SMEs and Cyber Security - EEMA

Page 1:

Visit www.iasme.co.uk or call 03300 882 752

SMEs and Cyber Security

Why bother?

Dr Daniel G. Dresner MInstISP

[email protected]

Page 2:

Why should SMEs bother with cyber security?

• Why should you care?

• What can you do to care?

• How can you show you care?

• Where do you go from here…?

Page 3:

Why should you care?

Page 5:

Why should you care?

Of kill chains and food chains…

Page 6:

SMEs are the way to the big fish*

* or whales of course…

Page 7:

The after shock

Source: University of Texas

Page 8:

Why should SMEs bother?

• Customers do not generally ask for assurance

• SMEs don’t understand the threat

• SMEs don’t understand what to do

• Experts are very expensive

• SMEs don’t hear of other SMEs being breached

• Much more urgent things to worry about

Page 9:

So what bothers you?

• Identity theft and resulting fraud

• Competitors knowing your plans

• Targeted attacks through multiple channels ‘APTs’

• Surface web…deep web…dark net

• Hacktivism

• Stolen blueprints

• Disrupted utilities

• Contaminated industrial processes

• Lost data in ‘the cloud’

• Surveillance and anonymity

• Destabilised financial markets

Page 10:

What can you do to care?

Page 11:

What’s to do…?

Figure: threat sophistication plotted against your attack surface, from low level (rudimentary) threats, through insider threats, to sophisticated advanced persistent threats / targeted attacks.

Page 12:

Starting with… 5 cyber essentials

Page 13:

Cyber essentials

• The UK Government reviewed successful cyber attacks over the last few years.

• A small number of technical measures would have stopped most of these attacks from succeeding.

• The Cyber Essentials scheme aims to get all companies to implement these 5 most important controls.

• Mandated in UK Government contracts since October 2014.

Page 14:

• Patch management: it is broken, so do fix it

• Malware protection: no excuses! Vaccinate!

• Access control: least privilege

• Secure configuration: out of the box… into the fire

• Boundary walls and Internet gateways: keep out the casual wanderers

When you’ve set up the Cyber Essentials… you’ll be ready to assess the risk…

Page 15:

Anything else? Watch this space...

Page 16:

How can you show you care?

Page 17:

How can you show you care? Talk to IASME…

Page 18:

It’s all about IASME

• MoD recognise the IASME governance certificate

• Biggest market share of basic level CE certifications

• IASME only AB on the original panel which defined Cyber Essentials

• IASME… designed for SMEs but also certifies the largest companies too: BAE, KPMG, Honeywell, FireEye etc.

• ~90 basic certifications/month (rising)

• Rolling out CE and IASME overseas.

– Training up local IT / security companies to be Certification Bodies and conduct the assessments

– Raise the level of basic cyber security abroad

– Happy to discuss with any country

• Why IASME over other Accreditation Bodies?

– IASME help clients… not just ‘pass/fail, pay again’

– IASME assessment questions are free (others charge first)

– IASME CBs can help clients achieve it (others run a separate scheme to charge consultants)

– IASME is the lowest cost on the market – £300 including cyber insurance

– Some CBs charge £2,000

– IASME charges one price including optional Governance (recognised by MoD and others)

Choice of certification body: APMG 2 · QG 7 · CREST 35 · IASME 49

Page 19:

The scale of trust… from self assessment to independent, third-party assessment

But it’s about doing good stuff – not the badge…

Page 20:

Size of companies certified to Cyber Essentials by IASME CBs:

• Micro: 255

• Small: 214

• Medium: 116

• Large: 90

Note: ISO/IEC 27001 ≠ Cyber Essentials

Page 21:

Where do you go from here…?

Page 22:

What’s to do…?

Figure: threat sophistication plotted against your attack surface, from low level (rudimentary) threats, through insider threats, to sophisticated advanced persistent threats / targeted attacks.

Page 23:

IASME: Information Assurance for SMEs

• Identify

• Protect

• Detect and Deter

• Respond and Recover

Page 24:

What’s to do…?

Figure: threat sophistication plotted against your attack surface, from low level (rudimentary) threats, through insider threats, to sophisticated advanced persistent threats / targeted attacks.

Page 25:

EU agencies and companies: enable security in your supply chains for £300 per participant with Cyber Essentials and IASME

Page 26:

ISO/IEC 27001

An international standard for information security

Page 27:

ISO/IEC 27001:2013

Page 28:

So…what will you do?

Page 29:

Figure: the threat-sophistication scale (low level/rudimentary threats, insider threats, sophisticated threats, advanced persistent threat/targeted attack) plotted against the attack surface, overlaid with Cyber security essentials, ISO/IEC 27001, IASME and SOGP; a live ‘self-preservation’ response; and a defence formation and a retaliation formation.
