
SMEs: Why Information Assurance is Important Richard Henson Worcester Business School November 2012.

Presentation transcript:


Slide 2: SMEs: Why Information Assurance is Important
Richard Henson, Worcester Business School
r.henson@worc.ac.uk
info@iasme.co.uk
November 2012

Slide 3: Real and present danger?
[Diagram: a hacker reaching UK critical infrastructure through SMEs connected via the Internet (600 million gateways!)]

Slide 4: An Early Warning!
- In April 2009, hackers accessed data concerning technical details of a US govt fighter jet via networks with supply chain partners
- http://www.nextgov.com/nextgov/ng_20090421_4305.php
- Conclusion: “…there needs to be a new-order requirement on companies doing business with the federal government.”

Slide 5: US Action
- Realised extent of supply chain security problem
- Working with private sector, e.g. McAfee (Omanoff)

Slide 6: How can this affect my business?
- Supply chain partnerships becoming more focused on information security
- Government “risk appetite” has reduced
- Offer for more SME involvement in govt contracts may well have information security as a factor
- Publicity resulting from a data breach even more damaging than ever!

Slide 7: What can SMEs do?
- Allocate an information security budget?
  - more shiny black boxes?
  - educate employees about dangers? how?
  - get certified?
- Spend less on IT and become more secure?
  - is the cloud the answer?

Slide 8: What is the ROI on data?
- If… money spent on security can pay for itself, then a worthwhile investment
- Needs to be seen in the context of…
  - costs of a breach: av. figure (US, Symantec, 2010): $18800
  - frequency of a breach: av. every 5 years

Slide 9: UK Government Advice
- CESG provides guidance and advice: best advice appears to be based on “ISO27001 compliance”
- CPNI website: guidelines include 20 named technical controls to minimize the chance of a data breach… no guidance on physical or behavioural controls
- Is “compliance” with guidelines, standards, and regulations enough?

Slide 10: Will “compliance” stop this?
[Diagram repeated: a hacker reaching UK critical infrastructure through an SME via the Internet (600 million gateways!)]

Slide 11: Compliance and Certification
- Not just playing with words!
- Compliance does not require evidence to back up claims that guidelines etc. are being followed
- Certification is only achieved by providing evidence, in a systematic way, that the guidelines etc. are being adhered to

Slide 12: ISO27001 Certification and SMEs
- SMEs not shy of certification. Many already have:
  - ISO9001 – QMS
  - ISO14001 – EMS
  - ISO18001 – H&SMS
- Logical next step to go for ISO27001?

Slide 13: UK SME Priorities for 2012…
- Omanoff (McAfee VP) quote used on a UK technology reporting website (v3.co.uk): http://www.v3.co.uk/v3-uk/news/2121005/mcafee-offers-advice-securing-supply-chains
- But (same website), survey for businesses: “main priority for the new year?”
  - 98% reducing costs
  - 1% make more use of social media & cloud
  - 1% improve information security

Slide 14: SMEs and Information Assurance
- Few UK SMEs get ISO27001 certified
  - too time consuming, too expensive… little ROI…
  - “compliance is the English way”
- UK gov. concerned (2012) but still showing little sign of:
  - bringing in new laws…
  - educating about information security
- So why should SMEs bother!?!?!

Slide 15: A need to stop this…
[Diagram: a hacker reaching UK critical infrastructure and a global manufacturer through an SME via the Internet (600 million gateways!)]

Slide 16
- However… UK govt risk appetite lower: greater prospect of support
- And there’s a whole world out there to do business with!

Slide 17: So not all doom and gloom!
- Can SMEs be convinced that better information security reduces costs?
- Whole academic field based on such matters: “Economics of Information Security”
  - findings rarely get to SMEs… they should!!!

Slide 18: IASME (Information Assurance for SMEs)
- Project supported by Technology Strategy Board (2009-11)
- A systematic approach to information security focused on SMEs
- Objective: SME produces/maintains an ISMS
- Same principles as ISO9001 (QMS)
- NOT a “tick box” approach
- http://iasme.co.uk

Slide 19: Questions?

