The EU Agency ENISA [European Network and Information Security Agency] has released a pilot study of its simplified security approach for SMEs in Risk Management/Risk Assessment (RM/RA). The pilot study showed that in principal, the approach was appropriate for raising awareness for the protection of IT-infrastructure, but that further customization of the approach is needed and that further involvement of multiplier organisations is necessary.
Security for SMEs is crucial for Europe’s economy, as they represent 99% of all enterprises in the EU and ca 65 Mn jobs. As SMEs need simple, flexible, efficient and cost-effective security solutions, ENISA produced a simplified RM/RA approach for SMEs. The simplified approach is a ‘one-size-fits-all’ solution created for non-expert users and for small organisations with relatively simple IT-components. This approach has now been validated in this report.
The pilot study had a threefold objective:
(1) Validate the content of the simplified approach,
(2) Evaluate the applicability of the proposed RM/RA approach, and,
(3) Collect feedback and proposal for changes.
Three multiplier organizations from different business sectors were selected by ENISA to validate the pilot, as to reach out to as many SMEs/micro-enterprises as possible; GMV Soluciones Globales Internet (Spain), Outsourcer of Information Security Services, IAAITC (UK), Accounting association, and University of Bologna (Italy), public administration/education. Each multiplier brought in representative SMEs/micro-enterprises from their sector.
The following conclusions can be drawn from the pilot study:
- The ENISA simplified RA/RM approach received a generally high level of appreciation from the ca 15 MEs and SMEs involved in the pilot.
- The ENISA simplified RM/RA approach led to an increased level of awareness on the fundamental role of Information Security Risk Assessment and Management. Companies involved in the project were more motivated to improve their information security management approaches.
- It is unlikely that both SMEs and micro-enterprises could use the RM/RA simplified approach without at least initial, external support.
- Some simplifications/automated steps might be required to better target the audience of very small and micro enterprises.
- The multipliers agreed on the need to introduce some customizations to the ENISA approach (e.g. sector-based and market-segment-based etc.).
- ENISA’s strategy to involve multiplier organizations in the pilot was accepted by all participants. A further involvement of such partners is necessary.
The study will e.g., serve as a road-map for future ENISA activities in the area of SMEs.
This study is a validation of the ENISA deliverable “Information Package for SMEs".