“There's a lot of great talk, but most companies do nothing (about cyber-security). It's shocking. And the flow down from big companies, passing best practice down the supply chain, is not working, so big companies make exceptions and work with supply chain companies who may implement nothing,” said Dr Emma Philpott of IASME and managing director of the UK Cyber Security Forum at the ISSE conference in Berlin today.
In her presentation, "Engaging small companies in cyber security", Philpott explained that most successful breaches are due to a lack of simple controls. Even some relatively secure companies had missed some of the technical details of implementing those controls, or had decided, as a risk-based decision, not to implement them.
IASME itself started as a government-funded initiative to help SMEs that struggled to achieve ISO 27001 certification. It worked, “but most wondered, why bother? It was not asked for by customers up and down the supply chain.”
The reasons are varied. Many are simply not aware that cyber-crime is happening on a massive scale; they think hacking means spying by governments and so is not relevant to them. They only hear about big-company breaches and so assume it is not happening to firms like theirs, when it is. Or they think it is too complicated: they don't understand it, view it as too difficult and expensive, and for most small companies outside help is unaffordable. Plus they are busy with cash flow or staff issues, so cyber-security is seen as a peripheral issue in small companies, and in some not-so-small companies. They also need to be encouraged and incentivised, not chastised for their failings, or they switch off and abandon the process.
Philpott explained and championed the UK's Cyber Essentials scheme, noting that it is now mandated in many government contracts for the whole supply chain, but conceded that implementation has been patchy: it is used in health care and by the Treasury, and is expected to be adopted by the Ministry of Defence and local government. IASME, which is an assessor for Cyber Essentials, also provides a ‘governance' wrapper on top, at both a self-assessment level and an audited level, with a helpline for companies when they are breached that offers confidential legal, technical and PR advice.
Of 460 companies assessed by IASME for Cyber Essentials, about 40 percent (184 companies) initially failed; once the advice given had been implemented, this came down to 4.5 percent (25 companies) who actually failed. The biggest reason for failure, among both big and small companies, was continued use of Windows XP, as unsupported software is not permitted under the scheme. Many of these then passed after six months. About 40 percent also chose to answer the governance questions.
However, many get assessed only to win contracts, and just 55 percent then chose to be reassessed a year later, so 45 percent lapsed. The 460 figure accounts for half of all companies that are Cyber Essentials certified, whereas there are 23 million SMEs in Europe, so the scope to do more is huge.
While Cyber Essentials is often criticised for setting a low bar, delegates spoken to by SC were receptive to the idea that a baseline needs to be put in place and that doing something is better than nothing. They agreed that the basics are not being carried out by many companies, not just smaller organisations, and that smaller organisations did often represent a supply chain risk.
Among other concerns, Philpott noted that small companies often lacked awareness of where their network boundary lay, and so did not understand that phones and tablets need to be considered when implementing anti-malware. They also often don't change the default password on their home router, even though home offices are often important for micro-businesses. And those who had contracted out their IT and support often didn't realise they remain responsible for security; in some cases their IT supplier had refused to explain how to implement certain security measures, or even what those measures were.
Among Philpott's key points for improving security at SMEs: “Understanding is low among SMEs, who need a reason to implement security. We have only just started. It has to be simple. Small steps should be rewarded at each point (eg certification), and keep costs low.”