
Compliance & Security for the SME


Definition of an SME
An SME is defined as:
Turnover of less than £5 million
Less than 250 employees


THE SME NOW


The Pain
80% of malware easily targets the SME
70%+ of SMEs are trivially breached
Misplaced accountability
Vendor confusion


SME view of Compliance
My web designer does my website
What's a cookie?
My bank does my PCI
How many pages?


SME view of Information Security
I have [often free] anti-virus, that stops all attacks
My ISP stops hackers
Windows update takes too long
What are application updates?
I won't get hacked, I am too small
Have you seen this funny cat picture?


WHAT HAS BEEN OBSERVED


5 Common Obligations
1. Data Protection Act 1998
2. Privacy and Electronic Communications Regulations 2003
3. Payment Card Industry Data Security Standard
4. Consumer Protection (Distance Selling) Regulations 2000
5. Email Privacy and CAN-SPAM


5 Common Failings
1. Weak passwords
2. [insert name here] cloud storage
3. No idea what information is held
4. AV/AM out of date by six months
5.


WHAT CAN WE DO


Starting a Change
IT is a business enabler, not a business. Let's talk business.
Stop using the latest buzzwords.
Compliance is NOT Security
Look long term


Control Access to Information
Make Regular Backups & Test!
Prevent Data Theft
Protect Assets
Strengthen Physical Security
Educate and Train Staff
Plan for Information Security
Handle Security Incidents


Hedgehog provides
Vulnerability Management
Regular Penetration Testing
IASME consulting
ISO 27001 consulting
Information Security Management

Compliance and Security for the SME  

Slide deck from Infosecurity Europe 2011. My presentation on compliance and security for the small and medium-sized business.