The CEN-CENELEC workshop on Functional Safety & Cybersecurity last March 16 brought together industry actors and European standardization development organizations. The engagement it generated was successful and will be an integral part of the future standardization roadmap for cybersecurity.
I was invited to give a keynote speech on the perspective of SMEs on the subject, complementing the other keynote speakers, who presented the perspective of corporations and that of the security vendors.
Cyber security, and information security in general, is a big challenge for smaller organizations. The community has yet to agree on a shared definition of the subject: for some, “Cyber” security relates only to cyber-physical systems like Industrial Control Systems and Infrastructures; for others, it covers everything connected in a network. What can be said is that cybersecurity is the part of information security that applies in cyberspace, the global interconnected network, and it’s not an issue for governments only. Common sense, and scientific results, tell us that high levels of security in a networked environment depend on all actors.
Cyber security is complex by itself for several reasons:
- Sheer technical complexity
- Wide range of threats (internal and external, malicious or involuntary, criminal and governmental)
- Economic effects (externalities, asymmetry of information)
- Complexity of cyber as a socio-technical system
It’s even harder for SMEs, due to their widespread lack of expertise and resources (both human and financial). A general lack of awareness of the security implications of IT systems, especially when extended to smart manufacturing, compounds the danger, together with the widespread use of private devices for business (BYOD). Most of the standardization frameworks are quite complex and hard for SMEs to implement.
Coupled with the other side of the matter, data protection and privacy, this represents a huge challenge for Small and Medium Enterprises. It can usefully be met by relying on external cyber security consultants and advisors who are able to supply the skills needed to fill the gap, especially if the approach is not merely technological but organizational and economic as well.