
Page 1: Privacy, Security and SMEs: Drivers and Barriers

European Union Agency for Network and Information Security

Privacy, Security and SMEs: Drivers and Barriers

Dr. Prokopios Drogkaris | NIS Officer
CSA CEE Summit | Ljubljana | March 8th 2016

Page 2: About ENISA

Dr. Prokopios Drogkaris | Privacy, Security & SMEs | CSA CEE Summit 2016

Page 3: Positioning ENISA activities

Page 4: SMEs & Information Security

• 60% of SMEs had a security breach in 2014

• 82% of SMEs consider information security a high or very high priority, with 31% citing protection of their customer information as their main driver

• 40% of SMEs do not have an information security policy

• 42% of SMEs do not plan to implement ISO 27001, while only 18% completely implement it

Page 5: ENISA Activities

Page 6: Cloud Security Risk Assessment

Online tool where you can:

• rate your opportunities from cloud

• rate your risks

• produce a risks map

• get your security questions

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/security-for-smes/sme-guide-tool

Page 7: Standards Adoption Study

• Determine the main drivers and barriers for SMEs to adopt information security and privacy standards

• Elaborate recommendations for improving the adoption rate of information security and privacy standards

• Present a collection of the existing information security and privacy standards

Page 8: Rationale

• SMEs comprise more than 99% of all European businesses

• They are becoming increasingly dependent on information systems and are facing ICT security risks

• They have limited resources and capabilities, which they need to allocate carefully

• Standards can help SMEs improve their information security and privacy governance

Page 9: Key findings

Drivers and barriers to standard adoption

Page 10: Drivers and barriers for standard adoption

Drivers for standard adoption

• Mitigating information security risks

• Increasing consumer trust

• Proactively demonstrating commitment towards regulatory compliance

• Achieving competitive advantage

Barriers for standard adoption

• Knowledge and engagement

• Available capabilities and resources

• Implementation aspects

• Shortage of standards in specific areas

Page 11: Barriers related to knowledge and engagement

• SMEs are in general not aware of the available standards.

• There are limited points of reference that SMEs can use.

• Management does not yet perceive clearly how implementing these standards adds business value.

• There is a prevailing perception that cyber-attacks mainly threaten large enterprises.

Page 12: Barriers related to available capabilities and resources

• In SMEs that handle the ICT function internally, few resources are dedicated to ICT security.

• If the ICT function is outsourced, there are difficulties in the negotiation with providers on security features.

• Implementation can be demanding in terms of financial and human resources.

• Many SMEs still do not have a solid foundation in information security risk management.

Page 13: Barriers related to implementation aspects

• Many statements in the standards make it challenging for SMEs to clearly identify the required tasks and activities.

• There is a lack of implementation guidelines.

• Standards rely on processes that might not yet be implemented in a small organization.

Barriers related to shortage of standards in specific areas

• There are few standards designed to assist SMEs towards appropriate protection of personal data.

Page 14: Recommendations

To improve the adoption of information security and privacy standards in small and medium enterprises

Page 15: Recommendations

01. Increasing knowledge and engagement: Making SMEs more familiar with the standards that they can apply, as well as with the benefits they can obtain by implementing them.

02. Driving adoption and compliance: Providing mechanisms to foster standard adoption by SMEs through certification and regulatory compliance.

03. Facilitating implementation: Making standards more easily deployable by SMEs by adapting them to their specific characteristics.

04. Increasing capabilities: Increasing cybersecurity capabilities in SMEs in order to make them ready for standard adoption.

05. Fostering cooperation: Creating a common strategy among stakeholders towards a global strategy for improving information security and privacy standardization for SMEs.

Page 16: Increasing knowledge and engagement

• Developing centralized catalogues with extended information on existing standards that are scalable for SMEs.

• Creating specific campaigns targeting SMEs on how standards can help them protect their core business assets and processes.

• Promoting the participation of SMEs from a variety of sectors in the standards development process.

Page 17: Driving adoption and compliance

• Promoting the development of certification schemes targeted at SMEs.

• Promoting the establishment of voluntary reference standards that carry a presumption of conformity with regulations.

• Enforcing compliance with standards in contracts related to the information supply chain or to personal data handling.

Page 18: Facilitating implementation

• Creating standards that specifically target SMEs.

• Developing easy-to-follow implementation guidelines focusing on the scoping and initial stages.

• Incorporating maturity levels with different sets of requirements.

• Deploying security-by-default configurations to facilitate later standard adoption.

Page 19: Increasing capabilities

• Designating an Information Security Officer to ensure ownership of the information security and data protection functions.

• Creating professional training programs to provide foundation training.

• Providing incentives to SMEs to adopt security and privacy standards.

Page 20: Fostering cooperation

• Developing a harmonized plan to create information security and privacy standards specifically designed for SMEs.

Page 21: 2016 Follow-Up Activity

The call for an advisory group is open until the end of March 2016.

Framework on appropriate security measures for the processing of personal data in small and medium organizations