UK to pilot European cyber security services for SMEs

The UK will be one of the first countries to pilot a security industry-supported scheme to provide cyber security services for SMEs in Europe

The UK is to be one of the first countries to pilot a security industry-supported scheme to provide cyber security services for small and medium enterprises (SMEs) in Europe.

The co-ordinated cyber security taskforce and response (Costar) scheme, which has been in development for two years, is to begin pilot deployments in 2015.

The UK, the Netherlands and Belgium are slated for the first trials, according to the European association for e-identity and security (EEMA), one of about 10 security-related organisations backing the scheme.

“The UK will be one of the first countries to benefit from Costar in the proof-of-concept stage due to start in the coming months,” Jon Shamah, chairman of EEMA and Costar stalwart, told Computer Weekly.

The scheme will then be rolled out across EU member states country by country, starting in 2016.

The cost of data breaches for smaller businesses with fewer than 250 employees is between £65,000 and £115,000, according to the UK government’s latest Information Security Breaches Survey.

“A single cyber attack can have a severe impact on an SME as well as its customers and suppliers, which means often a whole supply chain can be affected,” said Shamah.

One-quarter of UK SMEs think cyber security is too expensive to implement and 22% admit they do not know where to start, according to research by the government’s Cyber Streetwise campaign.

Not-for-profit organisation

Costar is a not-for-profit organisation providing a managed security services programme for SMEs. It grew out of the first incubation project for developing new business to be initiated by the Trust in Digital Life Association (TDL).

TDL is also a not-for-profit organisation comprising security industry partners and knowledge institutes that believe trust and trustworthy services to be an essential ingredient of the digital economy.

“The traditional approach to security has been to create fear, uncertainty and doubt, but Costar seeks to build confidence, create opportunities and enable leadership,” Shamah told the Trust in the Digital World 2015 conference in Madrid.

“Costar is designed to provide pragmatic, practical, first-step help to SMEs by providing the resources available to most large organisations, but at a price SMEs can afford,” he said.

According to Shamah, Costar's mission is to help make European SMEs more resilient to cyber attacks by providing affordable managed cyber security services in all EU member states.

The scheme is aimed at addressing the cost of cyber security and the lack of knowledge about cyber threats, which are the top reasons cited for SMEs not having adequate defences in place.

Costar's activities include monitoring the health of SME infrastructure on subscriber devices and providing remedial action to assist subscribed SMEs that have been attacked.

While specialised support and help in getting operations back to normal will be available at additional cost, the cost of the basic service will be kept low through a high level of automation to deal with common attacks, said Shamah.

“The goal is to provide basic managed services at a cost of less than €5 per device per month,” he said. 

Unauthorised network activity

The monitoring service will be aimed at detecting unauthorised network activity. It will complement traditional virus scans and will fully comply with EU privacy regulations.

The plan is to provide all EU member states with native-speaking online helpdesk staff to offer immediate support to reduce the risk and damage of a cyber attack.

This will include help to clean up devices with secure software patches, where possible.

Costar will also provide training and awareness programmes for SMEs, will register and co-ordinate incidents reported by SMEs, and will collate cross-border evidence of cyber attacks to assist prosecutions.

The organisation will work closely with national computer emergency response teams, police and other service providers and will exchange data in compliance with privacy regulations.

This element of Costar is aimed at addressing the fact that most cyber attacks on SMEs currently go unreported to the authorities.

Shamah said awareness training is an important aspect of the Costar package because most SMEs are not aware of the risks they face.

EU authorities are concerned about the vulnerability of SMEs because they make up 99% of European businesses and employ two-thirds of Europe's workforce.

Lack of understanding

A lack of understanding of the threat posed by cyber crime is leaving SMEs vulnerable to losing information, profit and customers, according to the UK’s Cyber Streetwise campaign.

Research published by the campaign shows that SMEs are putting one-third of their revenue at risk because they are falling for some common misconceptions about cyber security.

Two-thirds of SMEs do not consider their business to be vulnerable, and just 16% say that improving their cyber security is a top priority for 2015.

More than a quarter of the SMEs polled believe that only companies that take payments online are at risk of cyber crime and 22% believe SMEs are not a target for hackers.

This is despite the fact that SMEs are proving to be a big target because they hold a lot of data useful to cyber criminals but typically lack the ability to keep that data safe.

James Lyne, global head of security research at Sophos and supporter of the Cyber Streetwise campaign, said: “SMEs are the UK’s engine of growth, but because cyber criminals know this, they are continuously looking at ways to exploit them.

“Small businesses hold a wealth of data, but many do not realise quite how valuable this data is and how severe the consequences could be if it fell into the wrong hands.”

Formal security policy

Only 20% of European SMEs have a formal security policy, said Christian Schnuck of the INUIT Foundation of the University of Rome Tor Vergata.

“Half of European SMEs either have no security policy or are not aware of the need for one,” he told the Trust in the Digital World 2015 conference.

In 2014, one-third of SMEs were hit by a cyber attack by someone outside their business, according to the Cyber Streetwise research.

Ed Vaizey, UK minister for the digital economy, said SMEs should look at the government’s cyber security guidance for help with protecting themselves.

This help includes free training courses in cyber crime protection under the Cyber Essentials scheme, and a guide tailored for smaller companies to help protect themselves against the most common issues.

“There are some simple steps firms can take to protect themselves, their cash flow and their data,” said Vaizey.

“I encourage all small and medium-sized firms to take these simple steps and fully benefit from our growing digital economy.”

Gaining accreditation under the Cyber Essentials scheme enables businesses to display the Cyber Essentials badge to show their customers that they take cyber security seriously.
