Compliance & Security for the SME
Definition of an SME
An SME is defined as:
- Turnover of less than £5 million
- Fewer than 250 employees
THE SME NOW
The Pain
- 80% of malware easily targets the SME
- 70%+ of SMEs are trivially breached
- Misplaced accountability
- Vendor confusion
SME view of Compliance
"My web designer does my website."
"What's a cookie?"
"My bank does my PCI."
"How many pages?"
SME view of Information Security
"I have [often free] anti-virus, that stops all attacks."
"My ISP stops hackers."
"Windows update takes too long."
"What are application updates?"
"I won't get hacked, I am too small?"
"Have you seen this funny cat picture?"
WHAT HAS BEEN OBSERVED
5 Common Obligations
1. Data Protection Act 1998
2. Privacy and Electronic Communications Regulations 2003
3. Payment Card Industry Data Security Standard
4. Consumer Protection (Distance Selling) Regulations 2000
5. Email Privacy and CAN-SPAM
5 Common Failings
1. Weak passwords
2. [insert name here] cloud storage
3. No idea what information is held
4. AV/AM out of date by six months
5.
WHAT CAN WE DO
Starting a Change
- IT is a business enabler, not a business. Let's talk business.
- Stop using the latest buzzwords.
- Compliance is NOT Security.
- Look long term.
- Control Access to Information
- Make Regular Backups & Test!
- Prevent Data Theft
- Protect Assets
- Strengthen Physical Security
- Educate and Train Staff
- Plan for Information Security
- Handle Security Incidents
Hedgehog provides
- Vulnerability Management
- Regular Penetration Testing
- IASME consulting
- ISO 27001 consulting
- Information Security Management