The seven categories of challenges faced by SMEs, as listed in the ENISA report, are:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. ICT work that has shifted out of the SME’s control.
- Low management support.
A challenge for SMEs is to understand what guidelines and standards are available to them and how to get hold of the information about them. The simple answer, of course, is ‘Google it’. But that really is simple and, like most things that are very simple, it doesn’t quite hit the spot. The vast majority of white papers and the like are either written by the large consultancies and aimed at larger enterprises, or written by security product vendors and aimed at selling a particular product. Neither really covers what an SME needs to know.
The UK Government was an early adopter of standards for cyber security via a British Standard known as BS7799, which has since morphed into an international standard, ISO27001:2013. ISO27001 describes an approach for the design, implementation, operation, control and improvement of an Information Security Management System (ISMS), which for many SMEs requires external expert assistance to understand and implement. Whilst H2 happily provides that level of assistance, and has experience going back to the old days of BS7799, we recognise that for the vast majority of SMEs, ISO27001 may be a step too far and is certainly too expensive. That said, it may be suitable in some cases: where a large amount of personal data is held, for example, or in a particularly high-tech business that needs to demonstrate its commitment to keeping its own data, and that of its clients, secure. In those cases, they often choose to use the standard as a guideline rather than going for certification.
The UK Government has subsequently introduced Cyber Essentials and Cyber Essentials Plus, and has mandated that a company must hold one of these certifications in order to bid for many public sector contracts.
The difference between the two levels of certification is fairly simple. The first level is essentially a self-assessment which checks your levels of protection against a wide variety of the most common cyber attacks. Whilst this is primarily a paper-based exercise, SMEs often find that they need assistance in completing the questionnaire from someone with the relevant knowledge and experience. Cyber Essentials Plus requires an SME to have Cyber Essentials first and then progress to a hands-on technical verification, in which the assessor is given access to the SME’s systems to verify the answers given in the Cyber Essentials questionnaire. Once again, many SMEs like to have someone on board who can liaise with the assessors and manage the process for them.
There are other standards out there that can be worked towards; however, I think that for the vast majority of SMEs, Cyber Essentials is fine. As the company grows, a move towards a 27001 ISMS might become more appropriate. But whatever is chosen, having a standard of some sort to work to is a very good idea.
In the coming weeks I’ll tackle the other categories arrived at by ENISA, that I haven’t yet discussed.
H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.