
Compliance & Security for the SME

Definition of an SME
An SME is defined as:
Turnover of less than £5 million
Less than 250 employees


The Pain
80% of malware easily targets the SME
70%+ of SMEs are trivially breached
Misplaced accountability
Vendor confusion

SME view of Compliance
My web designer does my website.
What's a cookie?
My bank does my PCI.
How many pages?

SME view of Information Security
I have [often free] anti-virus; that stops all attacks.
My ISP stops hackers.
Windows Update takes too long.
What are application updates?
I won't get hacked, I am too small.
Have you seen this funny cat picture?


5 Common Obligations
1. Data Protection Act 1998
2. Privacy and Electronic Communications Regulations 2003
3. Payment Card Industry Data Security Standard
4. Consumer Protection (Distance Selling) Regulations 2000
5. Email Privacy and CAN-SPAM

5 Common Failings
1. Weak passwords
2. [insert name here] cloud storage
3. No idea what information is held
4. AV/AM out of date by six months
5.


Starting a Change
IT is a business enabler, not a business.
Let's talk business.
Stop using the latest buzzwords.
Compliance is NOT security.
Look long term.

Control access to information
Make regular backups, and test them!
Prevent data theft
Protect assets
Strengthen physical security
Educate and train staff
Plan for information security
Handle security incidents

Hedgehog provides
Vulnerability management
Regular penetration testing
IASME consulting
ISO 27001 consulting
Information security management


Slide deck from Infosecurity Europe 2011. My presentation on compliance and security for the small and medium-sized business.