SMEs are an attractive target for malicious hackers. They have more digital assets and information than an individual, but less security than a large enterprise. If we add that SMEs usually have no expertise or resources for cybersecurity, it is a recipe for disaster. Examples can be found just by taking a quick look at the internet and checking news of SMEs' struggles against cyberattacks. Additionally, cybersecurity solutions are usually expensive for them or do not provide a good solution for their needs. This problem is also usually a major inhibitor for start-up innovation in the EU. In this situation, SMESEC aims to provide a solution that supports SMEs in these issues. The key pillars can be divided into three areas: i) to provide a state-of-the-art cybersecurity framework; ii) to make the solution cost-effective and adaptive to SME needs; iii) to offer cybersecurity awareness and training courses for SMEs.
In developing the SMESEC solution, we always bear in mind the need to provide a high degree of usability and automation and an adequate degree of cyber situational awareness and control for end-users, incorporating the "human factor" in the design process and following existing relevant best practices and standards, tailored to SMEs and individuals.
Due to the constantly increasing number of SMEs willing to address cyber-security issues and establish certain safeguards and defensive countermeasures, the SMESEC project needs to follow a specific set of actions towards providing a holistic security framework. The first set of action points is none other than a thorough ecosystem analysis, paired with the design and development of activities aiming to assemble the various components that partners contribute into a unified solution.
Therefore, our main objectives are: (i) creation of an automated cyber-security assessment engine, capable of high-level personalization and intelligent vulnerability categorization and analysis; (ii) the aforementioned automated cyber-security assessment, including user behaviour monitoring and reputation analysis, will offer feedback to SMEs and users on any type of vulnerability or improper user behaviour; (iii) the alignment of the SMESEC innovations with international links and standardization bodies will eliminate decoupling between security solution development and the state of the art, resulting in inexpensive and effective security recommendations.
During this reporting period, the activities carried out per WP are briefly explained below:
WP1: Requirements elicitation for the use cases, including letters of acceptance from the national data protection agencies of each country.
WP2: This WP ended at M6 and all objectives have been fully achieved. The goal of the work package was to gain insight into SMEs' security needs and to structure the SMESEC basic design directives by taking appropriate feedback from the consortium SMEs that are involved in the specification, design and implementation of the SMESEC pilots.
WP3: The main activity performed during the first year of the project was to properly define the SMESEC framework architecture, in terms of context, content, included patterns, composition elements and overall deployment actions, including defining the context view, the concept view, the pattern view, the composition view, and the deployment view.
WP4: This year the work has focused on preparing the pilots for the integration with the SMESEC Framework. The activities performed are listed below:
• Preparing the pilots for the integration with the SMESEC Framework.
• All pilots are analysing the functionalities to be provided by the SMESEC Framework.
• Starting the deployment of an initial version of the pilot and integrating tools.
WP6: This first year was dedicated to designing, setting and implementing the dissemination, exploitation & standardization plans (matching the first three objectives of the WP).
• Plan for exploitation and standardization of the results of the project.
• Design and launch of a coherent and organized project dissemination plan.
• Plan and carry out a customized dissemination strategy for SMESEC.
• Engage SME end-user communities in the dissemination of the SMESEC project results.
• Website released at M6 and updated at M12.
The innovation done in SMESEC focuses on two different areas: on the one hand, the innovations done in the tools provided by the partners, and on the other hand, the SMESEC Framework.
Regarding the tools, in the first year of the project we performed an analysis of the current status of the market for each technology of the tools. The areas we have identified are, among others: encryption, business continuity/disaster recovery, data loss prevention, governance, risk management and compliance, security information and event management, intrusion detection, etc. We are aware that other areas also exist in the market but, due to the large list of areas of cybersecurity and their application, we preferred to focus on the ones we can support/improve in the project. Once we identified these areas, we performed an analysis of the state of the art of different solutions that exist in the market in these areas. The analysis allowed us to identify gaps in the market from both the cybersecurity and the functional point of view. This was the basis for studying how we can better fulfil the needs of SMEs in these areas. This has been very helpful for understanding how SMESEC will contribute to and improve the cybersecurity areas identified at the initial phase of the project. The study, process and results are described in D2.1 – SMESEC security characteristics description, security and market analysis report (Section 7).
The other pillar of innovation SMESEC brings is the SMESEC Framework. The framework aims to provide a platform that offers many different cybersecurity tools for protecting, enhancing and creating businesses for SMEs. It was very important to know how we could achieve this for any type of SME, bearing in mind their constraints. These constraints are critical and need to be taken into account in the architecture and development, as they have an impact on it (e.g. as-a-service or on-premises tools, integration between the tools, etc.). In order to identify how to achieve better impact and innovation in the project, we started by analysing the pilots of the project in terms of functionality, user experience, etc. Therefore, the areas we plan to focus on for the SMESEC Framework are: simplicity (decrease the usual complexity of cybersecurity tools), protection (offer protection similar to or better than existing solutions in the market), cost-effectiveness (the cost of the tools, functionalities and framework must be kept as low as possible, probably studying different strategies for its use), training and awareness (apart from technical aspects, SMESEC must also offer training and awareness strategies, material and courses to complement the cybersecurity solutions of the project), and interconnection (provide good communication and interconnection of tools, both for existing ones and with the possibility of adding new ones not included in the project). More information about innovation of the SMESEC Framework can be found in D3.1 – SMESEC System Design (Section 3).
More info: http://www.smesec.eu.