

28 March 2016 - Cyber Security for SMEs - You should be doing more

The government is urging companies of all sizes to increase their resilience to cyber attack, in order to safeguard their businesses and demonstrate their security credentials to customers and partners. Pick up any newspaper and you will find that yet another big company has suffered financial loss or a damaged reputation through cyber attack: Sony (December 2014), Talk Talk (November 2015), Lincolnshire County Council (January 2016). But there is a plethora of advice out there to help you.

Reasons for SMEs to do nothing:
  • "We have anti-virus"
  • "We are too small"
  • "It is too hard"
  • "It is too expensive"
  • "We do not know where to start"
  • "We will cross that bridge later"

A sensible discussion!
  • One approach is to try to scare you to death
  • Or try to drown you in techno babble
  • Or push "silver bullet" products
  • Need to avoid these routes and keep it practical and grounded

  • Cybercrime, e-crime, computer crime - it's all crime
  • Cybercrime: computer as tool or computer as target
  • Same old crimes are committed in new ways: destruction, sabotage, theft, fraud and extortion
  • Jargon terms: botnet/ddos, malware/exploits, spear phishing
  • Meaningful terms: sledgehammer, lock pick, con trick
  • Cyber threat actors: nation state, state proxy, organised criminal, hacker, hacktivist, competitor, journalist, researcher, partner, employee
  • Internet malware: exploit kits - breaking and entering
  • Internet malpeople: phishing or spear phishing - deception
  • Why should SMEs get cyber secure: (a) Theft, compromise or destruction of critical assets (b) Useful target practice for criminals (c) Stepping stone to bigger targets (d) Free processing power ("botnet") (e) Supply chain contracts: PCI-DSS, ISO27001, Data Protection Act, Freedom of Information Act, Official Secrets Act, etc.
  • "My key issue? Individuals and SMEs who have no mature risk management capability let alone cyber security" - Jamie Saunders, Director of National Cybercrime Unit, 30 October 2014
  • Simple risk management: assets, threats and vulnerabilities, e.g. threat = hackers; vulnerability = weak passwords; assets = customer data, credit card data, intellectual property


Cyber Essentials/Cyber Essentials Plus
  • Basic cyber security hygiene
  • Reduce vulnerability to basic cyber attack
  • Demonstrate security credentials to customers, investors, insurers, regulators

1. Boundary firewalls and Internet gateways
  • Aim: protect information, applications and computers against unauthorised access and leakage
  • Install firewalls and gateways
  • Configure and maintain rules
  • Change default passwords to strong
  • No remote administrator access
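A firewall rule set is only as good as its last review. As an added example (not from the original post or from the Cyber Essentials scheme), the Python below checks a small rule set for the two points above: a final deny-all rule so that anything not explicitly allowed is dropped, and no administration ports reachable from outside the assumed management network. The rule format, the port list and the sample rules are all constructed for the example; real firewalls export rules in their own formats.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Ports that expose device or server administration. Assumed list for the
# example; extend it for the products you actually run.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Networks from which administration is acceptable (constructed value).
MGMT_NETS = [ip_network("192.168.10.0/24")]


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR form
    dst_port: Optional[int]  # None means any port
    comment: str = ""


def review_rules(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []

    # 1. The last rule must drop everything that earlier rules did not allow.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and ip_network(last.src).prefixlen == 0 and last.dst_port is None):
        findings.append("no final deny-all rule: traffic that is not explicitly "
                        "allowed should be dropped")

    # 2. Inspect every allow rule for over-broad or remote-admin exposure.
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src = ip_network(r.src)
        if r.dst_port is None and src.prefixlen == 0:
            findings.append(f"rule {i}: allows every port from every source "
                            "(a default-allow in disguise)")
        if r.dst_port in ADMIN_PORTS and not any(src.subnet_of(m) for m in MGMT_NETS):
            findings.append(f"rule {i}: {ADMIN_PORTS[r.dst_port]} administration "
                            f"reachable from {r.src}")
    return findings


# Constructed sample rule set for a small office gateway.
SAMPLE_RULES = [
    Rule("allow", "0.0.0.0/0", 443, "public web site"),
    Rule("allow", "0.0.0.0/0", 22, "left over from the installer"),
    Rule("allow", "192.168.10.0/24", 22, "admin from the IT VLAN"),
    Rule("deny", "0.0.0.0/0", None, "default deny"),
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is rule 1, the SSH-from-anywhere rule an installer left behind; delete that rule and the set passes. The same check is worth repeating whenever a rule is added, because a single "temporary" allow is the usual way remote administration ends up exposed.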

2. Secure configuration
  • Aim: configure computers and network devices to reduce inherent vulnerabilities and provide minimum required service
  • Remove unnecessary user accounts
  • Change default passwords to strong
  • Remove unnecessary software
  • Disable "auto run" feature
  • Set up personal firewalls on PCs

3. Access control
  • Aim: ensure only authorised people have special access privileges and others have minimum required access
  • Formalise account creation
  • Strong user passwords
  • Restrict special access privileges
  • No admin access to email or Internet
  • Regular admin password change
  • Remove old and dormant accounts
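Dormant accounts and stale admin passwords are easy to find once you export the account list. As an added example (not from the original post), the Python below reads a constructed CSV export and flags accounts with no login for more than 90 days and administrator accounts whose password is older than 90 days. The column names, the thresholds and the sample rows are assumptions for the example; most directory tools can export equivalent columns.

```python
import csv
import io
from datetime import date

# Thresholds are assumptions for the example; set them from your own policy.
DORMANT_DAYS = 90             # no login for this long -> disable or remove
ADMIN_PASSWORD_MAX_DAYS = 90  # the "regular admin password change" point

# Date the review is run (fixed so the example is reproducible).
AS_OF = date(2016, 3, 28)

# Constructed sample export; real directory tools export similar columns.
SAMPLE_EXPORT = """\
username,is_admin,last_login,password_changed
alice,no,2016-03-20,2016-01-05
bob,yes,2016-03-25,2015-09-01
temp-contractor,no,2015-10-02,2015-10-02
backup-svc,yes,2015-11-30,2015-06-15
"""


def review_accounts(export_text, today):
    """Return (username, finding) pairs for accounts needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["username"].strip()
        is_admin = row["is_admin"].strip().lower() == "yes"
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        pw_age = (today - date.fromisoformat(row["password_changed"])).days

        # Old and dormant accounts: nobody has used them, so nobody will
        # notice if an attacker does.
        if idle_days > DORMANT_DAYS:
            findings.append((name, f"dormant: no login for {idle_days} days, "
                                   "disable or remove"))

        # Special access privileges deserve the regular password change.
        if is_admin and pw_age > ADMIN_PASSWORD_MAX_DAYS:
            findings.append((name, f"admin password last changed {pw_age} days ago"))
    return findings


if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_EXPORT, AS_OF):
        print(f"{name}: {finding}")
```

On the sample data the contractor account and the backup service account come out as dormant, and both administrator accounts are overdue a password change. Service accounts with admin rights (like backup-svc here) are the ones that tend to be forgotten, which is why the check treats them no differently from people.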

4. Malware protection
  • Aim: ensure malware protection software is installed and kept up-to-date
  • Install malware protection software on all devices
  • Keep malware protection software up-to-date
  • Configure to scan files and websites when accessed
  • Configure to scan all files daily
  • Configure to avoid blacklisted websites

5. Patch management
  • Aim: ensure all software is kept up-to-date and has the latest security patches installed
  • Use fully licensed and supported software
  • Apply software updates and security patches when they become available
  • Remove out-of-date (unsupported) software

  • Think passphrase rather than password - keep them LONG
  • Consider getting a password manager (e.g. LastPass) enhanced with two-factor authentication (e.g. Yubikey)
  • Treat wifi/wireless as inherently insecure
  • "The Cloud" = someone else's (fallible) computer
  • Encrypt sensitive information - especially on "the Cloud"
  • Employ segregation to divide up data, process, machines, etc
  • Backup data regularly - and backup your backup - and not just on "the Cloud"
  • Have an incident response/business continuity/crisis management plan ready and regularly tested/updated
  • Be super-cautious publishing anything on Facebook, Twitter, LinkedIn, etc - even seemingly innocuous information
  • Internet-enabled devices (kettles, toys, etc) are inherently insecure and can leak confidential data or act as insecure backdoors
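"Keep them LONG" can be put in numbers. As an added example (not from the original post), the Python below generates a passphrase from a word list using the operating system's random source and compares the entropy of a random 8-character password with that of a 5- and 6-word passphrase. The 16-word list is constructed so the script runs on its own; the 7776-word size used in the comparison is that of the common diceware-style lists, and the guessing rate of ten billion per second is an assumed figure for an offline attack on a leaked password database, not a measurement.

```python
import math
import secrets

# Constructed mini word list so the example runs stand-alone. A real list
# such as a diceware list has 7776 entries; entropy_bits() takes the list
# size as a parameter so the real figure can be computed without the list.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
         "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble"]


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `symbols` options.

    This only holds for random choice; a phrase the user picks from memory
    (song lyrics, family names) has far less entropy than its length suggests.
    """
    return length * math.log2(symbols)


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Pick `count` words with the CSPRNG in `secrets`, never with `random`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10):
    """Entropy (bits) and exhaustive-search time (years) for three schemes."""
    cases = {
        "8 random printable characters": entropy_bits(94, 8),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(WORDS, 5))
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits} bits, {years:,.0f} years to exhaust")
```

The 8-character password, hard to type and impossible to remember, comes out at about 52 bits; five random words, around 25 characters long and easy to remember, come out at about 65 bits, and each extra word adds nearly 13 more. That is the whole argument for passphrases, and for letting a password manager generate them when you need one per application.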


Steps along the cyber security journey
  • Do nothing
  • Cyber Essentials: Self-certification independently verified
  • Cyber Essentials Plus: External testing and certification
  • 10 Steps to Cyber Security
  • ISO27001 information security standard

Even more secure
  • CHECK and CREST information security accreditation standards
  • Vulnerability scanning: technology assessments
  • Penetration testing: "ethical hacking" service
  • CBEST and STAR: intelligence-led penetration testing

Useful links
Free online training course (general public)
Free online training course (SMEs)
So, stay safe and at the very least just do these FOUR things:
  • Unique long passwords for each application
  • Two-factor authentication wherever possible
  • Regular software patching for each application
  • Don't open emails, attachments, etc. if you don't know who they are from

Richard   M.Inst.D, FRSA
