Annette Hillebrand, Franz Büllingen, Olaf Dickoph, Carsten Klinge
Informations- und Telekommunikationssicherheit in kleinen und mittleren Unternehmen
Nr. 175 / Juni 1997
Security in companies becomes more and more a central problem in data processing and telecommunications. In every company the production process and the provision of services are based on functioning systems, the minimization of transmission errors, the assignment and demonstrability of communication processes and the confidential processing and transmission of data. There is every reason to believe that trustworthiness of the information and communication systems will serve as a basis for further diffusion and adoption of telematic services.
Although the potential of vulnerability increases with the use of open networks, studies in large companies have shown that security aspects do not come first for many of them. They do not even take sufficient security measures against well-known risks such as software-anomalies or unsecured network access. Nevertheless, it should be assumed that large companies are likely to be among the pioneers rather than of the latecomers in the field of information and telecommunications security because of their financial and personnel resources.
The results raise the question how Small and Medium-Sized Enterprises (SMEs) deal with the problem of security in data processing and telecommunications. In spring 1996 the research institute WIK asked the company ExperTeam/Online Hanse GmbH to conduct an empirical study on the state of information and telecommunication security in SMEs. The intention was to assess the risk situation and the security awareness of the enterprises against the background of growing risks by the increasing use of telecommunications services.
As the study shows the security situation of information and telecommunications in SMEs needs improvement. Despite the fact that the majority of companies consider protection aims like availability, liability, and confidance as indispensable, a detailed strategy or measure planning is hardly found. The interviews revealed that risk situations are often underestimated whereas their own knowledge in the field of telecommunications security is overestimated. The majority of the interviewed SMEs plan to improve their security by using technical solutions in the first place. Although the appointment of experts in the field of information security or the establishment of security committees can be an important contribution to the increase of security the implementation of organizational and personnel security measures seem to cause difficulties for many SMEs. Costs are not the main problem. The results of the study rather indicate that the reasons are to be found in a lack of professional qualification, information deficits and a lack of risk awareness.
The implementation of security measures in companies has to be seen as a communication intensive, iterative and continous process and not as a problem that can be faced with unique solutions. Only few companies take extensive precautions against damages on the basis of risk analysis. The implementation of security measures is organized as an incremental process: Security measures are often taken only against such risks that have already caused security problems before.
Security problems caused by the use of data networks such as manipulation, spying or theft of information can hardly be noticed without the implementation of security measures. Therefore, numerous SMEs underestimate the extent of potential as well as already existing security problems in their companies. On the one hand, there is often a lack of technical, personnel and organisational means to detect a damage. On the other hand, after the occurrence of a damage it is difficult to identify the real consequences.
According to the results of the study farsighted security measures are rather an exception. In first place risk awareness is determined by the use of mail, telephone, and data processing. The risk of bugging and manipulation is considered minor. In general it can be observed that many companies mainly tend to take measures improving the security in data processing only but ignore telecommunications security. However, the fact that with an increasing use of telecommunications applications there is an increased readiness to integrate security solutions into the company must be seen as a positive development.
Only German language version available.