
Executive summary of the Study on information security and business continuity of Spanish enterprises

INSTITUTO NACIONAL DE TECNOLOGÍAS DE LA COMUNICACIÓN

Objectives and methodology


RESEARCH PROJECT ON INFORMATION SECURITY AND BUSINESS CONTINUITY IN SPANISH ENTERPRISES

Study objectives
Establish a diagnostic of how small and medium Spanish enterprises perceive their preparation on information security and business continuity in 2012, in terms of:
Protection and prevention against risks.
Incidents, consequences and responses.
E-trust.
Recommendations and good practices.

Study methodology

Document analysis of national and international studies.
Survey: 2,250 interviews with IT security managers of enterprises.
In-depth interviews with 10 IT security managers of enterprises.
Think tank: group of 9 experts and professionals belonging to different fields of security and business continuity.

Technical details of the survey


Survey on information security and e-trust
Participants: small and medium enterprises registered within the national territory (CNAE 2009).
Sampling: 1,144 IT security managers of enterprises distributed across the national territory.
Sampling distribution: over a total of 1,144 enterprises, 440 microenterprises, 395 small enterprises and 309 medium enterprises.
Collection of information: CATI (Computer Assisted Telephone Interviewing).
Field research: December 2011 and January 2012.
Sampling error: 2.9%, calculated for a 95.5% confidence level with p=q=0.5.

Survey on business continuity


Participants: small and medium enterprises registered within the national territory (CNAE 2009).
Sampling: 1,109 IT security managers of enterprises distributed across the national territory.
Sampling distribution: over a total of 1,109 enterprises, 501 microenterprises, 343 small enterprises and 265 medium enterprises.
Collection of information: CATI (Computer Assisted Telephone Interviewing).
Field research: January and February 2012.
Sampling error: 2.9%, calculated for a 95.5% confidence level with p=q=0.5.

Study on information security and business continuity of Spanish enterprises



Contents
Technical tools and security personnel
Best security practices
Security plans and policies
Security incidents in an enterprise: incident, impact and response
E-trust in Spanish enterprises
Security profiles and business continuity in an enterprise
Final observations
Recommendations

http://observatorio.inteco.es

Main results
Tools, best practices and security policies in the enterprises
Remarkable level of implementation of basic security measures and habits in small and medium Spanish enterprises: antivirus and firewalls are the most common tools (96.1% and 75.4%, respectively). 56% of enterprises have personnel dedicated to information security (21% through internal personnel and 35.3% through outsourcing). It is noticeable that security backups and updates of operating systems and programs are increasingly used protection habits (88.2% and 81.9%, respectively).
Information security has developed positively during the last year, according to the enterprises taking part in the research. Enterprises consider that they perform security audits and hold Information Security Management System (ISMS) certificates to a greater extent than official data states.
4 out of 10 enterprises know what Business Continuity Plans are. 12.9% claim to have a BCP and 5.3% have a plan for the technological component. 31.9% of the enterprises having a Business Continuity Plan provide mechanisms to verify its efficiency, periodic tests being the most common one (42.3%).

Main results
Incidents affecting information security and business continuity
26.1% of small and medium enterprises perceived that they had an incident of this kind in 2011. Malware infection (14.7%) and spam (11.9%) are the most recurrent cases. The most common mobile security incidents in enterprises are linked to terminal theft or loss (7.1% and 7.2%, respectively).
During the last year, 1 out of 3 enterprises experienced circumstances or incidents affecting their business operations continuity in some way. The most common events are failure of support systems (15.2%), meltdown of computer systems and applications (11.3%) and lack of service or supply from providers (11.2%).
Impact and response against incidents
The most common consequences after an incident are loss of time and productivity and disruption of operations. After an incident occurs, 38.5% of enterprises adopt a proactive attitude, implementing security tools and measures. Actions at the organisational or strategic level are a minority of cases. In almost half of the cases, those in charge of solving the incident are internal technical personnel; nonetheless, the proportion claiming to depend on external services is noticeable (40.9%).

Main results
E-trust
Electronic banking and online payment methods (69.8%), business websites (55.5%) and e-Administration (51.9%) are the most widespread ICT services in small and medium Spanish enterprises. Social networks are increasingly important as a communication channel; Facebook is the most prevalent one (88.7%), followed by Twitter (29.6%).
High level of trust in most of the services, notably in e-Administration (87.0%) and the use of electronic banking and online payment methods (86.1%). Social networks are the service enterprises trust least. Lack of necessity and lack of interest are the most common reasons for not implementing new services.

Security measures in enterprises


Use of ICTs
Desktops are a business imperative and are present in 92.3% of enterprises. Wireless and mobile technologies are increasingly important in enterprises.

Use of ICTs in small and medium Spanish enterprises

Desktops: 92.3%
Wireless networks (Wifi): 66.2%
Local area network (LAN): 59.8%
Laptops: 47.2%
Remote access: 41.3%
Mobile devices (PDA, Smartphone, Tablet): 27.1%

Base: enterprises taking part in the security survey (n=1,144)

Security measures in enterprises


Equipment security measures
Generalized use of package solutions: antivirus, firewalls and antispam. Lower penetration of tools requiring the user to participate.

Declared level of implementation of security solutions in enterprises

Antivirus/Antispyware: 96.1%
Firewall: 75.4%
Antispam: 75.3%
Blocking pop-up windows: 71.5%
Temporary files and cookies removal: 67.4%
Anti-intrusion systems: 52.9%
Browser plug-ins: 51.4%
Data encryption: 34.1%

Base: enterprises taking part in the security survey (n=1,144)

Security measures in enterprises


Restrictions on security measures implementation
Lack of awareness and lack of risk perception are the main reasons for not applying security measures.

Reasons for not applying security measures (% of enterprises not using each solution; columns: % not using the solution, Do not know them, Do not need them, Price, Ineffectiveness, They slow down business, Other, No reply)

Solution                              Not using  Do not know  Do not need  Price  Ineffectiveness  Slow down business  Other  No reply
Antivirus / Antispyware                     3.9          2.3         39.6    0.4              5.1                17.4   14.9      20.3
Firewalls                                  24.6         35.6         27.2    3.2              0.8                 2.8    0.2      30.2
Antispam                                   24.7         28.0         38.8    0.1              0.8                 3.8    0.2      28.3
Browser plug-ins                           48.6         37.0         28.4    0.5              0.5                 2.0    0.4      31.2
Blocking pop-up windows                    28.5         33.3         29.7    0.0              0.9                 2.9    0.2      33.0
Anti-intrusion systems                     47.1         38.0         26.0    1.4              0.4                 2.1    0.2      31.9
Data encryption                            65.9         35.1         35.2    0.4              0.5                 1.6    0.8      26.4
Temporary files and cookies removal        32.6         29.1         32.5    0.7              1.1                 3.1    1.5      32.0

Base: enterprises not using security tools and solutions

Security measures in enterprises


Security measures in enterprise mobile devices
Access via PIN code and unlocking passwords are the most common measures used in the protection of mobile devices.

Adoption of security measures in mobile devices

Access via PIN code (password): 57.8%
Unlocking password: 46.1%
Backup of sensitive data: 31.7%
Hidden and password protected Bluetooth: 30.9%
Automatic software updates: 28.8%
Antivirus program: 21.8%
Strength of password: 20.7%
Formatting after a certain number of attempts to introduce the password: 19.4%
Program or application installations blocked: 15.5%
Remote deletion of data in case of loss/theft: 13.5%
Data and/or communications encryption: 7.3%

Base: enterprises using mobile devices (n=459)

Security measures in enterprises


Protection of enterprise wifi network
WPA/WPA2 and WEP standards are used to the same extent. It is necessary to broaden the implementation of the WPA/WPA2 standards.

Declared protection in wireless networks (wifi)

Protected (WPA, WPA2 protocol): 27.4%
Protected (WEP protocol): 27.4%
Protected by unknown system: 21.1%
No protection: 12.4%
Unknown/No reply: 11.7%

Base: enterprises using wireless network (n=129)

Security measures in enterprises


Security human resources
56.3% of enterprises have personnel dedicated to ensuring information security. 4.0% have internal professionals dedicated exclusively to security.

Personnel dedicated to information security

Personnel exclusively dedicated to security available: 4.0%
In-house IT personnel available: 17.0%
Personnel available through an external company: 35.3%
(Subtotal with some form of security personnel: 56.3%)
Not considered: 43.1%
Unknown/No reply: 0.6%

Base: enterprises taking part in the security survey (n=1,144)

Security measures in enterprises


Management's strategy and commitment to security
Most enterprises' boards of directors value ICT protection (giving it great or fair importance).

Level of importance that management gives to information security

Categories: Very high importance; High importance; Neutral/Medium; Low importance; Zero importance; Unknown/No reply.
Values shown on the chart (order as extracted): 4.3%, 3.1%, 3.1%, 35.0%, 17.2%, 37.3%.

Base: enterprises taking part in the security survey (n=1,144)

Best security practices in enterprises


Best practices that complement security
The implementation of security practices with regard to carrying out security backups and updating programs is quite noticeable. Prudent habits towards employees are a minority.

Applying best practices in enterprises

Regular backups made: 88.2%
Program updates: 81.9%
Control and access to equipment and documents: 69.1%
Employee program installation constraints: 50.1%
Employee internet access constraints: 21.3%

Base: enterprises taking part in the security survey (n=1,144)

Best security practices in enterprises


Employee training on security risks
Just over a quarter of enterprises claim they provide specific training on security risks. According to experts, this figure is lower, and the organisation's promotion of training initiatives needs to be improved.

Training in security risks given to employees in enterprises

Yes: 27.3%
No: 70.5%
Unknown/No reply: 2.2%

Base: enterprises taking part in the security survey (n=1,144)

Security Plans and Policies


Knowledge on Business Continuity Plan (BCP)
There is a high level of unawareness about the concept of Business Continuity Plan. Some enterprises are more familiar with this concept, especially enterprises providing business services and new information technology services.

Level of knowledge in enterprises on Business Continuity Plans

Yes, I am well informed: 13.3%
Yes, but I do not know it in depth: 26.1%
(Subtotal aware of the concept: 39.4%)
No: 60.6%

Base: total number of enterprises answering the business continuity survey (CN) (n=1,109)

Security Plans and Policies


Business continuity strategies

Forecasting of business continuity strategies for business crisis situations

Yes, it is elaborated and implemented: 15.3%
Yes, but only regarding technology: 15.5%
No, but it is planned: 11.0%
No, and it is not planned: 51.7%
Unknown/No reply: 6.5%

Base: total number of enterprises answering the business continuity survey (n=1,109)

Main reason why a strategy or procedure for crisis situations or disasters has not been planned

Very small probability of crisis: 41.2%
Do not have staff/time: 19.3%
Prohibitive cost: 11.4%
Have other security priorities: 10.0%
Do not think about it: 2.4%
Lack of knowledge: 1.4%
When necessary they resolve it by themselves: 0.7%
Other: 1.7%
Unknown/No reply: 11.9%

Base: enterprises lacking BC strategy (n=416)

Security Plans and Policies


Maximum Tolerable Downtime
A considerable proportion of enterprises have claimed that the Maximum Tolerable Downtime (MTD) they could manage without a serious/critical impact on the business is one day. Same results in 2010 and 2012.

MTD evolution in small and medium Spanish enterprises

Categories: Less than 6 hours; Less than 12 hours; Less than 24 hours; Less than 48 hours; Less than 5 days; More than 5 days; Unknown/No reply.
Values shown for 2010 (order as extracted): 35.8%, 11.7%, 22.6%, 12.5%, 17.5%.
Values shown for 2012 (order as extracted): 35.1%, 7.8%, 21.9%, 11.7%, 9.8%, 6.8%, 6.9%.

Base: total of enterprises 2012 (n=1,109); total enterprises and success cases 2010 (n=429)

Security Plans and Policies


Adoption of BCP in enterprises

Adoption of BCP

Yes, we have a complete BCP: 12.9%
Yes, but it only covers the technological aspects: 5.3%
Remaining categories (No, it is not necessary; No, it is necessary but its implementation is not planned; No, but its implementation is planned; Unknown/No reply), values as extracted: 59.8%, 14.4%, 5.2%, 2.4%

Base: enterprises taking part in the security survey (n=1,144)

Elements identified in BCP

Risk assessment: 56.0%
Allocation of responsibilities: 45.2%
Activation of the plan for the restoration of business activities: 41.2%
Identification and prioritisation of critical processes: 36.6%
Defining recovery period: 33.6%
Communication plan strategies: 32.2%
Continuity plan tests: 31.9%
Other: 4.4%
Unknown/No reply: 17.6%

Base: enterprises having a BCP (n=337)

Security incidents in enterprises


Impact of security risks
Enterprises which have personnel dedicated to information security are the ones detecting incidents to a greater extent.

Awareness of security incidents vs. security personnel available at the enterprise (have experienced incidents / have not experienced incidents)

Personnel exclusively dedicated to security available: 46.4% / 53.6%
In-house IT personnel available: 29.6% / 70.4%
Personnel available through an external company: 21.5% / 78.5%
Not considered: 26.9% / 73.1%

Base: enterprises taking part in the security survey (n=1,144)

Security incidents in enterprises during last year

Yes: 26.1%
No: 73.9%

Base: enterprises taking part in the security survey (n=1,144)

Security incidents in enterprises


Information security incidents
Malware and spam are the most frequent security incidents.

Typology of security incidents that occurred in enterprises during last year

Malware (virus, trojans, etc.): 14.7%
Bulk mail advertising (spam): 11.9%
Technical failure: 4.3%
Equipment/program physical damage: 2.2%
Identity theft: 1.1%
Loss/theft of devices: 0.9%
Unauthorized external access: 0.9%
Online fraud/phishing: 0.8%
Distributed denial of service (DDoS) attack: 0.6%
Data leakage due to error / intention (internal staff): 0.4%
Sabotage (internal act): 0.3%
None of the above: 73.9%

Base: enterprises taking part in the security survey (n=1,144)

Security incidents in enterprises


Mobile security incidents
Most enterprises do not detect, or are unaware of, having suffered security incidents in mobile devices. Theft and loss of terminals are the most remarkable incidents.

Mobile security incidents

Yes: 8.6%
No: 77.0%
Unknown/No reply: 14.4%

Typology of mobile security incidents in enterprises

Terminal device theft: 7.2%
Terminal device loss: 7.1%
Data theft (via bluetooth, Wi-Fi, etc.): 1.3%
Fraud causing economic damage: 0.9%
Wear or tear: 0.8%
Intrusion by third parties (via bluetooth, Wi-Fi, etc.): 0.0%
Malware (virus, trojans, spyware, etc.): 0.0%
No incidents occurred: 77.0%

Base: total number of enterprises using mobile devices (n=459)

Security incidents in enterprises


Business continuity incidents
Since 2010, security incidents in enterprises having an impact on activities or process continuity have decreased.

Business continuity incidents evolution

2010 (last 3 months): Yes 35.2%; No 56.7%; Unknown/No reply 8.1%
2012 (last year): Yes 33.6%; No 66.4%

Base: year 2012 (n=1,109); year 2010 (n=429)

Security incidents in enterprises


Business Continuity (BC) incidents
Meltdown/breakdown of support systems is the main reason process continuity has been at risk.

Typology of Business Continuity incidents that occurred in enterprises during last year

Meltdown/breakdown of support system: 15.2%
Meltdown of system/computer applications: 11.3%
Lack of service/supply from providers: 11.2%
Computer attacks: 6.3%
Physical damage of equipment: 5.8%
Flood/fire/natural disaster: 3.9%
Loss of key data: 2.7%
Strike/epidemic/sick leave of key personnel: 1.3%
Fines/sanctions due to legal non-compliance: 1.1%
No incident: 66.4%

Base: total number of enterprises answering the business continuity survey (n=1,109)

Impact and consequences of incidents


Consequences of security incidents
Technical failure is the security incident which has most often generated consequences.

Consequences of main security incidents (Yes, it had consequences / No consequences)

Technical failures: 89.2% / 10.8%
Malware: 68.3% / 31.7%
Bulk mail advertising: 53.2% / 46.8%

Base: enterprises having suffered an incident (malware n=199; bulk mailing n=157; technical failures n=90)

Impact and consequences of incidents


Typology of consequences created by security incidents
In general, waste of time, disruption of activity or technical consequences are the main negative effects caused by security incidents.

Consequences caused by the main security incidents (% of enterprises suffering each incident)

Technical failures: Waste of time / productivity 66.9; Business downtime 25.8; Technical consequences 17.2; Repair / replacement costs 7.6; Image / reputation damage 5.9; File deletions 0.6; Hardware / software damage 0.5; Fines / sanctions due to legal non-compliance 0.5; Economic damage (fraud) 0.5; Leaking of confidential / sensitive information 0.5; Cancellation of contracts with clients 0.5; No consequences 15.5; Unknown / No reply 1.1

Malware (values as extracted; only nine of the thirteen columns survive): 41.1, 5.3, 10.5, 19.3, 0.0, 6.3, 4.6, 42.4, 4.2

Spam (values as extracted; only nine of the thirteen columns survive): 6.1, 37.7, 0.5, 3.5, 0.2, 8.5, 0.4, 50.1, 0.3

Impact and consequences of incidents


Typology of consequences created by BC incidents
Operational impacts are the most remarkable, regardless of which incident occurred.

Consequences caused by business continuity incidents (% of enterprises suffering each incident; columns: Delays/hours lost/impact on productivity; Economic (direct cost); Impact on business image (reputation impact); Loss of clients with which a firm contract was established (contractual impact); Sanctions/fines (legal impact); Other consequences; No impact; Unknown/No reply)

Collapse of support system: 81.8; 21.3; 6.2; 7.2; 4.0; 0.1; 7.5; 0.9
Lack of service/supply from provider: 83.9; 14.6; 2.0; 0.1; 0.4; 0.3; 9.8; 2.3
System/computer applications failure (values as extracted, one column missing): 73.4; 21.1; 4.4; 3.4; 0.1; 10.6; 0.6
Physical damage of equipment (values as extracted, two columns missing): 70.2; 46.3; 4.9; 0.4; 10.0; 0.1
Computer attacks (values as extracted, one column missing): 52.7; 10.4; 2.1; 0.4; 4.3; 36.7; -

Base: enterprises which suffered BC incidents

Response against incidents


Response actions
54.4% adopt no response at all, against 38.5% that adopt a proactive attitude when facing an incident and its possible implications. Enterprises choose quick and cheap measures rather than resolutions which involve actions at the organisational or strategic level.

Response to security incidents

I have installed/updated security tools: 19.7%
I have implemented new security measures: 12.9%
Security training has been carried out for employees: 7.1%
Business continuity measures have been implemented: 2.2%
An Information Security Management System (ISMS) has been implemented (ISO 27001): 2.1%
My company has stopped using certain internet services: 0.9%
Internal staff/external security service has been hired: 0.6%
Unknown/No reply: 0.1%
We keep proceeding as usual: 54.4%

Base: enterprises which suffered security incidents (n=360)

Response against incidents


Resolving incidents
In-house personnel are the main agents in charge of resolving security incidents. In second position we find external technical professional services.

Form adopted for resolving incidents

Company's personnel: 48.5%
External technical support service: 33.5%
Company's personnel with external professional counselling: 7.4%
A friend/acquaintance with computer skills; Other: 1.9% and 2.6% (values as extracted)
I have not resolved the incident: 5.3%
Unknown/No reply: 0.7%

Base: enterprises which suffered security incidents (n=360)

E-trust in Spanish enterprises


Use of information society services
Electronic banking and online payment methods, business websites and e-Administration are the most common services used by enterprises.

Use of electronic services via the internet indicated by enterprises

Electronic banking/online payment methods: 69.8%
Business website: 55.5%
Formalities with the public administration (eAdministration): 51.9%
Electronic purchasing: 44.6%
Electronic signature (Certificate, ID, etc.): 40.1%
Profile on social networks: 26.8%
Electronic invoicing: 20.3%
Electronic procurement: 17.7%
Electronic sales: 14.5%

Base: enterprises taking part in the security survey (n=1,144)

E-trust in Spanish enterprises


Enterprises and social networks
Social networks are increasingly important as an enterprise communication channel. Strong predominance of Facebook as a corporate channel.

Enterprise presence on different social networks

Facebook: 88.7%
Twitter: 29.6%
Google+: 10.3%
LinkedIn: 10.1%
Youtube: 9.8%
Scribd: 0.1%
Others: 5.3%

Base: total amount of enterprises with a profile on social networks (n=344)

E-trust in Spanish enterprises


Confidence in Internet services
Once again, e-Administration, e-banking and electronic payment methods are the most trusted services among enterprises, and also the most widespread ones. Social networks come in at the bottom of the list.

Enterprises' level of trust in the various internet services (share declaring quite/sufficient trust)

e-Administration: 87.0%
Electronic banking/online payment methods: 86.1%
Electronic signature: 83.9%
Electronic invoicing: 83.9%
Electronic procurement: 75.3%
Business website: 71.3%
Electronic purchasing: 71.3%
Electronic sales: 55.6%
Profile on social networks: 45.9%

The chart also shows, for each service, the share declaring low trust and the share of unknown/no reply; values as extracted: 21.7%, 35.9%, 10.0%, 3.0%, 11.9%, 2.0%, 14.9%, 1.2%, 15.9%, 0.2%, 18.4%, 6.3%, 17.9%, 3.0%, 6.0%, 21.5%, 7.2%, 22.7%, 18.2%.

Base: enterprises taking part in the security survey (n=1,144)

E-trust in Spanish enterprises


Reasons for not using ICT services
Lack of necessity and lack of interest are the main barriers, notably regarding social networks (88.6%), online selling (87.0%) and electronic procurement (85.8%). Lack of security is the reason given by a minority.

Reasons why enterprises do not use ICT services (% of enterprises not using each service; columns: % of businesses not using the service, Not needed/Not interested, Do not know how to use them, Find them inconvenient, Do not think it is safe, Unknown/No reply)

Service                                                          Not using  Not needed  Do not know how  Inconvenient  Not safe  Unknown
Electronic sales                                                      84.9        87.0              3.4           5.9       3.7        -
Electronic procurement                                                78.0        85.8              6.0           6.0       2.2        -
Electronic invoicing                                                  77.7        77.7              6.2          15.3       0.8        -
Profile on social networks                                            71.4        88.6              4.6           3.5       3.3        -
Electronic signature (certificate, electronic ID, etc.)               56.9        82.4              9.3           6.4       1.9        -
Electronic purchasing                                                 54.7        82.4              3.5           6.4       7.7        -
Formalities with the public administration (e-Administration)         44.2        74.2              6.3          16.7       2.8        -
Business website                                                      44.3        86.3              4.4           1.6       1.1      6.6
Electronic banking/online payment methods                             28.4        68.0              7.0          12.5      12.5        -

Base: enterprises taking part in the security survey (n=1,144)

Enterprise profiles according to security/continuity


Security and e-trust profiles: Protected, Cautious, Negligent, Careless
Enterprises distribution according to their security and e-trust profiles (Group 1: protected; Group 2: cautious; Group 3: negligent; Group 4: careless)
Base: enterprises taking part in the security survey (n=1,144)

Business continuity profiles: Prepared, Unprepared, Indifferent, Reckless
Enterprises distribution according to their business continuity profiles (Group 1: prepared; Group 2: unprepared; Group 3: indifferent; Group 4: reckless)
Base: total number of enterprises answering the CN survey (n=1,109)

Shares shown on the two charts (order as extracted): 9.1%, 21.1%, 22.5%, 24.4%, 44.7%, 23.7%, 29.1%, 25.4%

Enterprise profiles according to security and e-trust


Carefree
Mainly micro-enterprises from the retail and hospitality sectors. They show little concern for security. They report few occurrences of risk exposure. They use very few Internet services and have a medium level of trust.

Cautious
Mainly micro-enterprises from all sectors. They show great concern for security, but they do not always have the best technical resources available. They report few occurrences of risk exposure. They rarely use Internet services and have a medium/high level of trust.

Protective
Mainly medium enterprises from the industry and business services sectors. They show high concern for information security and have the technical and human means to ensure it. Few occurrences of risk exposure. They have a high level of trust in the internet.

Careless
Mainly micro-enterprises from the retail, hospitality and other sectors. They show very little concern for security. They report many occurrences of risk exposure. They use ICT extensively and have a medium/high level of trust.

Enterprise profiles according to security and e-trust


Unprepared
Mainly small enterprises and micro-enterprises from the retail and hospitality sectors. They consider themselves fairly prepared to tackle a crisis. They report a high number of incidents. They do not identify critical business activities. They have a strategy for crisis situations.

Indifferent
Mainly micro-enterprises from the industry, retail and hospitality sectors. They consider themselves as not being prepared to tackle a crisis situation. They report few occurrences of incidents. They do not identify critical business activities. They do not have a strategy to tackle crisis situations.

Prepared
Mainly small and medium enterprises from the services sector. They consider themselves prepared to tackle a crisis. They report few occurrences of risk exposure. They have critical business activities identified. They have a strategy for crisis situations.

Reckless
Mainly micro-enterprises from industry. They consider themselves not well prepared to tackle crisis situations. They report many occurrences of risk exposure. They do not identify critical business activities. They do not have a strategy to tackle crisis situations.

Final observations
SWOT analysis

STRENGTHS
Good technological capacity. Remarkable level of preventive security measures implementation. Appreciation of recovery period. Positive response towards initiatives.

WEAKNESSES
False sense of security. Shortcomings in the security culture of enterprises. A small size is a determining (negative) factor of the protection level. Low margin over business tolerable downtime. Security approach excessively focused on the technological aspect.

OPPORTUNITIES
Joint approach of different players in order to obtain a better position with regards to enterprises. Large portfolio of security services and business continuity services. Outsourcing of IT tasks and information security.

THREATS
Slow progress in security. Worsening of the attack consequences. New technology challenges and new security risks.

Recommendations
Recommendations for enterprises

Awareness raising
Progress in raising awareness in enterprises about information security risks. Promoting the use of best practices among members of the organisation. Adopting business continuity strategies to ensure the organisation's endurance against a crisis or disaster.

Implementation
Turn to external professionals in order to resolve the lack of internal resources without neglecting security. Correct use of security tools and measures. Establish security criteria in relationships with providers. Keep abreast of new security risks and protection measures.

Recommendations
Recommendations for the security industry and administration

Industry
Adapt security solutions and product offers to the context of small and medium Spanish enterprises. Deploy measures which help complement the security of the enterprise, starting with raising awareness and training. Promote professionalisation of security solution vendors. Closely collaborate with the Public Administration.

Administration
Advise entrepreneurs to include information security competences. Deploy actions to create awareness based on the benefits of using ICT services and of proactive security. Promote development of business strategies based on standards. Deploy information and training initiatives for enterprise personnel. Study the status of information security and business continuity among Spanish enterprises. Carry out specific actions for IT service enterprises.

Follow us on:

Web: http://observatorio.inteco.es
Facebook profile: http://www.facebook.com/ObservaINTECO
Twitter profile: http://www.twitter.com/ObservaINTECO
Scribd profile: http://www.scribd.com/ObservaINTECO
Youtube profile: http://www.youtube.com/ObservaINTECO
Blog of the Information Security Observatory: http://www.inteco.es/BlogSeguridad

Send us your questions and feedback to:

observatorio@inteco.es

http://www.inteco.es
http://observatorio.inteco.es