Laying the Foundation Stones for IT Security

First of all a general question. Why is there a lack of IT security in small and midsize companies?

There are several reasons for this. It is still the case today that security is too often seen as a technological issue and then only tends to be considered in terms of investment costs in IT systems. The view that employees and management activities can help considerably to improve IT security is not yet reality everywhere.

What’s more, SMBs do not see themselves as being organizations that are in any way under threat. The mere fact that viruses make no distinction between large and small companies indicates that SMBs are also at risk and must therefore take action. This, for example, encompasses fully elaborated and binding rules that establish a documented form of regulation. This does not just apply to technical matters but also issues such as how to handle business-critical documents or regulate visitor access. Companies that have recognized this are really making an effort where their own IT security is concerned.

What was the motivation for publishing a Best Practice manual about IT security in small and midsize businesses?

I will have to go back a bit here. The benefits of IT security guidelines only become obvious if they have also been formally recorded in writing. This makes them binding and establishes defined responsibilities. Having said that, however, this is often a difficult task particularly for smaller SMBs. This is exactly what we experienced at the Security Forum of the Security research group in the Hamburg Chamber of Commerce last year. In the course of the discussions, the participants called for tools to be made available to help small and midsize businesses in particular implement IT security measures. A number of the participants mentioned that existing publications such as the Basic Protection Manual of the BSI (Bundesamt für Sicherheit in der Informationstechnik – Federal Office for Information Technology Security) were unwieldy and lacked transparency. We saw this as a challenge and took it upon ourselves to create a clear and easy to understand set of guidelines tailored to the needs of SMBs. To be honest, this was not always easy but at the end of the day, the result has proven that our efforts were worthwhile.

What are the concepts behind the manual?

The target group is decision-makers at SMBs. It is not the purpose of the manual to provide a full description of all the necessary and possible security issues. Rather, its role is to highlight the key issues, which in the opinion of the members of our research group are necessary but which often have still not been implemented in practice. The manual does not go into all issues in great depth, but rather focuses on those areas that must be addressed most urgently. Our aim was to encourage SMBs that employ between 10 and 100 people to develop a comprehensive understanding of IT security. That is why the topic is also divided up into the three levels: management, personnel, and technology. Fundamental concepts are explained and the legal aspects of the issue are also expounded. Many managing directors or owners of incorporated enterprises, for example, are not at all aware that they will be liable if there is no virus protection provision in their companies and this fact harms customers or business partners or results in losses for lenders and investors.

IT security manuals do in fact already exist, such as the ones published by BITKOM or by the Federal Office for IT Security (BSI). So what distinguishes the manual published by the IT Security research group from these ones?

Most manuals are written for people who already know what they are doing or who really want to be very intensively involved with IT security issues. But the decision-makers, for whom IT security is just one of many issues they have to deal with in their day-to-day activities, want brief, concise instructions without extra unnecessary information.

Have you had any response yet from SMBs to the manual?

The feedback has been much more positive than we expected because when it comes to improving their IT security measures, SMBs find the manual helpful and it provides them with relevant solutions. We appear to have bridged a shortfall in communication between the security experts and the actual decision-makers in the SMBs. The first printed version is already out of stock. That is why the manual can currently only be downloaded from the Internet.

The manual has been quite deliberately created as an open concept that is to be extended on an ongoing basis. Do you have any thoughts or plans at the moment as to what other topics should be included?

This version (1.0) is the result of several brainstorming sessions involving members of the research group and is influenced heavily by their experiences. In version 2.0, which we want to publish next year, we will integrate feedback from users to gain a deeper appreciation of the requirements of SMBs and to be able to address their specific IT security problems in even more detail. We would welcome any comments or feedback (send e-mail to ). This feedback will be incorporated in our manual, thereby ensuring that the relevant issues are developed on an ongoing basis, since IT security is an area that also requires SMBs to plan and think ahead. And as far as this is concerned, if companies do not lay the building blocks in good time, they will pay the price at some point or another.

Dr. Andreas Schaffry