Information Security for SME sector companies. CAMIM meeting, Pecs, Hungary, 5th June 2013. Esko Vainikka, Principal Lecturer, CISSP. www.tuas.fi. Information security is an enabler.


Presentation Transcript


  1. Information Security for SME sector companies. CAMIM meeting, Pecs, Hungary, 5th June 2013. Esko Vainikka, Principal Lecturer, CISSP. www.tuas.fi

  2. Information security is an enabler
  • We live nowadays in an information society where the operations of companies and organizations of all sizes, and of individuals, are based more and more on different kinds of information.
  • Valuable information interests outsiders too, because that information has market value.
  • All kinds of information are for sale in numerous web stores.
  • Important information must be protected!
  • Attending to information security is very often the lifeblood of the organization's operations.
  • Information security is an enabler for business, not a preventer of it!
  The big question is: Do SME sector companies understand that? If yes, are they working on their companies' information security issues?

  3. Some goods for sale! Are SME sector companies aware of that? Source: Internet Security Threat Report Vol 16, Symantec Corporation, 2011

  4. Also attack tools are for sale! Source: Symantec Report on Attack Kits and Malicious Websites, 2011. Source: McAfee Threats Report: Fourth Quarter 2011, 2012. Again, are SME sector companies aware of that? Further, do they know that the internet is also filled with all kinds of free tools and guidelines for using them?

  5. In old times… there were, e.g.:
  • Jesse James
  • Butch Cassidy
  • Dick Turpin
  • Black Bart
  • Billy the Kid
  • The Dalton brothers
  • Bonnie and Clyde
  • etc.

  6. … and now (at least partly)
  • We have the Internet, the "Information highway", where increasingly all the kinds of phenomena that earlier happened along traditional highways now occur, like:
  • Robberies
  • Thefts
  • Blackmailing and kidnapping of information systems leading to ransom (e.g. fake AV software)
  • Almost every system is connected nowadays to this global data communications network, even critical systems (e.g. energy delivery systems).
  • More and more, all kinds of services are used via the internet.
  All kinds of players are hidden along this Information highway in order to get some booty! One place offering information about devices connected to the Internet is Shodan (www.shodanhq.com).
  Sven Olaf Kamphuis' car (the man who "nearly broke the internet"). Source: The Guardian, 20.5.2013; http://www.businessinsider.com/dutchman-nearly-broke-the-internet-2013-5

  7. Attacker types and techniques. Source: IBM X-Force 2012 Trend and Risk Report, March 2013

  8. Basic principles of Information Security – the CIA triad
  • Confidentiality: Information has to be available only to authorized individuals, information systems, processes, etc.
  • Integrity: Unauthorized persons or processes cannot modify the information. Authorized persons or processes can make only permitted changes to the information. Information is internally and externally consistent (the information is really true).
  • Availability: Information and the resources of information systems are always available when needed.
  Note! There must be a balance between the "legs"! Don't overdo the security controls. Do SME sector companies understand that?
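The three legs of the triad as concrete checks on a tiny record store, as an added Python illustration that is not part of the presentation: the read access list, the role table, the integrity key and the sample record are all constructed, and the HMAC tag stands in for whatever integrity mechanism a real system would use. It shows a confidentiality check (only listed principals may read), two integrity checks (a tag that detects modification outside the controlled update path, and a per-role list of the fields an authorized writer may change) and a simple availability fallback to a replica.

```python
"""Added illustration of the CIA triad as code; not from the presentation.
All keys, principals, roles and records below are constructed sample data."""
import hashlib
import hmac
import json

# Constructed secret used only to tag records; a real system would keep it in a KMS.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed policy: who may read a record, and which fields each role may change.
READ_ACL = {"customer-list": {"alice", "bob"}}
WRITE_FIELDS = {"sales": {"notes"}, "admin": {"notes", "price_list"}}
ROLES = {"alice": "admin", "bob": "sales", "mallory": None}


class AccessDenied(Exception):
    """Confidentiality or permitted-change rule violated."""


class IntegrityError(Exception):
    """Record content no longer matches its tag."""


class Unavailable(Exception):
    """No copy of the record can be served."""


def _tag(data: dict) -> str:
    # Canonical JSON so that key order does not change the tag.
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class RecordStore:
    def __init__(self) -> None:
        self._primary: dict = {}
        self._replica: dict = {}
        self._primary_up = True

    def put(self, name: str, data: dict) -> None:
        # Controlled write path: every stored copy carries a fresh tag.
        entry = {"data": dict(data), "tag": _tag(data)}
        self._primary[name] = entry
        self._replica[name] = json.loads(json.dumps(entry))  # independent copy

    def read(self, principal: str, name: str) -> dict:
        # Confidentiality: only principals on the ACL receive the content.
        if principal not in READ_ACL.get(name, set()):
            raise AccessDenied(f"{principal} may not read {name}")
        # Availability: serve the replica when the primary is down.
        source = self._primary if self._primary_up else self._replica
        if name not in source:
            raise Unavailable(name)
        entry = source[name]
        # Integrity: any change that bypassed put()/update() breaks the tag.
        if not hmac.compare_digest(entry["tag"], _tag(entry["data"])):
            raise IntegrityError(f"{name} has been modified outside the update path")
        return dict(entry["data"])

    def update(self, principal: str, name: str, changes: dict) -> None:
        # Integrity (permitted changes only): the role decides the writable fields.
        allowed = WRITE_FIELDS.get(ROLES.get(principal), set())
        illegal = set(changes) - allowed
        if illegal:
            raise AccessDenied(f"{principal} may not change {sorted(illegal)}")
        current = self.read(principal, name)
        current.update(changes)
        self.put(name, current)

    def set_primary_available(self, up: bool) -> None:
        self._primary_up = up

    def simulate_out_of_band_write(self, name: str, field: str, value) -> None:
        # Stands in for a write that skipped the controlled path (e.g. a direct
        # edit of the storage); used here only to show that read() detects it.
        self._primary[name]["data"][field] = value


if __name__ == "__main__":
    store = RecordStore()
    store.put("customer-list", {"notes": "", "price_list": "v1"})
    print(store.read("alice", "customer-list"))
```

Each `except` branch a caller writes around `read()` and `update()` maps to one leg: `AccessDenied` is a confidentiality or permitted-change failure, `IntegrityError` a detected modification, `Unavailable` an availability failure.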

  9. Important questions relating to information assets!
  • What, and what kind of, information assets do we (our company or organization) have?
  • How do we handle them?
  • What, and what kind of, information assets do I have?
  • How do I handle them?
  • Which of my or our information assets does some other actor (human being, company or organization) have?
  • How do they handle them?
  • How important are these information assets?
  • What impact does a breach of their information security have?
  The fundamental question is: Can SME sector companies answer these questions?

  10. Information Life Cycle. Source: Cloud Security Alliance. 2011. Security guidance for critical areas of focus in cloud computing V3.0. Do SME sector companies understand that? Are they also taking the CIA triad into account?

  11.

  12. Information security awareness
  • A commonly quoted rule of thumb is that only 20% of information security is technology while 80% is human activity.
  • A human being is the weakest link in information security, very often because of his/her unawareness of the meaning of information security and of what it means in his/her operational environment (e.g. at home, at work and during business trips).
  • Information security awareness is mandatory and unquestionably the cheapest security control.
  How aware are SME sector companies' personnel?

  13. Research group "Information Security and Privacy"
  • Established in 2013 (preliminary work for that in 2012)
  • Responsible person: Lecturer, Dr.Tech. Jarkko Paavola
  • Members from teaching staff (e.g. Principal Lecturer, Phil. Lic., CISSP Esko Vainikka) and students, and from our other personnel
  • All the research is tightly integrated with our educational courses
  • Goals (short and long term):
  • To study the real level of information security practices in SME sector companies in the Turku region; to study also what kinds of information security risk management practices they have and whether they really understand information security risks in different environments; to create a plan with some partner from the SME sector for improving these practices and to execute the plan; to extend that study to other regions in Finland and abroad
  • To create guidelines and some kind of survival kit in the information security field for SME sector companies
  • To create an information security risk management method for SME sector companies
  • To co-operate in the information security awareness area with other players (business, academic, etc.)
  • Applied scientific research on interesting information security and privacy related topics with industrial and academic partners in Finland and abroad

  14. What has happened in 2012 – IBM X-Force 2012 Trend and Risk Report, March 2013

  15. What has happened in 2012 – IBM X-Force 2012 Trend and Risk Report, March 2013

  16. What has happened in 2012 – Verizon Business 2013 Data Breach Investigation Report

  17. What has happened in 2012 – Verizon Business 2013 Data Breach Investigation Report

  18. What has happened in 2012 – Verizon Business 2013 Data Breach Investigation Report

  19. What has happened in 2012 – Symantec Internet Security Threat Report 2013

  20. What has happened in 2012 – Symantec Internet Security Threat Report 2013

  21. Preventing Crime and Misconduct in Business 2012 – Finnish Chambers of Commerce and Helsinki Region Chamber of Commerce (SME definition per EU Commission Recommendation 2003/361/EC)

  22. Preventing Crime and Misconduct in Business 2012 – Finnish Chambers of Commerce and Helsinki Region Chamber of Commerce

  23. Preventing Crime and Misconduct in Business 2012 – Finnish Chambers of Commerce and Helsinki Region Chamber of Commerce
