Small companies and security.

I was asked recently how a small company (say fewer than five employees) could ensure that those it uses to provide digital services (such as cloud storage, website hosting and email) are appropriately secure.  It is an interesting question, and the answer is not too complex.

Clearly larger companies looking for suppliers will do their "due diligence" bit and will carry out checks on their potential suppliers, both logical (perhaps even penetration testing) and physical (visiting the premises and checking that an outsider cannot simply walk in).  Small and micro companies do not have the resources, or probably the skills, to do that, so they have to rely on something else.

Doubtless some larger suppliers will point to their ISO27001:2013 certification, and this is certainly a good start, although by no means a bomb-proof assurance of security (see my earlier posting on this topic https://aquila-business-services.ltd.uk/security-and-assurance/).  But if the supplier is a smaller concern, perhaps a local company offering hosting facilities and services, then that certification will be too much of an investment, at least in effort, not to mention the cash required.  Cyber Essentials, the scheme set up by the UK Government, is an excellent alternative.  It covers five basic technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management), and at the basic level it is a self-assessed questionnaire reviewed by a certification body.

If I were looking for a good supplier, large or small, and they couldn't be bothered to get even this most basic of security certifications (the basic check costs no more than £300 + VAT from APMG International https://apmg-international.com/product/cyber-essentials), then I would question their approach to security. Other certification bodies are available!

If they had passed the basic certification and I were looking for a more extensive service from them, then I would expect them to be Cyber Essentials Plus certified, which would give me some firm evidence that they are taking security seriously.  At the Plus level the same controls are verified by an independent assessor rather than self-assessed, including an external vulnerability scan of the supplier's internet-facing systems, and that would provide me with a significant measure of assurance, albeit with the shortcomings described in my earlier post.  One practical check: certification is valid for twelve months, so ask for the certificate and confirm its date rather than taking a logo on a website at face value.  It would, in my view, also provide some evidence to a regulator should the worst happen and I were breached, with an ensuing investigation.  The fact that I had required my supplier to have CE+ would, I think, at least provide a little mitigation.  It might even put the supplier in the spotlight for fines and further action if the critical four letters of GDPR came into play!

About Author: Andy Taylor