Information Security Standards for SMEs
Are the Information Security standards for small and medium-sized enterprises (SMEs) different from larger enterprises?
Similar to larger organizations, SMEs have embraced information and communication technology. The vast majority of SMEs today use some form of information technology and most have an online presence.
The study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, conducted by the Canadian Chamber of Commerce, found that Canadian businesses, consisting mostly of SMEs, use the internet for general searches (91%), customer relations (86%), marketing (85%), online banking (72%) and operational matters (68%).
The study showed that the internet solutions most Canadian businesses used are wireless services (82%), business internet – wired lines (63%) and cloud solutions (54%).
The world economy consists mostly of SMEs. An estimate by the Edinburgh Group suggested that more than 95% of enterprises around the world are SMEs. Science and Economic Development Canada estimated that the Canadian economy consists mostly of small businesses (95%), followed by medium-sized businesses (1.8%) and large businesses (0.3%). The Better Business Bureau (BBB), meanwhile, reported that small businesses make up more than 97% of all businesses in North America.
ICT as a Double-Edged Sword for SMEs
Positive impacts of being online cited by Canadian businesses in the “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology” study include acquiring new customers (87%), enhanced customer service (83%), time savings (72%), improved efficiency (70%) and improved productivity (68%).
According to Perrin Beatty, president and CEO of the Canadian Chamber of Commerce, nearly half of SMEs in Canada have been victims of a cyberattack. StaySafeOnline.org, a site maintained by the National Cyber Security Alliance, similarly reported that nearly half of all U.S. small businesses have been victims of cyberattacks and that 71% of security breaches target small businesses.
Despite being the dominant target of cyberattackers, SMEs commonly hold the perception that cyberattacks are mainly a threat to large enterprises. The Canadian Chamber of Commerce study showed that SMEs underestimate Information Security threats, with 64% indicating that they have no intention of investing in Information Security measures at this time.
Information Security Standards for SMEs under EU’s GDPR
May 25, 2018 is the enforcement date of the European Union (EU) law General Data Protection Regulation (GDPR). Although GDPR is an EU law, its coverage extends beyond the EU’s physical borders: the law also applies to organizations based outside the EU that act as a data controller (processing personal data of staff or customers based in the EU) or as a data processor (providing services to EU customers on behalf of another company).
Under GDPR, SMEs are expected to secure personal data – defined under GDPR as “any information relating to an identified or identifiable natural person” – of EU residents to the same extent as bigger and better-resourced enterprises. In particular, the law requires a risk-based approach to securing personal data: the higher the risk, the more rigorous the Information Security measures that must be undertaken.
“The GDPR provisions for a risk based approach is horizontal as there are no exemptions or lightweight approaches based on the organization size, availability of resources and capabilities,” the European Union Agency for Network and Information Security (ENISA) said in the whitepaper “Guidelines for SMEs on the security of personal data processing”.
Like large enterprises, SMEs therefore have to identify the level of risk to the personal data of EU residents, taking into consideration the nature, scope, type, volume and context of the data processing, and proactively implement security measures corresponding to the level of risk presented.
Article 32 of GDPR states:
“Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; (c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Organizations in breach of GDPR can be fined up to €20 million or 4% of annual global turnover, whichever is greater.
Information Security Standards for SMEs under Canada’s Digital Privacy Act
The Digital Privacy Act amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), by requiring businesses, regardless of size, to report data breaches. Failure to do so will subject an organization to a fine of up to $100,000. Canada’s Digital Privacy Act is not yet enforced, pending the official release of the law’s regulations.
Under PIPEDA, if your organization chooses to outsource personal data for processing to a cloud service provider, your organization remains accountable for protecting your customers’ personal information.
In the whitepaper “Cloud Computing for Small and Medium-Sized Enterprises”, the Office of the Privacy Commissioner of Canada said that “all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use and disclose even if they outsource personal information to a service provider that operates in the cloud.”
“The bottom line? If you are not comfortable with what a particular cloud provider is proposing, you should not transfer personal information entrusted to you by your customers to that provider,” the Office of the Privacy Commissioner of Canada said. “You should push back or take the time to shop around for a better solution.”
At GenX, we offer Information Security solutions that are compliant with local and international standards and regulations. Call us today at (416) 920-3000 to learn more and protect your data.