Industry 4.0, digitalization, and artificial intelligence: it's hard to imagine everyday working life without digital data flows. No matter how small or large your company is, which industry it belongs to, or whether it operates internationally or not, the topic of information security concerns everyone. Small and medium-sized enterprises (SMEs), in particular, should therefore see the revision of the international standard for information security management systems ISO 27001 from 2022 as an opportunity.

Information security for SMEs

Times have changed, and so have the cyber security requirements for SMEs. Many SMEs are growing rapidly and are often among the market leaders in their sectors. They therefore have a correspondingly high need to protect their know-how and business secrets, which are usually unique, and in principle all of their data and information, from unauthorized access.

Taking measures for this necessary protection can be a complex matter that requires a systematic approach.

However, due to their limited resources, SMEs rarely have the means for enterprise-grade information security, even when they are aware of the security risks across their IT and data landscape. The shortage of IT specialists and the high cost of operating their own Security Operations Center (SOC) are just two of the many obstacles that stand in the way of SMEs improving their cyber security.

This is all the more problematic as SMEs face increasing attacks from cyber criminals, not least due to the tense geopolitical situation and increasing supply chain attacks. The spectrum ranges from ransomware sent en masse to targeted professional attacks against individual companies. Attackers are also increasingly using cloud services as a vector, which SMEs (have to) use particularly often for cost and efficiency reasons.

A survey conducted by the German insurance company HDI Versicherungen in 2024 found that 53% of small and medium-sized companies have already been the target of a cyber attack. This figure does not reflect the full extent of the attacks, however, as it only captures incidents the surveyed companies were willing to disclose.

A company counts as an SME (small and medium-sized enterprise) if it has no more than 249 employees and either an annual turnover of no more than 50 million euros or an annual balance sheet total of no more than 43 million euros. This is the definition of the European Commission of 6 May 2003.

The HDI figure is consistent with the German "Gothaer SME Study 2024", according to which cybercrime represents the highest risk for 48% of SMEs. According to the study, 37% of small companies also expect the risk of falling victim to a cyber attack to increase further in the next twelve months. These figures do not even include the information security risks that do not originate from the network at all but are internal and mostly human in nature (for example negligence or misuse by employees), and that play a significant role in comprehensive information security.

ISO 27001 for small businesses

As the information security officer or data protection officer of a small or medium-sized company, you hardly have a choice these days: you have to ensure the security of sensitive data and information. This is not just a matter of IT security. Structural measures, organizational procedures and processes, and personnel requirements must also be taken into account, and the human factor plays a central role in information security.

The gold standard for systematic information security is the international standard ISO/IEC 27001. It provides an established audit basis and guidelines for implementing an information security management system (ISMS) for companies regardless of their organizational structure, orientation, or size. Annex A of the new ISO/IEC 27001:2022, which in its updated form addresses all aspects of information security, from organizational measures through people and physical measures to technical security measures, offers a good introduction for small companies.


ISO 27001:2022

44 user questions and expert answers

"The new one" for information security: Useful details on the revised ISO 27001 from users and standards experts:

  • What's the deal with the new controls?
  • What needs to be considered with regard to process orientation?
  • When should we switch to the new standard?
  • ... and much more


Improved IT security for SMEs thanks to new controls

The pragmatic nature of Annex A alone makes ISO 27001 a good choice for small companies. It comprises a total of 93 information security measures (controls), 11 of which were newly introduced in the last update in 2022.

The new controls focus primarily on the security of data and structures in the digital domain and thus offer valuable guidelines that can significantly improve information security for SMEs. Here is an overview of some of the new features and how small companies can benefit from them:

  • 5.7 Threat intelligence, 8.16 Activity monitoring, 8.23 Web filtering
    These controls for the detection, prevention, and timely recognition of cyber attacks can be of almost existential importance for SMEs in terms of security and business continuity management. Small companies are not only vulnerable to cybercrime due to their limited resources, but can also quickly reach the point of general insolvency in the event of ransomware.
  • 5.23 Information security for the use of cloud services
    As SMEs often use external cloud services, implementing suitable processes for acquiring, using, managing, and exiting cloud services is particularly relevant. The measure also takes into account the responsibilities between the cloud service provider and the cloud-using organization for appropriate cloud security.
  • 5.30 ICT readiness for business continuity
    Business continuity is also essential for small companies, which are often deeply integrated into supply chains, and it keeps financial losses to a minimum. The control "ICT readiness for business continuity" helps to establish an appropriate organizational structure for incidents and to create ICT continuity plans, including response and recovery procedures.
  • 8.9 Configuration management
    The high-performance and secure operation of modern IT landscapes depends to a large extent on the proper configuration of all systems, components, and applications involved. The good thing for the IT security of small companies: once a secure baseline has been defined, checking systems against it can largely be automated, generating hardly any additional personnel costs. Secure configuration management falls into the area of technological measures.
  • 8.10 Deletion of information, 8.11 Data masking, 8.12 Prevention of data leaks
    SMEs often create a niche for themselves in the market through their unique expertise. This special knowledge is the key to their success and is therefore worth protecting. The technical measures in information security help companies avoid unwanted data outflows and data loss and minimize the attack surface for hackers and industrial espionage.

The controls in Annex A of ISO 27001 are of great value to SMEs, especially in light of the EU's NIS2 directive on cyber security.

NIS2: Why SMEs need to strengthen their information security

The European Union published the new version of the Network and Information Security Directive (NIS) at the end of 2022. NIS2 places new information security requirements on companies in critical sectors and will also affect many SMEs with regard to the protection of data and IT structures.

According to the NIS2 directive, companies from the relevant sectors with at least 50 employees, or with more than 10 million euros in annual turnover and annual balance sheet total, must meet the requirements. SMEs are companies with up to 249 employees and a turnover of up to 50 million euros, so they are directly affected. It is also important to realize that even smaller companies may be indirectly affected by NIS2 via the supply chain, i.e. as suppliers to an affected company. In the national transposition, which was due by October 17, 2024, these thresholds can also be lowered further.

SMEs do not have much time left to prepare for the new requirements. The good news: with ISO 27001, small companies can take a big step in the right direction, as the standard already covers a large part (approx. 95%) of the NIS2 requirements.

Information security for SMEs - Conclusion

In light of current threat scenarios, small and medium-sized enterprises (SMEs), public administrations, and local authorities should also implement an information security management system in accordance with the internationally recognized ISO 27001 standard and consider certification. The advantage of an effective management system lies not only in the comprehensive and in-depth catalog of requirements, but also, and this is particularly interesting for SMEs, in the explicitly practice-oriented Annex A, which in the new 2022 edition lists 93 security measures (controls) grouped into four themes: organizational, people, physical, and technological.


Regarding information security for SMEs, not only has the need to implement and certify a fully-fledged ISMS in accordance with ISO 27001 increased, as NIS2 shows, but the organizational starting point has also changed fundamentally in many cases: today, many SMEs already have a certified quality management system in accordance with ISO 9001, so the foundations for an integrated management system together with ISO 27001 are already in place, saving time, personnel, and costs. ISO 27001 for small companies is therefore within reach.


In good hands with DQS

Our certification audits provide you with clarity. The holistic, neutral external view of people, processes, systems, and results shows how effective your management system is and how it is implemented and controlled. It is important to us that you perceive our audit not as an examination, but as an enrichment for your management system.

Our approach always begins where audit checklists end. We specifically ask "why" because we want to understand the reasons why you have chosen a particular way of implementation. We focus on the potential for improvement and encourage a change of perspective. This thorough approach ensures you'll identify actionable areas for continuous improvement in your management system.

Reading tip: Documented information

The speed with which information is distributed and processed is a major challenge in today's organizations. The diversity of information makes it increasingly difficult to identify the crucial information that is relevant to the organization and its management system.

At the same time, the use of modern means of communication to control documented information is giving rise to entirely new aspects. Availability, integrity, and confidentiality are therefore becoming increasingly important. However, as the degree of availability increases, information security decreases unless appropriate protective measures are taken.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions for our author about the content of this text or about our services, please contact us.

Author
André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.


Relevant articles and events


Lessons learned from ISO 27001 - a case study of ENTERBRAIN Software


Configuration management in information security


Cloud security with ISO 27001:2022