Thursday, 16 February 2012

2012 and the Cyberthreat a hard year ahead

The following information was extracted from an article by Ken Dunham, a Fellow of the ISSA US Chapter.

The cyberthreat is a worldwide fact and does not discriminate by the size of the business you are running.

Some threats:

Duqu – a dirty cousin of the Stuxnet virus, which highlights the international cyberwarfare and espionage still going on between countries.

Zeus – a threat to the financial services sector; it continues to plague businesses, as does its mobile counterpart Zitmo.

ZeroAccess – a rootkit with increased stealth and tripwires for its own protection.

Facebook continues to be attacked by various criminal organisations and other hacker groups.
These are only a few of the threats, and it is a case of when, not if, I will be hacked or have a security issue from malware or a virus.

There are a lot of cybercriminals out there, but be assured there are also a lot of cyber cops trawling the net and working hard against the criminals and hackers.
They also need your help, for example by introducing a cyberthreat assessment and keeping your software up to date by applying patches when they are released.

2012 has lots of events ahead, like the Olympics and the Euro championships, so the scams will be starting; securing your information and staying vigilant will be a good start.

In addition, staff awareness and a contingency plan will also help.


www.iainyoungitconsulting.co.uk  

Tuesday, 14 February 2012

The Business case

A business case for using an information security management system within a small business


The business


As a small business you should be aware of what information you hold; it can come in various forms of media.
If you are not sure what information is, it can be described as:
Data that (1) has been verified to be accurate and timely, (2) is specific and organized for a purpose, (3) is presented within a context that gives it meaning and relevance, and (4) that can lead to an increase in understanding and decrease in uncertainty.


It can come in various forms, e.g. printed, written, oral, visual and electronic. So as a business, no matter which type you are dealing with, it is all information.


A problem then comes when classifying it, and this can cause confusion. Examples of classifications are as follows:
Public – no effect on business operations or image
Sensitive – will have minor effect on business and brand
Private – will have personal effect
Confidential – can have a severe effect on business and brand.


As your business runs it deals with all forms of information, and therefore you need to consider some form of management, as well as the legal requirements on the information you hold and how you use it.


Situation


A business manager goes to a conference and takes the company laptop. He loses it on the flight, and it holds the only file for a new product the company plans to release.
The laptop has no password and no other security on it. Later that month a competitor releases a new product which is what you had planned.


The business now goes under.
The company had no formal security policy or management system.


So what happens next?


The company decides to adopt an information security management system, and this can be easily carried out with the right information and attitude.


Although this is a short and extreme scenario, it can happen, and prevention is better than the cure.


Benefits  


· Reduces the risk of losing information
· Minimizes the financial impact on the company of security breaches
· Increases efficiency by setting a security standard
· Makes the information more reliable


Costs


Organizational costs


· Need to raise awareness for both staff and management
· Adoption or adaptation of a security policy
· Possibly having to release staff for non-compliance


Design & development costs


· Carrying out a review of security
· Preparation of policies, guidelines and procedures
· Redesign of controls


Minimizing costs and time


It can take time to implement the changes needed, and the knowledge required can mean a large outlay for training your own staff to do this.


As a small business it can take a lot of time that could be spent on business development. This can be offset by using an information security consultant, as they have the knowledge and can spend the time on the implementation, and they can take staff through awareness training, minimizing the time lost by having several members of staff out of production at the same time.


The drafting of policies and procedures can take time as well, but the consultant will have the knowledge to draft them and, with some consultation, can draft specific policies for certain procedures within the company.


The hardware side can be dealt with by the consultant too, as they will have knowledge of certain products suitable for the role required.



Friday, 10 February 2012

Awareness and Compliance

Compliance and awareness

As a small business or sole trader you are normally running around wearing various hats, e.g. sales rep, manager, PR and H&S, plus many more. While doing all these roles, information and data are sometimes not recognised as one of the main things that keep a business going. In the current climate of cloud computing, social media and technology advances in hardware, business owners and managers can be in a constant state of confusion and bewilderment.

This is where an external head can ease the madness, and IT and information security consultants can come into their own with sensible and independent advice for SMBs. The question for SMB owners and management is: are you aware of the regulations and what is meant by compliance? If not, your business can suffer from a lack of knowledge.

But you cannot plead ignorance, as all the regulations are available in various forms.
Compliance with regulations such as the Data Protection Act, the Computer Misuse Act and the Trade Descriptions Act is mandatory. Some of these are industry specific, and if they are not complied with they can lead to fines, or even, in the case of the Health and Safety Act, to criminal convictions and prison.
Therefore it is beneficial for small businesses to be aware of them even if they may not understand them. That is where a consultant can advise them.

Breaches of data protection can be costly to companies, both in fines and in the loss of credibility, which could break a business. So, business owners, don't be befuddled. Seek advice and help to introduce policies that will lead to compliance and thus reduce risks.