The Information Commissioner’s Office (ICO) has published a security guide for UK SMEs that it hopes will serve as a veiled warning that the sector needs to sharpen up its data protection.
With £500,000 fines possible, A Practical Guide to IT Security sets out the basics from risk assessment and the need to layer security systems to explanations of the types of security that should be considered.
As well as describing the broad concepts that preoccupy security today (the need for patching, a decent firewall and encryption of personal data), the guide also warns SMEs not to take their eye off the IT contractors often tasked with looking after some of these complex processes.
“While we recognise that the biggest companies and organisations will have many of these strategies already in place and have spent a great deal of money on securing their IT systems, smaller enterprises often tell us that they would benefit from simple and clear advice specifically designed for them,” said Information Commissioner, Christopher Graham.
“This guide aims to support these companies by providing a starting point and recommendations that cost little to adopt, but can significantly reduce the risks of a serious data loss and the reputational and financial damage that can result,” he said.
An obvious problem with any guide stretching only to eight pages of summary points is that it risks being either too basic for firms with some experience of security or too abstract for those looking for more specific technical direction.
“While this guide is certainly a great step in the right direction in helping companies of all sizes to protect their corporate information, the ICO needs to ensure that it keeps jargon to a minimum as it continues to educate the vast array of UK businesses and the intellectual property they possess,” commented Ollie Hart of security vendor, Sophos.
“The key to SME security is to make policies and technologies as simple and accessible as possible, but this guidance feels like it’s aimed at those who already have a considerable level of IT and security awareness.”
But as the guide makes clear in a key paragraph, the debate has moved on from the technical worthiness of security policies and the complicated hardware – retribution is now more than a possibility for companies that get careless with data.
“Since November 2010 the Information Commissioner’s Office has had to serve civil monetary penalties totalling over £1.5 million on organisations that failed to take the necessary measures to keep people's information secure,” said the ICO’s Graham.
Certainly the ICO has been busy fining miscreants, but these are overwhelmingly sizable public sector organisations. A good example would be the hefty £225,000 fine handed out earlier this week to the Belfast Health and Social Care (BHSC) Trust for failing to secure staff and patient records.
For now, the gulf between the ICO's well-meaning advice and the complex concerns of a diverse sector unaccustomed to oversight looks to be ominously wide.