
SMEs: Why Information Assurance is Important


Presentation Transcript


  1. SMEs: Why Information Assurance is Important Richard Henson Worcester Business School r.henson@worc.ac.uk info@iasme.co.uk November 2012

  2. Real and present danger?
     [Diagram: several SMEs connected via the Internet (600 million Gateways!) to UK critical infrastructure, with a hacker reaching the infrastructure through the SMEs]

  3. An Early Warning!
     • In April 2009, hackers accessed data concerning technical details of a US govt fighter jet via networks with supply chain partners
     • http://www.nextgov.com/nextgov/ng_20090421_4305.php
     • Conclusion: “…there needs to be a new-order requirement on companies doing business with the federal government.”

  4. US Action
     • Realised extent of supply chain security problem
     • Working with private sector
        • e.g. McAfee (Omanoff)

  5. How can this affect my business?
     • Supply chain partnerships becoming more focused on information security
     • Government “risk appetite” has reduced
        • offer for more SME involvement in govt contracts may well have information security as a factor
     • Publicity resulting from a data breach even more damaging than ever!

  6. What can SMEs do?
     • Allocate an information security budget?
        • more shiny black boxes?
        • educate employees about dangers? how?
        • get certified?
     • Spend less on IT and become more secure?
        • is the cloud the answer?

  7. What is the ROI on data?
     • If… money spent on security can pay for itself, then a worthwhile investment
     • Needs to be seen in the context of…
        • costs of a breach
           • av. figure (US, Symantec, 2010): $18800
        • frequency of a breach
           • av. every 5 years

  8. UK Government Advice
     • CESG provides guidance and advice:
        • best advice appears to be based on “ISO27001 compliance”
     • CPNI website:
        • guidelines include 20 named technical controls to minimize the chance of a data breach…
        • no guidance on physical or behavioural controls
     • Is “compliance” with guidelines, standards, and regulations enough?

  9. Will “compliance” stop this?
     [Diagram: SME connected via the Internet (600 million Gateways!) to UK critical infrastructure, with a hacker reaching the infrastructure through the SME]

  10. Compliance and Certification
     • Not just playing with words!
     • compliance does not require evidence to back up claims that guidelines, etc. are being followed
     • certification is only achieved by providing evidence in a systematic way to prove that the guidelines, etc. are being adhered to in a systematic way

  11. ISO27001 Certification and SMEs
     • SMEs not shy of certification. Many already have:
        • ISO9001 – QMS
        • ISO14001 – EMS
        • ISO18001 – H&SMS
     • Logical next step to go for ISO27001?

  12. UK SME Priorities for 2012…
     • Omanoff (McAfee VP) quote used on a UK technology reporting website (v3.co.uk)
     • http://www.v3.co.uk/v3-uk/news/2121005/mcafee-offers-advice-securing-supply-chains
     • But (same website): survey for businesses: “main priority for the new year?”
        • 98% reducing costs
        • 1% make more use of social media & cloud
        • 1% improve information security

  13. SMEs and Information Assurance
     • Few UK SMEs get ISO27001 certified
        • too time consuming, too expensive…
        • little ROI…
        • “compliance is the English way”
     • UK gov. concerned (2012) but still showing little sign of:
        • bringing in new laws…
        • educating about information security
     • so why should SMEs bother!?!?!

  14. A need to stop this…
     [Diagram: SME connected via the Internet (600 million Gateways!) to UK critical infrastructure and a global manufacturer, with a hacker reaching them through the SME]

  15. However…
     • UK govt risk appetite lower: greater prospect of support
     • And there’s a whole world out there to do business with!

  16. So not all doom and gloom!
     • Can SMEs be convinced that better information security reduces costs?
     • Whole academic field based on such matters: “Economics of Information Security”
        • findings rarely get to SMEs… they should!!!

  17. IASME (Information Assurance for SMEs)
     • Project supported by Technology Strategy Board (2009-11)
     • A systematic approach to information security focused on SMEs
     • Objective: SME produces/maintains an ISMS
     • Same principles as ISO9001 (QMS)
     • NOT a “tick box” approach
     http://iasme.co.uk

  18. Questions?
