BreachExchange mailing list archives

SMEs often a ‘weak link’ for cyber attacks, experts warn


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Nov 2014 18:46:37 -0700

http://www.computerworlduk.com/news/security/3583875/smes-often-a-weak-link-for-cyber-attacks-experts-warn/

Cyber security professionals need to improve the way they communicate risks
to SMEs, according to the Institute of Chartered Accountants in England and
Wales (ICAEW).

During a panel debate at the Parliament & Internet conference the
association claimed that a “language disconnect” between small businesses
and security experts is leaving SMEs open to online attacks.

George Quigley, chair of the ICAEW’s IT faculty, said that too many SMEs
are yet to be convinced that online security is particularly relevant or
worthy of prioritisation and need more evidence before spending money.

He said: “We can use basic guidance to get rid of 80 percent of the
problem. But security professionals need to be better at explaining what it
means for the business. SMEs are not going to buy security products if they
don’t understand them.”

Firms “not getting basics right”

Gerry Penfold, risk consulting partner at KPMG, echoed Quigley’s view that
“many organisations are still not getting the basics right”.

He suggested that part of the issue is that firms need to see security as a
business issue first and foremost rather than just a technical issue for
the IT department.

Penfold advised: “Organisations have to accept a degree of risk. They
should identify critical information assets and make them their highest
priority for protection.”

Simon Kendall, assistant director for cyber security at the Department for
Business, Innovation and Skills (BIS), agreed that “ensuring a basic level
of protection cuts out most of the threat”.

He encouraged businesses to certify themselves for the ‘Cyber Essentials’
standard, launched by the government in April to allow organisations to
prove that they are working to protect themselves against the risks of
operating online.

Kendall said the scheme “points to what good looks like” and “represents
the basics” that businesses should be doing to protect themselves.

Mandatory disclosure

However Quigley suggested current initiatives do not go far enough, and
said that the government should consider introducing mandatory disclosure
rules for breaches involving personal data loss.

He said such a rule would “mean that firms can see the issue in full” and
“realise the relevance” of protecting themselves.

Penfold agreed that the government should consider obliging firms to
disclose serious breaches, as is already the case in the US.

He said: “The government hopes we can get there without mandatory
reporting. But we don’t seem to be getting there.”

Kendall said that the current government did not want to enforce disclosure
of breaches. However he indicated that an upcoming review could lead to a
change in policy.

He said: “The current government says that mandatory breach disclosure is
not something they want to enforce, as businesses don’t want to air dirty
laundry and they feel that if the UK goes down this route alone, it could
damage our reputation.”

But he added that there is an election coming up and the official cyber
security strategy is due to be reviewed and updated shortly after that.

“A lot of ministers say it [online security] remains a considerable threat,
so we can expect something to come out from the strategic review”, he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 