It is easy to assume that an information security breach will not happen to you - half of all businesses think the same way. But as David Reed finds out, putting appropriate security measures in place need not be onerous if you adopt the DMA DataSeal.
How ready is your organisation to deal with a threat to its information security? If your answer was, “what threat?”, then you should be worried. But you would not be alone in your response. Half of all small and medium-sized businesses do not consider themselves an attack target, according to the Symantec State of Security 2011 report covering 2,000 SMEs.
This is despite the realisation that internal IT incidents, either by a well-meaning staff member or a more deliberate attack, are the second and third most significant risks to information security. Among those companies who have woken up to the potential risks, four out of ten are growing their security budgets (and manpower).
Investing in new technologies and staff is only part of the solution, however. To become better prepared to defend data or recover from an attack, organisations need the right information security processes in place. To understand what those processes should look like, it is a good idea to adopt an industry-standard framework as a guide.
ISO 27001 is the gold standard in terms of information security procedures and is widely adopted and recognised. Indeed, many organisations now insist on any partner handling data on their behalf having this level of accreditation. This standard is far-ranging in what it includes and this can make it harder for a SME to achieve - there may not be a human resources function to involve, for example, although this is one of the dimensions of the standard that gets audited. This public standard is also very focused on IT, rather than data management, and it proposes a framework for managing risk, rather than specific controls for dealing with it.
Achieving ISO 27001 does put a business onto the same footing as a wide range of often much larger and global companies, which may be an important factor in choosing it. There may be cost implications to consider, however. In a survey carried out by Certification Europe among companies who had undertaken ISO 27001, SMEs reported that it took a team of three to four individuals working for between six to 12 months on average to achieve the standard. The cost of this process was between £3,000 and £11,000 and it took 35 to 60 man days to complete.
As well as internal resources, this public standard nearly always requires the use of external consultancy to identify, plan and prepare to become compliant. This may be appropriate and acceptable to a company if it is competing against larger suppliers, but it can be a burden for mid-sized organisations and especially smaller ones.
DMA DataSeal is an alternative path which SMEs might choose to follow as it has been specifically developed to meet the needs of the mid-market, while still offering the rigour of a full standard. Indeed, developed as a partnership between the DMA and BSi, it represents a milestone towards full ISO 27001 accreditation at a later date should the company wish to pursue it.
DataSeal was developed as a private standard to meet a specific industry needs and reflect the exact nature of the data industry and its working methods. It involves an external audit and provides an external benchmark of compliance. The costs and challenges involved in achieving this private standard are usually considerably less than for ISO 27001.
The standard is best tackled using a small in-house team, but can typically be achieved in a three to six-month period (depending on the level of information security at the outset). An external consultant can help the business to help prepare for the final audit, but this is not always necessary - where it has been used, most companies can gain the support they need with just a handful of days’ consultancy.
Experience from multiple DataSeal audits has revealed some key areas in which organisations often need to make improvements in order to achieve certification. “Most companies struggle with risk assessment,” says Peter Galdies, director of DQM Group. Companies need to demonstrate a consistent and flexible framework for understanding risk factors. This need not be complicated - the DMA has an assessment tool to guide companies - but higher risk factors will need more sophisticated assessment. The key thing is to be able to demonstrate how risks have been looked at and then dealt with.
Similarly, the company should be able to track where any data it is handling is within the organisation. This is especially important when client data is involved, even if the tracking system is a straightforward job numbering process. “Often, companies don’t record what the data is and where it is,” warns Galdies.
Other challenges including policies around data retention and deletion and general documentation. “It is not unusual not to have a security policy or to have one and not know where it is kept,” says Galdies. Updating cycles and proof of staff awareness are also critical. “Personal best practice is not enough - you can’t just trust people to do what is right. They need training and support,” he says.
The purpose of the DMA DataSeal is to guide companies towards having these components in place so they do not get caught out by a challenge to their information security. Auditing these processes annually ensures that changes do not get overlooked and also proves to external parties a real commitment to keeping data to the appropriate standard.