Cyber Security for SMEs

Comprehensive cyber security is expensive. But that’s no excuse for not doing the simple things that will protect you most of the time.

Think of it this way: just because you can’t afford 24-hour manned patrol of your premises doesn’t mean you should go home at night leaving all the doors unlocked and the windows wide open.

Here are ten activities, recommended by the UK National Cyber Security Centre in its "10 Steps to Cyber Security", that we've analysed to demonstrate how cyber security impacts all business processes. We've added some columns to help evaluate those activities.

10 Precautions to Protect Your Business Against Most Cyber Security Threats

| # | Precaution | What it involves | P-D-C-A cycle | Activity type | Focus on |
|---|---|---|---|---|---|
| 1 | Cyber Project Team | Involve functional heads from across the organization. Analyse ICT systems and requirements. Develop policies. Develop a project plan. Implement and control the plan. Establish a cyber incident management team. | P | Proactive | People |
| 2 | Manage User Privilege | Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs. | P, D, C, A | Proactive | People |
| 3 | Network Security | Protect your networks against external and internal attacks. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls. | P, C | Proactive, Reactive | Infra* |
| 4 | Control Removable Media | Produce a policy to control all access to removable media (e.g. flash drives). Limit media types and use. Scan all media for malware before importing into corporate systems. | P, D | Proactive | People |
| 5 | Home & Mobile Working | Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build** to all devices. | P, D | Proactive | People |
| 6 | Malware Prevention | Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organization. | P, D, C | Proactive | Infra* |
| 7 | Training & Awareness | Develop user security policies covering acceptable and secure use of ICT systems. Establish a training programme including induction training. Maintain awareness through ongoing refresher training or events. | P, D | Proactive | People |
| 8 | Secure Configuration | Apply security patches promptly and maintain secure configuration of all ICT systems. Create a system inventory (information assets) and define a baseline build** for all ICT devices. | D | Proactive | Infra* |
| 9 | Monitoring | Establish a monitoring strategy and develop supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack. | P, C, A | Reactive | Infra* |
| 10 | Incident Management | Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement. | C, A | Reactive | People |

Key to the P-D-C-A column: P = Plan, D = Do, C = Check, A = Act.

* - Infrastructure (hardware and software)

**- Security baselines: Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization.

For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is the need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
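Precaution 2 in the table starts with knowing who actually holds privilege, which on most small networks is more accounts than anyone expects. The following Python script is an added example, not code from the original article, from NCSC or from deGRANDSON: it audits a Linux host's passwd and group files and lists every account that is root-equivalent, either because its UID is 0 (a second "root" under another name) or because it belongs to an administrative group. The file contents are constructed for the example, and the set of groups treated as administrative (including `docker`, whose members can start containers that mount the host filesystem as root) is an assumption you would adjust to your own build.

```python
"""Audit privileged accounts on a Linux host from passwd- and group-format text.

Added example for precaution 2 (Manage User Privilege). The sample file contents
below are constructed for the example and are not from a real system; on a real
host, read /etc/passwd and /etc/group and pass their contents in.
"""

# Constructed sample contents (not real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1000:1000:Jane Smith:/home/jsmith:/bin/bash
contractor:x:1001:1001:Temp contractor:/home/contractor:/bin/bash
legacyadmin:x:0:0:Old admin account:/root:/bin/sh
svc-backup:x:1002:1002:Backup service:/var/backups:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:jsmith,contractor
wheel:x:10:
docker:x:999:svc-backup,contractor
users:x:100:
"""

# Assumption: groups whose membership confers root-equivalent power. `docker`
# is included because its members can run containers that mount the host
# filesystem as root. Extend this set to match your own baseline build.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "docker"}


def parse_passwd(text):
    """Return {username: (uid, primary_gid, shell)} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = (int(uid), int(gid), shell)
    return accounts


def parse_group(text):
    """Return {groupname: (gid, set(members))} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def privileged_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Map each privileged account to the list of reasons it is privileged.

    Reasons are 'uid0' for any account whose UID is 0 (root-equivalent whatever
    it is called) and 'group:<name>' for membership of an administrative group,
    whether through the primary GID in passwd or the member list in group.
    """
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    findings = {}
    for user, (uid, gid, _shell) in accounts.items():
        reasons = []
        if uid == 0:
            reasons.append("uid0")
        primary = gid_to_name.get(gid)
        if primary in admin_groups:
            reasons.append(f"group:{primary}")
        for gname, (_gid, members) in groups.items():
            if gname in admin_groups and user in members:
                reasons.append(f"group:{gname}")
        if reasons:
            findings[user] = reasons
    return findings


def extra_root_accounts(findings):
    """UID-0 accounts other than root: each is a second root login that a
    privilege review should normally remove or justify in writing."""
    return sorted(u for u, reasons in findings.items()
                  if "uid0" in reasons and u != "root")


if __name__ == "__main__":
    found = privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)
    for user, reasons in found.items():
        print(f"{user:12s} {', '.join(reasons)}")
    print("extra UID-0 accounts:", extra_root_accounts(found))
```

Run against the constructed data it reports five privileged accounts out of six, including `legacyadmin`, a forgotten UID-0 login that no group listing would reveal, and `svc-backup`, a no-shell service account that is nonetheless root-equivalent through `docker`. Re-run it on every host as part of the Check step and compare the list with the one the Cyber Project Team approved.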

Analysis of the 10 Precautions Against Cyber Security Threats


There are three points we’d like you to notice about the table:

  1. We’ve characterised the activities using the P-D-C-A Cycle (Plan-Do-Check-Act) and you’ll notice how much effort must be devoted to planning and the development of policies and strategies suited to the nature of the business.
  2. Considering the business from a cyber security point of view will be a significant learning experience for many of the Cyber Project team. Some training of the team may be needed, especially regarding incident management.
  3. The majority of activities are proactive rather than reactive, and there may well be a resource deficiency relating to activities such as white hat testing of ICT systems. External resources may be required from time to time to test systems and maintain effectiveness.

Notice too how the focus is predominantly on people. Those of a technical bent often seek solutions to problems in technology (where they’re comfortable) rather than in people (where they’re less comfortable). But experience shows that the weakest link in cyber security is people. Training and awareness must be a major component of any effective plan to achieve and maintain cyber security.
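Precaution 9 (Monitoring) is one of the two reactive items in the table, and it is the one that tells you when the proactive precautions have failed. The script below is an added example, not code from the original article or from NCSC: it implements the "analyse logs for unusual activity" step over a handful of constructed sshd-style authentication log lines, flagging any source address that fails to log in five times within five minutes and escalating the alert if that same address then logs in successfully, which is the pattern that most needs a person to look at it. The sample lines, the thresholds and the assumed year (syslog timestamps carry none) are all assumptions of the example.

```python
"""Detect brute-force login activity in sshd-style authentication logs.

Added example for precaution 9 (Monitoring). The log lines below are constructed
for the example and are not from a real system; on a Linux host you would feed
in /var/log/auth.log or the output of `journalctl -u ssh` instead.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 fails five times
# in seven seconds and then succeeds; 192.0.2.25 is a user mistyping once.
SAMPLE_LOG = """\
Mar  3 09:12:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 fileserver sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:05 fileserver sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:12:06 fileserver sshd[2107]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 09:12:08 fileserver sshd[2109]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Mar  3 09:12:11 fileserver sshd[2111]: Accepted password for jsmith from 203.0.113.7 port 51032 ssh2
Mar  3 09:30:44 fileserver sshd[2140]: Failed password for jsmith from 192.0.2.25 port 40110 ssh2
Mar  3 09:31:02 fileserver sshd[2142]: Accepted password for jsmith from 192.0.2.25 port 40112 ssh2
Mar  3 10:05:17 fileserver sshd[2201]: Accepted publickey for backup from 192.0.2.40 port 39000 ssh2
"""

# Matches the common syslog + sshd line shape: timestamp, host, sshd[pid],
# then "Accepted|Failed <method> for [invalid user] <user> from <src> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None for lines we don't model.
    Syslog timestamps have no year, so `year` is supplied by the caller (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source address that reaches `threshold` failed
    logins inside a sliding `window`. The alert kind is 'bruteforce', upgraded
    to 'bruteforce_then_success' if the same source later authenticates."""
    failures = defaultdict(deque)   # src -> timestamps of failures still in the window
    alerts = {}                     # src -> alert dict (one per source)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            recent = failures[src]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "kind": "bruteforce",
                               "failures": len(recent),
                               "first": recent[0], "last": ev["ts"]}
        elif src in alerts and alerts[src]["kind"] == "bruteforce":
            # A success after a flagged burst: treat as probable compromise.
            alerts[src]["kind"] = "bruteforce_then_success"
            alerts[src]["user"] = ev["user"]
            alerts[src]["last"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['kind']:24s} {alert['src']:15s} "
              f"{alert['failures']} failures {alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}"
              + (f" then login as {alert['user']}" if 'user' in alert else ""))
```

On the constructed data the single user who mistypes a password is ignored and 203.0.113.7 is reported as `bruteforce_then_success` with a login as `jsmith`, which is exactly the event that should page the incident management team from precaution 10. The threshold and window are the settings to tune on your own logs; a sensible next step is to add the same sliding-window logic per target username, so a slow attack spread over many source addresses is also caught.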

Further points of interest

Note 1: It’s not all about you! With the interlinking of information management systems nowadays, SMEs are often targeted as a weak link through which to breach the security of their customers, who may be large multinationals (and so the real target).

Note 2: Cyber security is NOT the same as Information Technology security. Physical security measures and the protection of hard-copy data also present vulnerabilities. See Annex A of ISO 27001:2013 for its list of 114 reference controls, which cover human resource, physical and environmental, and supplier security as well as the technical controls used to reduce risk.

Note 3: Consider certification to ISO 27001, the information security management system standard. Customers and potential customers may well respond very positively to your holding such certification. ISO 27001:2013 is the internationally-recognised Standard for an Information Security Management System (ISMS).

An ISMS provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization’s risk acceptance levels (that is, the level of risk you are prepared to accept).  

An ISMS is designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.

Check out the links above to learn more about ISO 27001 and the courses we offer, including ISO 27001 Lead Implementer Training for those wishing to implement an information security management system.


Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.
