SMEs: Why Information Assurance is Important
Richard Henson
Worcester Business School
r.henson@worc.ac.uk
info@iasme.co.uk
November 2012
Real and present danger?
[Diagram: a hacker reaching UK critical infrastructure across the Internet ("600 million Gateways!") by way of several SMEs; X marks show the paths involved]
An Early Warning!
* In April 2009, hackers accessed data concerning technical details of a US government fighter jet via the networks of supply chain partners: http://www.nextgov.com/nextgov/ng_20090421_4305.php
* Conclusion: “…there needs to be a new-order requirement on companies doing business with the federal government.”
US Action
* Realised the extent of the supply chain security problem
* Working with the private sector, e.g. McAfee (Omanoff)
How can this affect my business?
* Supply chain partnerships are becoming more focused on information security
* Government “risk appetite” has reduced
  * the offer of more SME involvement in government contracts may well have information security as a factor
* Publicity resulting from a data breach is even more damaging than ever!
What can SMEs do?
* Allocate an information security budget?
  * more shiny black boxes?
  * educate employees about dangers? how?
  * get certified?
* Spend less on IT and become more secure?
  * is the cloud the answer?
What is the ROI on data?
* If… money spent on security can pay for itself, then it is a worthwhile investment
* Needs to be seen in the context of…
  * cost of a breach: average figure (US, Symantec, 2010): $18800
  * frequency of a breach: on average every 5 years
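The “can it pay for itself?” test on this slide can be made concrete with the slide’s own two figures. The following is an added example, not part of the original presentation: it turns a breach cost and a breach interval into an expected annual loss, and then asks what annual security spend breaks even. The fraction of breach risk a given budget removes (`risk_reduction`) is an assumption for illustration; the slides give no such figure.

```python
"""Expected-loss view of an SME security budget (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachProfile:
    """Cost of one breach and the mean interval between breaches, in years."""
    cost_per_breach: float   # single-loss expectancy, e.g. the $18800 Symantec (2010) average
    years_between: float     # mean interval, e.g. one breach every 5 years

    @property
    def annual_rate(self) -> float:
        """Breaches expected per year (annualised rate of occurrence)."""
        if self.years_between <= 0:
            raise ValueError("years_between must be positive")
        return 1.0 / self.years_between

    @property
    def annual_expected_loss(self) -> float:
        """Expected loss per year = cost per breach x breaches per year."""
        return self.cost_per_breach * self.annual_rate


# Figures quoted on the slide: $18800 per breach, one breach every 5 years.
SYMANTEC_2010 = BreachProfile(cost_per_breach=18800.0, years_between=5.0)


def _check_reduction(risk_reduction: float) -> None:
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")


def break_even_spend(profile: BreachProfile, risk_reduction: float) -> float:
    """Largest annual spend that still pays for itself, given the loss it avoids.

    risk_reduction is an ASSUMED fraction of breach risk the spend removes.
    """
    _check_reduction(risk_reduction)
    return profile.annual_expected_loss * risk_reduction


def rosi(profile: BreachProfile, annual_spend: float, risk_reduction: float) -> float:
    """Return on security investment: (loss avoided - spend) / spend.

    Positive means the spend pays for itself; negative means it costs more
    than the expected loss it prevents.
    """
    _check_reduction(risk_reduction)
    if annual_spend <= 0:
        raise ValueError("annual_spend must be positive")
    avoided_loss = profile.annual_expected_loss * risk_reduction
    return (avoided_loss - annual_spend) / annual_spend


def compare_budgets(profile: BreachProfile, risk_reduction: float,
                    budgets: list[float]) -> dict[float, float]:
    """ROSI for each candidate annual budget, so the cut-off point is visible."""
    return {b: rosi(profile, b, risk_reduction) for b in budgets}


if __name__ == "__main__":
    # Assumed: the budget halves the chance of a breach.
    assumed_reduction = 0.5
    print(f"expected annual loss: ${SYMANTEC_2010.annual_expected_loss:,.0f}")
    print(f"break-even annual spend at {assumed_reduction:.0%} risk reduction: "
          f"${break_even_spend(SYMANTEC_2010, assumed_reduction):,.0f}")
    for budget, r in compare_budgets(SYMANTEC_2010, assumed_reduction,
                                     [500.0, 1000.0, 1880.0, 3000.0]).items():
        verdict = "pays for itself" if r >= 0 else "costs more than it saves"
        print(f"  budget ${budget:>7,.0f}: ROSI {r:+.2f}  ({verdict})")
```

Two caveats belong with any such figure. The $18800 is an average, so a single larger breach can exceed the five-year expected loss many times over, which is why the slide frames the breach cost as context rather than a budget ceiling; and the risk-reduction fraction is the number nobody hands an SME, which is exactly the gap the later “Economics of Information Security” slide points at.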
UK Government Advice
* CESG provides guidance and advice: the best advice appears to be based on “ISO27001 compliance”
* CPNI website: guidelines include 20 named technical controls to minimize the chance of a data breach…
  * no guidance on physical or behavioural controls
* Is “compliance” with guidelines, standards, and regulations enough?
Will “compliance” stop this?
[Diagram: as before, a hacker reaching UK critical infrastructure across the Internet ("600 million Gateways!") by way of an SME; X marks show the paths involved]
Compliance and Certification
* Not just playing with words!
* Compliance does not require evidence to back up claims that guidelines etc. are being followed
* Certification is only achieved by providing evidence, in a systematic way, to prove that the guidelines etc. are being adhered to
ISO27001 Certification and SMEs
* SMEs are not shy of certification. Many already have:
  * ISO9001 – QMS
  * ISO14001 – EMS
  * ISO18001 – H&SMS
* Logical next step to go for ISO27001?
UK SME Priorities for 2012…
* Omanoff (McAfee VP) quote used on a UK technology reporting website (v3.co.uk): http://www.v3.co.uk/v3-uk/news/2121005/mcafee-offers-advice-securing-supply-chains
* But (same website), a survey of businesses asked: “main priority for the new year?”
  * 98% reducing costs
  * 1% make more use of social media & cloud
  * 1% improve information security
SMEs and Information Assurance
* Few UK SMEs get ISO27001 certified: too time consuming, too expensive… little ROI… “compliance is the English way”
* UK government concerned (2012) but still showing little sign of:
  * bringing in new laws…
  * educating about information security
* so why should SMEs bother!?!?!
A need to stop this…
[Diagram: a hacker reaching UK critical infrastructure and a global manufacturer across the Internet ("600 million Gateways!") by way of an SME; X marks show the paths involved]
* However… UK govt risk appetite lower: greater prospect of support
* And there’s a whole world out there to do business with!
So not all doom and gloom!
* Can SMEs be convinced that better information security reduces costs?
* A whole academic field is based on such matters: “Economics of Information Security”
  * its findings rarely get to SMEs… they should!!!
IASME (Information Assurance for SMEs)
* Project supported by the Technology Strategy Board (2009-11)
* A systematic approach to information security focused on SMEs
* Objective: the SME produces and maintains an ISMS
  * Same principles as ISO9001 (QMS)
  * NOT a “tick box” approach
* http://iasme.co.uk
Questions?