Page 1

SMEs: Why Information Assurance is Important

Richard Henson

Worcester Business School

r.henson@worc.ac.uk

info@iasme.co.uk

November 2012

Page 2

Real and present danger?

[Diagram: UK critical infrastructure, a hacker, and several SMEs, all connected via the Internet… (600 million gateways!)]

Page 3

An Early Warning!

In April 2009, hackers accessed data concerning technical details of a US government fighter jet via networks shared with supply chain partners: http://www.nextgov.com/nextgov/ng_20090421_4305.php

Conclusion: “…there needs to be a new-order requirement on companies doing business with the federal government.”

Page 4

US Action

Realised the extent of the supply chain security problem

Working with the private sector, e.g. McAfee (Omanoff)

Page 5

How can this affect my business?

Supply chain partnerships are becoming more focused on information security

Government “risk appetite” has reduced; the offer of more SME involvement in government contracts may well have information security as a factor

Publicity resulting from a data breach is even more damaging than ever!

Page 6

What can SMEs do?

Allocate an information security budget? More shiny black boxes? Educate employees about dangers? How? Get certified?

Spend less on IT and become more secure? Is the cloud the answer?

Page 7

What is the ROI on data?

If… money spent on security can pay for itself, then it is a worthwhile investment

Needs to be seen in the context of… the cost of a breach (average figure, US, Symantec, 2010: $18,800) and the frequency of a breach (on average every 5 years)

Page 8

UK Government Advice

CESG provides guidance and advice: the best advice appears to be based on “ISO27001 compliance”

CPNI website: guidelines include 20 named technical controls to minimize the chance of a data breach… but no guidance on physical or behavioural controls

Is “compliance” with guidelines, standards, and regulations enough?

Page 9

Will “compliance” stop this?

[Diagram: UK critical infrastructure, an SME and a hacker, all connected via the Internet… (600 million gateways!)]

Page 10

Compliance and Certification

Not just playing with words!

Compliance does not require evidence to back up claims that guidelines, etc. are being followed

Certification is only achieved by providing evidence, in a systematic way, to prove that the guidelines, etc. are being adhered to

Page 11

ISO27001 Certification and SMEs

SMEs are not shy of certification. Many already have: ISO9001 (QMS), ISO14001 (EMS), ISO18001 (H&SMS)

Logical next step to go for ISO27001?

Page 12

UK SME Priorities for 2012…

Omanoff (McAfee VP) quote used on a UK technology reporting website (v3.co.uk): http://www.v3.co.uk/v3-uk/news/2121005/mcafee-offers-advice-securing-supply-chains

But (same website) a survey asked businesses: “main priority for the new year?” 98% reducing costs; 1% make more use of social media & cloud; 1% improve information security

Page 13

SMEs and Information Assurance

Few UK SMEs get ISO27001 certified: too time consuming, too expensive… little ROI… “compliance is the English way”

UK government concerned (2012) but still showing little sign of bringing in new laws… or educating about information security. So why should SMEs bother!?!?!

Page 14

A need to stop this…

[Diagram: UK critical infrastructure, an SME, a hacker and a global manufacturer, all connected via the Internet… (600 million gateways!)]

Page 15

* However… UK govt risk appetite lower: greater prospect of support

* And there’s a whole world out there to do business with!

Page 16

So not all doom and gloom!

Can SMEs be convinced that better information security reduces costs?

A whole academic field is based on such matters: “Economics of Information Security”. Its findings rarely get to SMEs… they should!!!

Page 17

IASME (Information Assurance for SMEs)

Project supported by the Technology Strategy Board (2009-11)

A systematic approach to information security focused on SMEs

Objective: the SME produces and maintains an ISMS; same principles as ISO9001 (QMS); NOT a “tick box” approach

http://iasme.co.uk

Page 18

Questions?