Risks and SMEs


Risk Management and Risk Assessment for SMEs scrutinized: how appropriate is the ENISA simplified security approach?

The EU Agency ENISA (European Network and Information Security Agency) has released a pilot study of its simplified Risk Management/Risk Assessment (RM/RA) approach for SMEs. The pilot study showed that, in principle, the approach is appropriate for raising awareness of the need to protect IT infrastructure, but that further customization of the approach is needed and that multiplier organisations must be involved more closely.

Security for SMEs is crucial for Europe’s economy, as they represent 99% of all enterprises in the EU and about 65 million jobs. Because SMEs need simple, flexible, efficient and cost-effective security solutions, ENISA produced a simplified RM/RA approach for them. The simplified approach is a ‘one-size-fits-all’ solution created for non-expert users and for small organisations with relatively simple IT components. The pilot study reported here has now validated this approach.

The pilot study had a threefold objective:

  1. Validate the content of the simplified approach,
  2. Evaluate the applicability of the proposed RM/RA approach, and
  3. Collect feedback and proposals for changes.

Three multiplier organizations from different business sectors were selected by ENISA to run the pilot, so as to reach as many SMEs and micro-enterprises as possible: GMV Soluciones Globales Internet (Spain), an outsourcer of information security services; IAAITC (UK), an accounting association; and the University of Bologna (Italy), representing public administration/education. Each multiplier brought in representative SMEs and micro-enterprises from its sector.

The following conclusions can be drawn from the pilot study:

  • The ENISA simplified RM/RA approach received a generally high level of appreciation from the roughly 15 micro-enterprises and SMEs involved in the pilot.
  • The ENISA simplified RM/RA approach led to an increased level of awareness on the fundamental role of Information Security Risk Assessment and Management. Companies involved in the project were more motivated to improve their information security management approaches.
  • It is unlikely that either SMEs or micro-enterprises could use the simplified RM/RA approach without at least initial external support.
  • Some simplifications/automated steps might be required to better target the audience of very small and micro enterprises.
  • The multipliers agreed on the need to introduce some customizations to the ENISA approach (e.g. sector-based and market-segment-based variants).
  • ENISA’s strategy to involve multiplier organizations in the pilot was accepted by all participants. A further involvement of such partners is necessary.

Among other uses, the study will serve as a road-map for future ENISA activities in the area of SMEs.

The Agency commented:

"We all know that the SMEs constitute the basis of Europe’s economy. Therefore the validation of a simplified risk management approach for these companies is crucial. With this approach, the necessary steps and appropriate measures for increased security can be taken."

Material

Case studies: