SMEs: The Hacker’s Preferred Route into the Corporate World

Presentation Transcript


  1. SMEs: The Hacker’s Preferred Route into the Corporate World Richard Henson Worcester Business School r.henson@worc.ac.uk info@iasme.co.uk February 2012

  2. The Reality [Diagram: hacker → Internet… (600 million Gateways!) → UK critical infrastructure; two paths marked X]

  3. An Early Warning! • In April 2009, hackers accessed data concerning technical details of a US govt fighter jet via networks with supply chain partners • http://www.nextgov.com/nextgov/ng_20090421_4305.php • Conclusion: “…there needs to be a new-order requirement on companies doing business with the federal government.”

  4. What can be done about it? • Education? • Laws? • More shiny black boxes? • The Cloud? • An information security budget? • but what is the ROI on data

  5. US govt response… • Other 2009 examples: response to “Night Dragon” • establish a “trusted source” program for supply chain partners • VP of McAfee offered a strategy to achieve just that: • http://www.inboundlogistics.com/cms/article/security-guard-questions-and-answers-with-dennis-omanoff/#sidebar1

  6. Predictions… • Imperva, trends for 2012: • http://blog.imperva.com/2011/12/top-cyber-security-trends-for-2012-1.html • It couldn’t happen here?

  7. UK Government Advice • CESG provides guidance and advice: • best advice appears to be based on “ISO27001 compliance” • On the CPNI website now: • guidelines include 20 named technical controls to minimize the chance of a data breach… • acknowledge no guidance on physical or behavioural controls • Is “compliance” with guidelines, standards, and regulations enough?

  8. Will “compliance” stop this? [Diagram: hacker → Internet… (600 million Gateways!) → UK critical infrastructure; two paths marked X]

  9. Compliance and Certification • Not just playing with words! • compliance does not require evidence to back up claims that guidelines etc. are being followed • certification is only achieved by providing evidence, in a systematic way, to prove that the guidelines etc. are being adhered to

  10. ISO27001 Certification and SMEs • An ISMS has to be the way forward… • SMEs not shy of certification. Many already have: • ISO9001 – QMS • ISO14001 – EMS • ISO18001 – H&SMS • Logical next step to go for ISO27001?

  11. Research Evidence, 2008-10 • Combination of academic research… • Coles-Kemp, Barlette et al, • and corporate research: • Verizon, PWC, PGP, Symantec • Conclusions: • Main interest in ISO27001 in Pacific Rim (!)

  12. SMEs and Information Assurance • Few UK SMEs get ISO27001 certified • regarded as too time consuming, too expensive… • little ROI… • “compliance is the English way” • UK (2012) still showing little sign of: • bring in new laws… • educating about information security • so why bother!?!?!

  13. There’s a whole world out there to do business with!

  14. The Global Supply Chain • Global companies merely seeking “compliance” from partners are taking quite a risk… • Pacific Rim supply chain leaders/hubs becoming increasingly ISO27001 (not compliance) focused • US getting its act together regarding supply chain hubs/partners via the Dept of Homeland Security & a focus on cybersecurity

  15. Global Enterprises… which SME would you trade with? • Information security not the main factor • But what if the other factors are roughly equal? • which would you choose? • certification (evidence…) • or “compliance” (talk…) • Real danger that UK SMEs could lose out on contracts on information security grounds… • may already be losing out!

  16. Asia (Pacific Rim) • Led by Japan, Taiwan… • Certification is supply chain driven • Impressive take-up of ISO27001 certification (approx 80% of the world’s ISO27001 certificates)

  17. US has got the message… • Latest from Omanoff [VP McAfee] (29/10/11): • “… an increase in attacks targeted at industrial systems and embedded devices has raised the risk that manufacturing facilities and other supply chain links could be infected.”

  18. UK SME Priorities for 2012 • Omanoff quote used on a UK technology reporting website (v3.co.uk) • http://www.v3.co.uk/v3-uk/news/2121005/mcafee-offers-advice-securing-supply-chains • Same website: survey for businesses: “main priority for the new year?” • 98% reducing costs • 1% make more use of social media & cloud • 1% improve information security

  19. Not all doom and gloom! • What if UK SMEs can be convinced that better information security brings about “reducing costs”? • Whole academic field based on such matters: “Economics of Information Security” • findings rarely get to SMEs… They should!!!

  20. The Future • SMEs will find more stringent requirements on security from global supply chain hubs/leaders • Evidence of good information security will be a key factor in getting contracts • that means education, and certification… • UK government needs to use every means possible to directly support SMEs in helping themselves • offering funding top-down to agencies and expecting it to filter to SMEs seems naive