by Jose Francisco Ruiz (Atos), Fady Copty (IBM) and Christos Tselios (Citrix)
Small to medium enterprises (SMEs) have benefited greatly from the digital revolution, but at the same time SMEs are particularly vulnerable to cyber-attacks. SMESEC is a cybersecurity framework designed specifically with SMEs in mind.
The digital revolution has benefited many businesses in Europe, creating opportunities and advantages, especially for small and medium enterprises (SMEs). Unfortunately, with this new paradigm, new problems have also appeared.
SMEs are an attractive target for malicious hackers. They have more digital assets and information than an individual, but less security than a large enterprise. Coupled with the fact that SMEs usually have no expertise or resources for cybersecurity, the outcome is a recipe for disaster. One study  found that 60 % of hacked SMEs go out of business because they do not know how to respond. Additionally, cybersecurity solutions are usually expensive for SMEs or do not provide a good solution for their needs. This problem is also a major inhibitor for start-up innovation in the EU. Cyber-security framework SMESEC [L1] aims to provide a solution that supports SMEs in these issues. The key pillars of SMESEC can be divided in three areas: i) to provide a state-of-the-art cybersecurity framework; ii) make the solution cost-effective and adaptive to SME needs; iii) offer cybersecurity awareness and training courses for SMEs.
The SMESEC use-cases offer great representative examples of the wide variety of SMEs that exist. These use-cases span different geographical locations, areas of innovation, SME size, organisational structure, and business models. Their main concerns about security solutions are maintaining security of their infrastructure, usability, cost, and privacy.
The SMESEC tools form a loosely coupled security framework. The main partners’ concerns are orchestration between tools and getting feedback from the customer base to drive development based on customers’ needs.
During the development of the SMESEC solution, we are continuously bearing in mind the need to provide a high degree of usability and automation, an adequate degree of cyber situational awareness and control for end-users, incorporating the “human factor” in the design process, and following existing relevant best practices and adoption of standards, tailored to SMEs and individuals. This strategy to cover both areas can be seen in Figure 1.
Figure 1. SMESEC Framework.
To respond to the above technical and business requirements we have conducted a comprehensive market search and requirement gathering from SMESEC use-case partners, and to meet the needs of each use case partner, an innovation process was established. The main innovation expected from the SMESEC Framework is the integration of different solutions working in an orchestral approach. Future innovation directions of the SMESEC tools were collected and prioritised according to five criteria: increasing simplicity of security tools, increase protection level, cost-effectiveness, support training and awareness, and increasing interconnection.
The functional requirements can be categorised into threat defence and security management. Under threat defence we identified: protect, detect, monitor, alert, respond, and discover requirements. Under security management we identified: assess security level, suggest improvements, evaluate risk and consequences, and assess criticality. The non-functional requirements identified were: modularity of development and deployment, usability, confidentiality, load scalability, multi-tenancy, and expansibility of the framework.
To answer these requirements and concerns we have proposed a new security concept that extends the standard definition of a security event of adversary attacks detected with the following events: lack of user training, requirements mismatch, standards non-compliance, and recommendations not met. This concept of security event allows a comprehensive end-to-end security solution to be built, that solves all SME security concerns in one single security centre of operation.
Owing to the ever-increasing number of SMEs willing to address cyber-security issues and establish certain safeguards and defensive countermeasures, the SMESEC project needs to follow a specific set of actions towards providing a holistic security framework. The first set of action points comprises a thorough ecosystem analysis, paired with the development of a strategy to assemble the various components contributed by different partners into a unified solution. Immediately after comes the deployment, integration, evaluation and implementation phase upon which the SMESEC Framework will be deployed, obtaining new tailor-made features.
Therefore, our main objectives are: (i) creation of an automated cyber-security assessment engine, capable of high level personalisation and intelligent vulnerability categorisation and analysis, (ii) the aforementioned automated cyber-security assessment, including user behaviour monitoring and reputation analysis, will offer feedback to SMEs and users for any type of vulnerability or improper behaviour of users, (iii) the alignment of the SMESEC innovations with international links and standardisation bodies will eliminate decoupling between security solution development and the state of the art, resulting in inexpensive and effective security recommendations.
SMESEC brings together a set of distinguished partners with award-winning products and excellent backgrounds in innovative ICT solutions and cyber security. This consortium aims to provide a complete security framework carefully adjusted on the peculiarities of SMEs. A framework of this nature is particularly relevant since it will reduce the capital, operational and maintenance expenditures of SMEs, allowing for greater growth and innovation in the EU.
Jose Francisco Ruiz