
SMEs, Information Security, and the Bottom Line






Presentation Transcript


  1. SMEs, Information Security, and the Bottom Line • Richard Henson, University of Worcester • Bruce Hallas, Marmalade Box

  2. Objectives of Session • Accept that: • latest survey statistics show that information assurance is not meeting expectations • current perceptions of information security in most SMEs across Europe is part of the problem • economic factors currently working against information risk management could be turned into drivers for good practice • businesses in some parts of the world are taking information assurance very seriously; knock-on effects for competitiveness of European businesses…

  3. Information Security and Information Assurance • Information Assurance is the practice of managing information-related risks • also known as Information Risk Management but subtle differences • relates closely to Information Security • security tends to focus more on operational management aspects • assurance looks at the management processes that drive security operations

  4. Effectiveness of Information Assurance • PriceWaterhouseCoopers survey (2008): • US, data breaches reported • Germany, • UK, data breaches reported • PriceWaterhouseCoopers (2009): • US, data breaches reported • Germany, • UK, data breaches reported

  5. Why not headline news? • Problem been brewing for some time… • Organisations certainly haven’t been doing nothing to combat risk… • problem regarded as complex • taking proper precautions expensive • wrong people often targeted to roll out a solution • Still not getting it right… • and this is large organisations and public sector with all their available resources!

  6. The SME and Data Breaches • May not even know if they’ve had a breach… • no legal obligation to disclose in many countries • so if they do find they’ve had a breach, just keep quiet? and fix it? • This has been going on for years, and SMEs have been “getting away with it” • Current situation: • no publicity about data breaches… • huge amount of publicity about the recession… • they could be forgiven for thinking there is nothing much for them to worry about regarding information security!?!

  7. Why don’t organisations do Information Assurance Properly? • Complexity relates also to technology and organisational structure • IT manager • often expected to safeguard information systems • usually not in a senior role • IT not seen as of strategic importance • Reality: “information security is everyone’s responsibility” • Need to understand cash flow implications • needs a senior management steer

  8. Benchmarking Good Information Assurance practice • At one time, many “standards”: • Quote from Tanenbaum… wait a year… • ISO 27001 now generally accepted • Research on ISO 27001 certificates awarded: • within Europe • outside Europe • as the recession has “bitten”

  9. Research Findings • see paper… quoted per capita… • Within Europe • UK high • Austria, Czech Republic, Hungary high • elsewhere low… • Outside Europe • mostly low • Japan and Taiwan very high… Why?

  10. ISO 27001 over time • Certificates awarded from late 2008 on… • no appreciable slowdown • recession effect not significant • same trends across countries/continents • big jumps • Japan & Taiwan • Austria, Hungary, Czech Republic • little movement • France • Africa • Australasia

  11. Policy and Reality • Many survey methods use a low baseline for measuring organisational information assurance: • existence of an information security policy • Yet on its own such a document has no effect… To follow just “the spirit” of ISO 27001 requires: • procedures • risk assessment • education • putting controls in place

  12. UK, West Midlands SMEs and ISO certification • Small online survey conducted by Worcester University (early 2009) • many showed little interest beyond acquiring an information security policy • itself essentially a tick-box exercise… • main driver for following ISO 27001 (in spirit if not in full certification) was business partners • 7% of sample had received such a request • main drivers against certification were cost and lack of a perceived need • Backed up by BSI (2008) findings - all organisations • 47% getting certified because of market pressures!!

  13. Conclusions • Continuing upward trend in times of recession an encouraging trend • Complex picture: • although most businesses are SMEs, most obtaining ISO certification are not SMEs • but many of those larger businesses obtaining ISO27001 will have SMEs in their supply chain… • will seek to influence SME partners to also get certification

  14. What has most impact on Information Security choices for SMEs? • Two areas identified and researched by UK Cybersecurity KTN special interest groups, supported by ESRC (Economic and Social Science Research Council): • Human Factors • Economics of Information Security (EIS)

  15. Human Factors • Human Factors groups identified many organisational problems • borne out in the high profile data breaches in government and large corporations • Conclusion: • Labelled as an IT problem • actually a management problem • organisations cannot improve information security with existing structure • information security part of information management • information management must be strategic and policy must apply to all employees

  16. Economics • Hard to apply to the balance sheet • a data breach might or might not happen… • in absence of hard data, rejected in risk assessment • Increased research since 2002: • many good economic “drivers” have emerged to encourage good information security

  17. Human Factors or Economics? • Human Factors groups • not much direct interest to SMEs • but will follow a change if seen as having a positive effect… • e.g. “taking” information management away from IT and making it a management issue • Economics group • of immediate interest to SMEs…

  18. SMEs and Motivation to improve Information Security • Large organisations slowly recognising that behaviour needs to change… • Small organisations more focussed on survival and making a profit… • more likely to be persuaded by economic arguments: • positive: “improve reputation; get new customers” • negative: “avoid costly data breaches, fines, etc.”

  19. Getting that Return on Investment • SME must have value for money… • EIS: basis for specifying a return on information security investment … • can give a measure of the value of data • risk assessment can predict the chance of a breach in next 5 years • can predict the cost of that breach…
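As an added illustration (not part of the presentation, and not the EIS group's own method) of how the three inputs this slide names combine into a return-on-investment figure: the 5-year breach probability is first converted to an annual probability, multiplied by the predicted breach cost to give an annual loss expectancy, and that is set against the cost and assumed risk reduction of each candidate control using the common ROSI formula. All figures, control names and reduction percentages are constructed for illustration.

```python
"""ROSI estimate from the three inputs on slide 19: a 5-year breach
probability, the predicted cost of that breach, and candidate controls.
Constructed example figures only; nothing here comes from the survey."""


def annual_probability(p_over_years: float, years: int = 5) -> float:
    """Convert a multi-year breach probability to a per-year one,
    assuming each year is independent: 1 - (1 - p) ** (1 / years)."""
    if not 0.0 <= p_over_years < 1.0:
        raise ValueError("probability must be in [0, 1)")
    return 1.0 - (1.0 - p_over_years) ** (1.0 / years)


def annual_loss_expectancy(p_over_years: float, breach_cost: float,
                           years: int = 5) -> float:
    """ALE = annual breach probability x cost of one breach."""
    return annual_probability(p_over_years, years) * breach_cost


def rosi(control_cost: float, risk_reduction: float,
         p_over_years: float, breach_cost: float, years: int = 5) -> float:
    """ROSI = (ALE * risk_reduction - control_cost) / control_cost.
    Positive means the control is expected to pay for itself each year."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    benefit = annual_loss_expectancy(p_over_years, breach_cost, years) * risk_reduction
    return (benefit - control_cost) / control_cost


def rank_controls(controls, p_over_years: float, breach_cost: float,
                  years: int = 5):
    """Return (name, rosi) pairs sorted best first for a list of
    (name, annual cost, fraction of breach risk removed) tuples."""
    scored = [(name, rosi(cost, reduction, p_over_years, breach_cost, years))
              for name, cost, reduction in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inputs (hypothetical SME): 50% chance of a breach in 5 years,
# GBP 250k predicted cost, three candidate controls with assumed effects.
FIVE_YEAR_BREACH_PROBABILITY = 0.50
BREACH_COST = 250_000.0
CANDIDATE_CONTROLS = [
    ("staff awareness training", 4_000.0, 0.30),
    ("managed firewall appliance", 9_000.0, 0.25),
    ("ISO 27001 certification", 15_000.0, 0.50),
]

if __name__ == "__main__":
    for name, value in rank_controls(CANDIDATE_CONTROLS,
                                     FIVE_YEAR_BREACH_PROBABILITY, BREACH_COST):
        print(f"{name:28s} ROSI = {value:+.2f}")
```

With these constructed figures the cheapest "people" control ranks first and the hardware box comes out negative, which is the kind of comparison the slide says EIS should make possible.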

  20. Getting a return on hardware • Another big issue for SMEs • attracted by the “black box” solution to security • often reject the “people” solution • will seek to blame people when the black box doesn’t deliver… • EIS could support providing ROI data on black box security solutions • Indirectly focus SMEs on human factors…

  21. Positive Motivators for SMEs • Having an industry-standard information security management system means they are doing all they can to protect data… • “Sell” this to: • consumers worried that their data might be compromised, and increase sales • supply chain partners who take security seriously, and increase sales partnerships

  22. Negative Motivators for SMEs • The Law… • so far, not coming down hard enough on data breaches • except in Japan! Since 2005, any organisation that holds 5000 or more records subject to heavy penalties or even jail • source: http://www.infoworld.com/d/security-central/japan-tightens-personal-data-protection-356 • “may” tighten up in Europe (2012 law – late?) • Banking Industry regulations… • PCI DSS compliance for SMEs engaged in online trading • mandatory WORLDWIDE from 1st October 2009

  23. Negative Motivators for SMEs • Operational Risk • effect on ability to trade • effect on ability to even function as a business • research shows that after a downtime of just 10 days, a business will rarely recover… • Reputational Risk • with industry bodies… • customers… • with general public…

  24. Others? • Knock-on infrastructure problems • SMEs make up 95% of businesses in UK (similar figures elsewhere?) • increasingly involved in on-line trading • easy target for criminals • recent UK experience with “chip-and-pin” • Shift in PUBLIC perception • recent surveys show people more sensitive to issues involving their data than previously • Now, data loss a regular media story…

  25. Summary of Findings • World has changed… • essential that SMEs have good information security to establish the trust necessary to do business digitally • Systems of support available (e.g. ISO27001 certification) but for a small business • perceived as too expensive even in times of boom • certainly too expensive in times of slowdown • Comparison studies with some leading economies: • most as bad as UK, if not worse • some are significantly better

  26. Summary of Findings • Need to spread evidence that company data is a valuable asset • would justify spending more to protect it • Urgent need to make SMEs more aware of the risks they are taking and consequences of a data breach…
