Visit www.iasme.co.uk or call 03300 882 752
SMEs and Cyber Security
Why bother?
Dr Daniel G. Dresner MInstISP
Why should SMEs bother with cyber security?
• Why should you care?
• What can you do to care?
• How can you show you care?
• Where do you go from here…?
Why should you care?
The challenge…
Why should you care?
Of kill chains and food chains…
SMEs are the way to the big fish*
* or whales of course…
The after shock
Source: University of Texas
Why should SMEs bother?
• Customers do not generally ask for assurance
• SMEs don’t understand the threat
• SMEs don’t understand what to do
• Experts are very expensive
• SMEs don’t hear of other SMEs being breached
• Much more urgent things to worry about
So what bothers you?
• Identity theft and resulting fraud
• Competitors knowing your plans
• Targeted attacks through multiple channels (‘APTs’)
• Surface web…deep web…dark net
• Hacktivism
• Stolen blueprints
• Disrupted utilities
• Contaminated industrial processes
• Lost data in ‘the cloud’
• Surveillance and anonymity
• Destabilised financial markets
What can you do to care?
[Figure: threat spectrum mapped against your attack surface – from low-level, rudimentary threats, through insider threats, to sophisticated advanced persistent threats/targeted attacks. What’s to do…?]
Starting with… the 5 Cyber Essentials
Cyber essentials
• UK Government reviewed successful cyber attacks over last few years.
• A small number of technical measures would have meant most of these would not have been successful.
• Cyber Essentials scheme aims at getting all companies to implement these 5 most important controls.
• Mandated in UK Government contracts since October 2014.
1. Patch management – It is broken, so do fix it
2. Malware protection – No excuses! Vaccinate!
3. Access control – Least privilege
4. Secure configuration – Out of the box… into the fire
5. Boundary walls and Internet gateways – Keep out the casual wanderers
When you’ve set up the Cyber Essentials… you’ll be ready to assess the risk…
Anything else? Watch this space...
How can you show you care?
Talk to IASME… How can you show you care?
It’s all about IASME
• MoD recognise the IASME governance certificate
• Biggest market share of basic level CE certifications
• IASME only AB on the original panel which defined Cyber Essentials
• IASME…designed for SMEs but also certifies the largest companies: BAE, KPMG, Honeywell, FireEye etc.
• ~90 basic certifications/month (rising)
• Rolling out CE and IASME overseas.
– Training up local IT / security companies to be Certification Bodies and conduct the assessments
– Raise level of basic cyber security abroad
– Happy to discuss with any country
• Why IASME over other Accreditation Bodies?
– IASME help clients…not just ‘pass/fail, pay again’
– IASME assessment questions are free (others charge first)
– IASME CBs can help clients achieve it (others run a separate scheme to charge consultants)
– IASME is the lowest cost on the market – £300 including cyber insurance
– Some CBs charge £2,000
– IASME charges one price including optional Governance (recognised by MoD and others)
Choice of certification body:
• APMG: 2
• QG: 7
• CREST: 35
• IASME: 49
The scale of trust…
[Figure: a scale of trust running from self-assessment to independent, third-party assessment]
But it’s about doing good stuff – not the badge…
Size of companies certified to Cyber Essentials by IASME CBs:
• Micro: 255
• Small: 214
• Medium: 116
• Large: 90
Note: ISO/IEC 27001 ≠ Cyber Essentials
Where do you go from here…?
IASME – Information Assurance for SMEs
Identify – Protect – Detect and Deter – Respond and Recover
Cyber essentials and IASME
EU agencies and companies enable security in your supply chains for £300 per participant with
ISO/IEC 27001
An international standard for information security
ISO/IEC 27001:2013
So…what will you do?
Cyber security essentials
[Figure: the threat spectrum – low-level, rudimentary threats, insider threats, sophisticated advanced persistent threats/targeted attacks – mapped against the attack surface, with ISO/IEC 27001, IASME and the SOGP layered above the Cyber Essentials, a live ‘self-preservation’ response, and a defence formation alongside a retaliation formation.]