Being competitive means being secure

Friday, 12 January 2007

Companies of all sizes and in all sectors are benefiting from the competitive advantages offered by advanced technology.

Small and medium-sized enterprises in particular are becoming integral partners of larger companies in online supply chain operations through their ability to synchronise operating systems and share real-time data using the internet. However, gaining the benefits offered by technology can add up to nothing if it comes at the expense of a company’s security and the safety of key business data and commercial assets.

The ever-increasing sophistication and ability of organised criminals and individual hackers to use the internet for criminal activity has meant that increasing importance is being placed on the need to protect information and business data when online. As a result, larger firms are more likely to want to do business with SMEs that can demonstrate they have considered security issues and understand the need to protect partner data shared online. However, finding the right balance between being a competitive business partner and a secure, trusted partner can seem daunting to many SMEs. Information security technologies, strategies, policies and procedures can also appear too abstract for SMEs. That is, however, until disaster strikes.

This is why the CBI, in partnership with the Department of Trade and Industry and accountancy firm Ernst & Young, has produced Securing Business Value Online: a guide for SMEs in supply chains. The following is a summary of the key areas focused on by the guide that SMEs should address to ensure they, and their partners, are secure online. The sections below do not provide all the answers. Rather, they are aimed at raising understanding of the current threat environment and showing the simple steps that can be taken to reduce the chance of becoming a victim of a security attack.

Forewarned is forearmed: assessing the risks

Being aware of the threats, vulnerabilities and risks of operating online is the first line of defence and essential to formulating an effective security strategy. The most well-known external threat is probably the computer virus. Other well-known attacks involve unauthorised access to computer systems, commonly known as hacking. It is worth considering that, if an intruder does gain access to your system, files with titles such as ‘confidential’ are likely to attract the attention of those looking to steal critical information.

Companies are also facing increased risk of data theft, alteration of information assets and illicit use of company systems and networks. For example, firms that process and store financial and individuals’ personal data are increasingly at risk from collusion between staff and criminal gangs to gather and steal valuable information. Technological devices, such as PDAs or USB sticks that can be easily plugged into office computers, are increasingly being used by malicious employees to download sensitive data.

Threats of any type should never be looked at in isolation, but always as part of a risk assessment process. This involves identifying the assets that need to be protected and the systems that are critical to achieving business objectives and everyday tasks, as well as assessing the likely impact of an attack on your business. For example, a hacking attack may occur infrequently, but can still have a critical impact on a company. Therefore, a high level of security may be needed to protect computer systems from such an attack. The overloading of a company email system by spam, for example, may happen frequently, but the overall impact on business operations may be low.

Building a security strategy: risk management in action

Having assessed potential threats, it is important to create a security strategy that can develop with the needs of your business and the changing threat environment. A security strategy should take into account every system, network and technology device used and accessed by the business, its personnel and supply chain partners where appropriate. It is important to develop a strategy that incorporates your connections with supply chain partners and shares your policies and procedures with them. Developing and regularly reviewing security policies in collaboration with supply chain partners can help to build trust, which, as in all relationships, is essential to building a good partnership.

Part of developing and deploying an effective security strategy is having clear policies in place for technology usage and educating employees on security threats and online dangers. Your employees may be your greatest asset, but they may also be your weakest link as far as information security is concerned. For example, employees often take laptops home where they connect to the internet. This is one of the most common ways in which viruses are introduced into the work environment.

Assessing your security strategy: requirements and responsibilities

An effective security strategy must take into account not only changes to internal and external business practices, but also the need to comply with a range of legislation, regulation and standards. These may include the Data Protection Act, Privacy and Electronic Communications Regulations 2003 and ISO/IEC 27001 (BS7799).

The intention of such rules is to ensure that businesses put in place effective mechanisms for the management of company information (personal, financial and operational) and partners’ data. Regularly assessing, reviewing and auditing the effectiveness of your company’s security strategy, procedures and systems against such rules can demonstrate to partners that your company takes security seriously and is meeting its legal and regulatory requirements to comply with standards.

Technological solutions: optimising online investment

Software and hardware are vital to enhance the level of security in your organisation. However, it can be difficult for SMEs to justify investment in such technologies while security is still viewed as a cost, rather than a business enabler. While cost remains a factor in the choice of systems, remember that information security boosts your company’s ability to compete in a global marketplace and to offer high-quality, value-added services to customers.

Some of the technological solutions currently available include firewalls, intrusion detection systems, cryptography and software patches. However, technology does not hold all the answers.

Technological solutions introduced should be appropriate to how the business operates on and offline. For example, not all company information or systems will need the same level of security. An appropriate security strategy needs to balance the cost of investment in technology against the value of business activity and data. It is also important to conduct regular reviews and assessments to ensure the technology remains effective for the needs of the business.

Response and recovery: who are you going to call?

Assessing and absorbing the costs of damage inflicted by a security attack is a painful process, and bearing exorbitant response and recovery costs due to inadequate preparation just adds insult to injury. However, a well-planned and proactive incident response programme can set in motion recovery processes that allow staff to return to their day-to-day work quickly and business operations with supply chain partners to function normally.  

If an incident that affects your ability to deliver goods or services does occur, it is better to tell supply chain partners and customers as soon as possible. They will probably prefer to be informed up front, rather than face communication problems or a late or cancelled delivery. Other external people and organisations that might need to be contacted may include the police, insurance companies, lawyers and main customers. Good communication with staff is also essential; it is important they know the situation and feel they are being considered.

Following any security incident, it is vital to review security strategies to ensure policies and technologies remain effective following an attack and to determine where further action may be needed to prevent similar action occurring in future.    

For SMEs trading online, information security should not be seen as an inhibitor to growth or an additional cost, but rather as a business enabler. By investing in appropriate technological solutions and implementing security strategies, SMEs are able to promote themselves to potential partners and customers as trusted business partners that understand and recognise the importance of being secure online.

Security should also not be seen as a one-off task. It is an ongoing challenge and requires businesses to regularly assess the effectiveness of their security measures and adapt them as the threat environment evolves.

SMEs that understand and are prepared for online attacks will have a key business advantage: they will be able to benefit fully from new business and market opportunities, and stand out from less quality-conscious, insecure competitors as trustworthy, higher value and competitive business partners online.
