Risk Management and Risk Assessment for SMEs scrutinized- how appropriate is the ENISA simplified security approach?
Security for SMEs is crucial for Europe's economy, as they represent 99% of all enterprises in the EU and ca 65 Mn jobs. As SMEs need simple, flexible, efficient and cost-effective security solutions, ENISA produced a simplified RM/RA approach for SMEs. The simplified approach is a 'one-size-fits-all' solution created for non-expert users and for small organisations with relatively simple IT-components. This approach has now been validated in this report.
The pilot study had a threefold objective:
(1) Validate the content of the simplified approach,
(2) Evaluate the applicability of the proposed RM/RA approach, and,
(3) Collect feedback and proposal for changes.
Three multiplier organizations from different business sectors were selected by ENISA to validate the pilot, as to reach out to as many SMEs/micro-enterprises as possible; GMV Soluciones Globales Internet (Spain), Outsourcer of Information Security Services, IAAITC (UK), Accounting association, and University of Bologna (Italy), public administration/education. Each multiplier brought in representative SMEs/micro-enterprises from their sector.
The following conclusions can be drawn from the pilot study:
- The ENISA simplified RA/RM approach received a generally high level of appreciation from the ca 15 MEs and SMEs involved in the pilot.
- The ENISA simplified RM/RA approach led to an increased level of awareness on the fundamental role of Information Security Risk Assessment and Management. Companies involved in the project were more motivated to improve their information security management approaches.
- It is unlikely that both SMEs and micro-enterprises could use the RM/RA simplified approach without at least initial, external support.
- Some simplifications/automated steps might be required to better target the audience of very small and micro enterprises.
- The multipliers agreed on the need to introduce some customizations to the ENISA approach (e.g. sector-based and market-segment-based etc.).
- ENISA's strategy to involve multiplier organizations in the pilot was accepted by all participants. A further involvement of such partners is necessary.
The study will e.g., serve as a road-map for future ENISA activities in the area of SMEs.
The Executive Director of ENISA, Mr Andrea Pirotti comments: "We all know that the SMEs constitute the basis of Europe's economy. Therefore the validation of a simplified risk management approach for these companies is crucial. With this approach, the necessary steps and appropriate measures for increased security can be taken."
For full report: http://enisa.europa.eu/...
Background: This study is a validation of the ENISA deliverable "Information Package for SMEs" (see "ENISA Deliverable: Risk Management- Information Package for SMEs").
ENISA - European Network and Information Security Agency
The European Network and Information Security Agency (ENISA) is an agency of the European Union. ENISA was created in 2004 by EU Regulation No 460/2004 and is fully operational since September 1st, 2005. It has its seat in Heraklion, Crete (Greece).
The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.
ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future Community legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.