterprises—SMEs [small and medium-sized enterprises] are being targeted, as well. No enterprise is 100 percent secure."
Sadly, but somewhat understandably, small business security struggles to get attention in the face of major breaches affecting large corporations and even the U.S. government. "That entire area of economy has basically been dark in some respects for years," Schwartz said. They're just as vulnerable to "nation-state attacks [and] advanced criminal element attacks that we're facing today."
Despite lacking the IT security personnel and resources of large corporations, there are ways SMBs can fight back. Written specifically for SMBs, the two ISACA guides help businesses ascertain their security needs and come up with a plan that leaves them well-positioned to navigate a constantly shifting security landscape.
"Stakeholders need to understand that cybersecurity is a constantly evolving process—not an end result," said Stroud in a statement. "These guides are well-designed to help smaller organizations implement robust security strategies and governance."
A Secure Small Business Starts with an Informed Owner
At the very least, the guides will help business owners ensure that their IT security solutions providers can live up to their promises. "Challenge them to show that they can provide the competencies that you don't have," Schwartz advised. "An informed business owner will ask the right questions."
Schwartz also advises that SMBs take stock of their organizations' assets to get a handle on what requires protecting. It's not only PCs, servers and mobile devices that require attention, he noted. Accounting for "people and the knowledge people have, intellectual property and financial assets," goes a long way toward implementing an informed data security strategy.
"Understanding the threat landscape," is also critical to protecting small business data. Entrepreneurs toiling away at the next must-have tech or invention shouldn't underestimate the lengths some rivals will go to get their hands on innovative intellectual property.
Schwartz suggests small business owners ask themselves, "Who might be interested in this?" The answer will help guide their security decisions and put them in the proper, security-conscious frame of mind.
Pedro Hernandez is a contributing editor at Small Business Computing. Follow him on Twitter @ecoINSITE.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|