The chief of a UK information assurance firm has urged the cyber security industry to improve its engagement with small and medium-sized enterprises (SMEs).
“There is a lot of focus from the information security industry at the high end,” Emma Philpott, chief executive of the IASME Consortium, told the ISSE 2015 security conference in Berlin.
“The approach has to be simple, there must be no cyber speak, SMEs should not be made to feel bad and the cost must always be as low as possible when engaging with SMEs,” she said.
Philpott said it is also important to focus on the positives, encourage SMEs to take small steps towards better cyber security and to reward any progress made.
Engagement by the information security industry is necessary, she said, because SMEs typically do not bother about cyber security.
The main reasons for this, she said, are that SME customers seldom ask for information assurance; SMEs do not understand the threat to their business, especially from cyber crime; they do not know what to do; expertise is expensive; and they are typically too busy keeping the business afloat.
“Another key problem is that SMEs do not hear about other SMEs being breached in cyber attacks, either because those SMEs targeted attempt to keep it quiet or they simply do not know that they were breached,” said Philpott.
As a result, levels of cyber security are typically very low in SMEs, and even in larger companies.
“The assumption is that the levels of cyber security are higher than they actually are, but most SMEs are doing nothing, which is quite shocking,” she said.
Another common problem is that cyber security requirements are not flowing down supply chains: SME suppliers are often unable to meet them, so the requirements are routinely waived rather than enforced.
“Companies are making exceptions for suppliers not able to meet the cyber security requirements, which is introducing key vulnerabilities for the whole supply chain,” said Philpott.
Essential security controls
In an attempt to raise the cyber security posture of all UK companies, the government developed the Cyber Essentials Scheme (CES) in collaboration with IASME and other partners.
The scheme is based on research findings that many companies that are breached typically lack basic security controls.
CES identifies five essential security controls and enables companies to obtain certification that they have implemented these controls.
From 1 October 2014 the UK government has required CES certification of suppliers bidding for central government contracts that involve handling sensitive or personal data, with an initial focus on the healthcare and military sectors.
“The five technical controls are extremely basic things like anti-malware, patching, access control, firewalls and network management, yet they are not being done by many companies,” said Philpott.
The basic certification is awarded on the strength of a self-assessment questionnaire that is reviewed by an assessor, but the questionnaire must be signed off as a true statement by a board member.
“This is powerful because it forces boards to take responsibility for the cyber security of their companies as they would be guilty of fraud if they were found to have signed off an assessment that made false claims,” said Philpott.
CES Plus is the audited version, in which the assessor carries out external and internal vulnerability testing rather than relying on the self-assessment alone. Both versions can be combined with IASME's governance certification, which includes insurance and support.
CES certification finds little IT security awareness among SMEs
Since CES was introduced in April 2014, IASME has received 460 applications for certification, of which 258 were awarded CES certification and 171 combined CES and IASME governance certification.
Applicants have included companies of all sizes, said Philpott, but the largest number have been micro enterprises. "That's brilliant and just what we want," she said.
Through the certification process, IASME has learned that most SMEs do not understand the concept of a network boundary (which devices and connections sit at the edge of their network and face the internet), do not realise that they remain responsible for security even when they outsource it, and do not realise that anti-malware is needed on all devices, not just desktop computers.
Many also do not realise that they need to change default passwords, especially on routers, and that the home office environment needs to be protected, since equipment used for work from home is inside the scope of the assessment.
“And the biggest reason we have seen so far for companies failing to achieve accreditation is their dependence on non-supported software, which is usually Windows XP,” said Philpott.
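The failures Philpott lists (unsupported operating systems, anti-malware missing on some device types, default passwords left on routers, and a network boundary that forgets home-office equipment) are easy to pre-check against a device inventory before paying for an assessment. The script below is an added example written for this article, not IASME's or the scheme's own tooling; the inventory is constructed, the four checks are an interpretation of the findings reported above rather than the scheme's questionnaire, and the end-of-support dates are the vendor's published extended-support end dates for the products listed.

```python
"""Pre-check a small firm's device inventory against the common Cyber
Essentials failures described in the article.  Example code, not the
scheme's own assessment; the inventory below is constructed."""
from datetime import date

# Vendor end-of-extended-support dates (published Microsoft dates).  The
# table is deliberately short; anything not listed is reported as unknown.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows vista": date(2017, 4, 11),
    "windows 7": date(2020, 1, 14),
    "windows 8.1": date(2023, 1, 10),
}

# Device types that run user software and therefore need anti-malware.
ENDPOINT_TYPES = {"desktop", "laptop", "mobile"}


def _as_date(as_of):
    """Accept a date or an ISO string such as '2015-11-01'."""
    return date.fromisoformat(as_of) if isinstance(as_of, str) else as_of


def support_status(os_name, as_of):
    """'supported', 'unsupported' or 'unknown' for an OS on the assessment
    date.  Unknown products are flagged for a manual vendor check rather
    than silently passing."""
    eol = END_OF_SUPPORT.get(os_name.strip().lower())
    if eol is None:
        return "unknown"
    return "supported" if _as_date(as_of) < eol else "unsupported"


def assess(inventory, as_of):
    """Return (host, control, message) findings; an empty list means the
    inventory shows none of the four common failures."""
    findings = []
    for d in inventory:
        host = d["host"]
        if d["type"] in ENDPOINT_TYPES:
            status = support_status(d["os"], as_of)
            if status == "unsupported":
                findings.append((host, "patching",
                                 f"{d['os']} no longer receives security updates"))
            elif status == "unknown":
                findings.append((host, "patching",
                                 f"support status of {d['os']} unknown; check with vendor"))
            if not d.get("anti_malware", False):
                findings.append((host, "malware",
                                 f"no anti-malware on a {d['type']}"))
        if d.get("default_credentials", False):
            exposure = "internet-facing " if d.get("internet_facing") else ""
            findings.append((host, "access control",
                             f"default password still set on {exposure}{d['type']}"))
    return findings


def boundary_devices(inventory):
    """Hosts that form the network boundary: everything that faces the
    internet, including home routers used for work."""
    return sorted(d["host"] for d in inventory if d.get("internet_facing"))


def passes(inventory, as_of):
    return not assess(inventory, as_of)


# Constructed inventory for a five-device micro business (not real data).
SAMPLE_INVENTORY = [
    {"host": "reception-pc", "type": "desktop", "os": "Windows XP",
     "anti_malware": True, "location": "office"},
    {"host": "finance-laptop", "type": "laptop", "os": "Windows 7",
     "anti_malware": True, "location": "office"},
    {"host": "sales-phone", "type": "mobile", "os": "Android 5.1",
     "anti_malware": False, "location": "mobile"},
    {"host": "office-router", "type": "router", "os": "vendor firmware",
     "internet_facing": True, "default_credentials": True, "location": "office"},
    {"host": "home-router-ann", "type": "router", "os": "vendor firmware",
     "internet_facing": True, "default_credentials": False, "location": "home"},
]

if __name__ == "__main__":
    for host, control, msg in assess(SAMPLE_INVENTORY, "2015-11-01"):
        print(f"{host:16} {control:15} {msg}")
    print("boundary:", ", ".join(boundary_devices(SAMPLE_INVENTORY)))
```

Run against the sample inventory with an assessment date in late 2015, the check flags the XP desktop, the phone with no anti-malware and an unknown OS, and the office router still on its default password; the home router appears in the boundary list so it is not forgotten when the boundary is drawn. Moving the assessment date past January 2020 would also flag the Windows 7 laptop, which is the point of keying the check to a date rather than a fixed list of "bad" products.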
In closing, she reiterated her call on the information security industry to engage with SMEs to make cyber security more accessible: “The levels of cyber security are incredibly low in SMEs, which typically need the help of an external team to implement. They want to be secure, but it has to be easy and affordable.”