ICO publishes SME security guide with veiled warning

Shape up or risk fines

The Information Commissioner's Office (ICO) has published a security guide for UK SMEs that it hopes will serve as a veiled warning that the sector needs to sharpen up its data protection.

With fines of up to £500,000 possible, A Practical Guide to IT Security sets out the basics, from risk assessment and the need to layer security systems to explanations of the types of security that should be considered.

As well as describing the broad concepts that preoccupy security today - the need for patching, a decent firewall and encryption of personal data - the guide also warns SMEs not to take their eye off the IT contractors often tasked with looking after some of these complex processes.

"While we recognise that the biggest companies and organisations will have many of these strategies already in place and have spent a great deal of money on securing their IT systems, smaller enterprises often tell us that they would benefit from simple and clear advice specifically designed for them," said Information Commissioner, Christopher Graham.

"This guide aims to support these companies by providing a starting point and recommendations that cost little to adopt, but can significantly reduce the risks of a serious data loss and the reputational and financial damage that can result," he said.

An obvious problem with any guide stretching to only eight pages of summary points is that it risks being too basic for firms with some experience of security, yet too abstract for those looking for more specific technical direction.

"While this guide is certainly a great step in the right direction in helping companies of all sizes to protect their corporate information, the ICO needs to ensure that it keeps jargon to a minimum as it continues to educate the vast array of UK businesses and the intellectual property they possess," commented Ollie Hart of security vendor, Sophos.

"The key to SME security is to make policies and technologies as simple and accessible as possible, but this guidance feels like it's aimed at those who already have a considerable level of IT and security awareness."

But as the guide makes clear in a key paragraph, the debate has moved on from the technical worthiness of security policies and complicated hardware - retribution is now more than a possibility for companies that get careless with data.

"Since November 2010 the Information Commissioner's Office has had to serve civil monetary penalties totalling over £1.5 million on organisations that failed to take the necessary measures to keep people's information secure," said the ICO's Graham.

Certainly the ICO has been busy fining miscreants, but these have overwhelmingly been sizeable public sector organisations. A good example is the hefty £225,000 fine handed out earlier this week to the Belfast Health and Social Care (BHSC) Trust for failing to secure staff and patient records.

For now, the gulf between the ICO's well-meaning advice and the complex concerns of a diverse sector unaccustomed to oversight looks to be ominously wide.
