Technology trends come and go, but when it comes to information security threats, we sit up and take notice. No organisation, regardless of size, wants to be the focus of the next major security breach headline, and current economic pressures mean that no one can afford to be complacent about potential lost revenues or clean-up costs.
Yet, while large enterprises and public sector organisations go to extraordinary lengths to protect their networks, confidential data and fiercely guarded reputations with sizeable budgets and dedicated security and risk professionals, small and medium-sized enterprises (SMEs) are struggling to keep up with the big boys.
SME attitudes to security and data integrity have changed radically over recent years: security has become a much higher priority, and budgets are ring-fenced to deal with the unexpected. But for many, major cyber attacks are still ‘just for enterprises’. For midsize companies in particular, this is a dangerous mistake. There is real cause for concern as mid-market firms become increasingly exposed to sophisticated attacks by professional cybercriminals, who are lured by weaker defences and relatively inexperienced IT departments.
In the latest Information Security Forum (ISF) Threat Horizon report, cybercrime tops the list of threat predictions, reflecting a significant shift from amateur would-be hackers to organised international criminal syndicates. Indiscriminate attacks are being replaced by highly targeted, planned campaigns that use clever techniques like social engineering and crimeware designed to steal identities and information for fraudulent purposes.
The report also highlights a number of other challenges for businesses, including weaknesses in IT infrastructure, a tougher statutory environment, outsourcing and offshoring, and the erosion of the network boundary. Mobile malware, Web 2.0 vulnerabilities, espionage, insecure user-driven developments and a blurring of the boundaries between work and personal life make up the remainder of the Top 10.
Early adopter risks and challenges
This list is particularly worrying for small and medium-sized enterprises, which, in a bid to gain competitive advantage, are keen to adopt new technologies first, including cloud-based services, mobile applications and Web 2.0 technologies.
Take cloud computing, for example, which is expected to dominate the IT landscape over the next decade. It offers smaller firms the kind of enterprise-level sophistication and state-of-the-art IT services they could previously only dream about, without the burden of upfront implementation costs or huge capital expenditure. But placing mission-critical data in the cloud means you also place trust in a third party to store (and protect) that information and to provide services that are core to your business.
So, how does a company with a modest IT department and/or security team and almost certainly no risk professionals on board cope with the challenges?
Third-party security is important, as a typical midsize business will deal with a number of service providers and partners across industry and geographical boundaries over its lifetime. This means different requirements, adherence to multiple standards and varied levels of maturity and sophistication in managing information security in the business relationship. Identifying and validating security arrangements even for a single third party requires time and effort, but multiply this several times and it becomes a major undertaking for any security professional.
Smaller companies are also under increasing pressure to meet strict levels of information security and risk analysis if they are providing products and services to much larger enterprise customers, who themselves are under pressure to meet governance and risk guidelines, and various forms of compliance.
Sharing the burden
It is demanding even for the largest organisations to build the level of understanding and skills needed to stay ahead of the very latest security challenges and risks and to implement best practice, let alone for smaller, high-growth ones.
What we are seeing, however, is a positive trend among all businesses to share and harness their security knowledge and experience for the benefit of all — and a real thirst especially among midsize companies to learn from the experiences of more established peers.
Bodies like the ISF offer collective knowledge and an environment in which SMEs get access to the same world-leading research, benchmarking tools and methodologies, as well as dedicated healthcheck tools and best practice guidelines, to help them reduce their security risks.
For midsize businesses, return on information security investment can be difficult to measure, and security is often sold to them on fear, uncertainty and doubt by vendors keen to profit from this potentially lucrative market. What is clear, though, is that failing to rise to the security challenge is no longer an option, and understanding how larger businesses have tackled security challenges in the past will provide a wealth of knowledge and best practice for the future.
About the Information Security Forum
The ISF is an independent, not-for-profit organisation that supplies authoritative opinion and guidance on all aspects of information security. By harnessing its world-renowned expertise and collective knowledge and experience of its 300 members, the ISF delivers practical solutions to overcome wide-ranging security challenges impacting business information today.
As an ISF SME Member, any employee involved in IT security, risk management or audit has unlimited access to over 400 authoritative reports, along with powerful web-based security healthcheck, benchmarking and risk management solutions.