We’ve talked about the Information Commissioner’s Office (ICO) several times here, most recently in Encrypt Before the Law Smacks It On. We talk about the ICO because it is one of the few governmental agencies, anywhere in the world, that has real legal powers to ensure that organizations keep private data secure. Knowing the quality of work that the ICO has created, it is intriguing to see their latest project. The ICO is soliciting bids for a project to research and produce a report on the availability of advice on information security for small/medium sized businesses (SMBs).
The ICO says that “The aim of the project is to establish whether there is appropriate advice available on keeping personal information secure for small to medium sized organisations.” They want to understand what authoritative advice is available and how this information can best be made accessible to these small organizations.
Government Report on Security for SMB Organisations
On the one hand, you have to wonder if the world needs another government report. But on the other hand, I think back to the number of small and medium sized businesses that have been featured within the electronic walls of this blog alone. When you read through the ICO enforcement page you will spot some large businesses like UPS – but there are many small businesses, like a sole medical practitioner, or small government agencies that have fallen prey to unsecured and unencrypted data.
A great deal of the ICO’s enforcement efforts concern the loss of personal data – most often on media that is not appropriately encrypted. In theory, large organisations, whether in the public or private sector, should have the resources to enable them to either maintain an ‘in-house’ security capacity or to obtain support from those with specialist security expertise.
What is much less clear is whether there is sufficient advice and resources available for smaller organisations. While the organizations themselves might be smaller, some of them will hold vast repositories of personal information – on par with or greater than those of a large organization. But it is the rare small organization that has the resources to either retain ‘in-house’ specialists or pay for the support of security consultants.
Just because you are small, it does not mean your database is small!
While we are months away from this report, indeed we are at least a month away just from the selection of the organization to handle this study, we can only hope that this study will highlight the value that security via software-as-a-service (SaaS) brings to the table.
Many large organizations select SaaS tools like Alertsec to ensure the security of their hard drives, making a selection that is highly cost-efficient. However, if services like Alertsec did not exist, these large businesses would find other ways (albeit more expensive ways) to address the security issues. SMBs often have a different challenge in that they have little to no budget for critical security projects. They might, and often do, think that they have no options. Only when they see the cost of ownership data do they realize that security and encryption are indeed possible in their small and underfunded world.
Software as a Service fits SMB
Hopefully, when the report with “advice on security for small/medium sized organisations” comes out in 2010, it will recognize the considerable options and benefits that SaaS provides for small and medium sized organizations.

With some of the most stringent reporting requirements regarding data breaches, the tiny state of New Hampshire (population 1.3 million) in the northeastern United States is turning into the place to go to learn about data breaches. The latest 
