When it comes to IT security, government agencies around the world are aware of the challenges and risks small and medium-sized enterprises (SMEs) face. So it only figures that they offer help, in the form of initiatives aimed specifically at SMEs. Germany has one of the most active administrations in this respect, as it finances or supports a whopping 21 initiatives.
And while the U.S. government would do well to follow Germany’s lead and further IT security by offering numerous assistance programs to SMEs, unfortunately, a recent study from management consultancy Detecon International shows that most U.S. initiatives are focused on admonitory finger-wagging rather than hands-on help with implementation. Yet, hands-on help is exactly the type of assistance that would have the biggest impact on raising the security level of SMEs.
Most German public initiatives prioritize awareness of the issue at the upper management level. However, only a small part of the surveyed initiatives – 35 percent – can be mapped to concrete measures within the Federal Office for Information Security (BSI) IT baseline protection catalogs. Furthermore, 36 of 56 assistance programs analyzed lack a concrete goal with achievable benchmarks for success. Instead, they focus on information security as a whole and therefore try to pursue many targets at once, with a scattershot, diluted effect.
Naturally, IT security has to be approached holistically. There is no use securing remote access for employees with a VPN when a company’s Wi-Fi network is open and therefore accessible from outside the enterprise. But because SMEs usually have only limited resources at their disposal, it is important to prioritize and focus on the specific areas that can have the greatest impact on their overall security.
First and foremost, glaring security leaks and problems have to be addressed and remedied. This requires planning, documenting, and implementing well-conceived processes as a first step, and, only then, putting technical measures in place. This kind of help could easily be granted in the form of consultations or telephone support.
When these initiatives fall short of their objective, it’s often because SMEs were not involved as knowledgeable partners in the design of the support programs. Not all SMEs have to play catch-up security-wise. There are quite a few companies with robust and, above all, practical IT security implementations in place. These are exactly the kind of SMEs that need to be involved in developing the initiatives because they know exactly what the problems are for their peer group.
Unlike in Germany, today in the U.S. there are no dedicated efforts to ramp up IT security for SMEs or tangible programs for providing help. Among the rare exceptions are initiatives that originate at the U.S. Small Business Administration (SBA), which supports SMEs through loans and consulting work and has brought the “Cybersecurity for Small Business” program to life. SMEs can attend a webcast that demonstrates the basics of IT security.
Closely related are workshops from the “Small Business Corner” initiative, which organizes four-hour workshops for SMEs all over the U.S. The agenda covers general IT security and threats as well as tools and techniques for circumventing attacks. Of course, these workshops are not customized for individual SMEs, but rather try to kick-start general awareness and provide education on how to patch the most blatant security blunders.
A much better approach is used by the German “Initiative S,” which offers participating SMEs money vouchers that can be used to pay IT security consultants who work out a detailed and tailor-made IT security plan. A similar program for U.S. businesses would generate positive network security results and perhaps help prevent the next big breach.