The last blog looked at business risk from an overall or general perspective, this week we’re digging deeper into a specific and increasingly pertinent aspect of risk; information security risk … and how to manage it.
It only takes a very quick Google to find that:
- 95% of all computer systems attacks arise from China where there are believed to be an astonishing 50,000 and 100,000 state sponsored hackers attacking IT systems in the West
- $600 billion, or 0.8 percent of global GDP, is the cost of global cybercrime, half of which then gets reinvested into further criminal activities
- In 2020 UK companies alone received fines amounting to over £155m for contravening GDPR legislation
Additionally, in just the last week, Facebook have been in the news again regarding a data leak, (which they suggest dates back to 2019) involving a hack of more than 530m records with data coming from over 106 countries.
These are the big numbers, but information security failure doesn’t have to be the result of systematically coordinated rogue state activities, information security failure can be far more mundane.
- One sole trader supplier to a client had £20k scammed from her account
- One very switched-on MD of a client lost £5k from a phishing operation
- Another client was hit by rogue software which sat in the back up destroying their data
- Another client had a disgruntled employee leave taking the companies client database with and them setting up in competition.
Whilst none of the above resulted in catastrophic failure they were all potentially avoidable with more robust security controls.
These threats come in multiple forms; viruses, spyware, worms, ransomware, phishing, malware, impersonation, denial of service attacks, malicious domains and others… and there’s more to follow… I recently heard of an IT company where the top team took a readily available photo of the top man and then with some clever use of IT, each of them appeared in a video conference with the top man … as that same top man! Welcome to the world of artificial intelligence and deepfakes.
So, these issues, and risks, come in many different shapes and sizes and these risks are rapidly creeping up the management agenda.
Information Security Risk Management
With the advent of worldwide interconnected IT systems, the rise of mobile working and working from home (WFH) all businesses have been exposed to completely new areas of risk that did not even exist just a few years ago.
One tried and tested method of protecting an organisation against information security loss is with the adoption of an information security management system like ISO 27001.
Risk management is central to ISO 27001 which asks you to identify sensitive or valuable information that requires protection, determine the various ways that data could be at risk, and implement controls to mitigate each risk. Risk includes any threat to data confidentiality, integrity or availability, and the standard provides a framework for choosing appropriate controls and processes.
However, before focusing solely on IT issues, remember that information security management issues may also need to attend to the more old-fashioned risks associated with issues like human error, staff security & in some cases even industrial espionage.
Information Security Management Standards
The first information security standard was originally published as a British Standard, by the British Standards Institution in 1995. It was snappily entitled BS 7799. 10 years later the standard was taken up, adopted and revised by ISO (International Standards Organisation). Since which time it has been through a number of revisions, the latest version being published in 2017. ISO 27001 is now the de facto standard for information security. The 27001 standard allows companies to adopt a framework which makes it easy to judge:
- The quality of the organisation’s own security defences
- The quality of security solutions offered by suppliers and partners
In doing so, it looks to ensure that the systems employed are capable of maintaining the confidentiality, integrity and availability of your hard-earned information.
In developing your systems, ISO 27001 asks you to consider the following aspects of information security relating to your company:
- Context of the organisation
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
In addition, there is a more technically focused annex which details about 140 “controls” which may need to be addressed, some of which depending on the size and complexity of the organisation may or may not be relevant; it also allows you to add others should you need to. A checklist detailing these controls is available at the end of this article. These controls are grouped under the following headings:
- Information Security Policies — The ISMS policy needs to be written down and reviewed in line with the company’s overall strategy and security practices.
- Organisation for Information Security — This is about assigning responsibilities for specific tasks; who does what.
- Human Resource Security — Ensures employees understand their responsibilities for data security.
- Asset Management — This is about understanding the assets that the company has and that they are appropriately protected
- Access Controls — This covers both physical and digital access and ensures people can view only information relevant to their positions
- Cryptography — which is about, where required, encrypting data to ensure confidentiality and integrity.
- Physical and Environmental Security — which looks at preventing unauthorised physical access, damage or interference to premises or data, and controlling equipment to prevent loss, damage or theft of software, hardware and physical files
- Operations Security — Looks to ensure that day to day operational information processing facilities are secure
- Communications Security — For protecting information networks
- System Acquisition, Development, and Maintenance — Focuses on securing both internal systems and those that provide services over public networks
- Supplier Relationships — Addresses the proper management of contractual agreements with third parties, suppliers and contractors.
- Information Security Incident Management— Seeks to establish processes for the effective management and reporting of security incidents and breaches should they occur.
- Information Security Aspects of Business Continuity Management — The focus here is about minimalising business interruption. Incidentally, there is also a separate standard, ISO 22301 specific to Business Continuity Management and which goes into even more depth on this subject.
- Compliance — like ISO 14001, the environmental standard, and ISO 45001 the health and safety standard, 27001 requires the company to develop and maintain a register of relevant laws and regulations with which the company needs to comply.
The aim of an information security management system is to ensure the company and its people are aware of the part they play in the continuity of the business and to limit the damage to the business to an acceptable level by preventing and minimising the impact of security incidents.
If you’re interested in taking this further, we have developed the accompanying 10 step checklist which provides a plan for reviewing and improving the management of information security. The 10 stages are likely to fit most organisations, however, it should be recognised that the stages need to be seen in the light of the company’s exposure to information security issues; a construction company may be less likely to be information security dependant than a company producing say computer games, the detail of each stage therefore needs to be very much considered in the light of the activities undertaken.
To certify or not to certify; that is the question?
It is entirely possible to use the ISO 27001 framework as a vehicle for improving your systems and processes without the need for independent certification. However, should you wish to, there are number of UKAS approved certification bodies that will happily assess your systems and processes to provide you with an external, and independent, stamp of approval, which provides a number of significant advantages:
- It often opens up new commercial doors providing a marketing advantage
- It provides an independent unbiased view of your IT security arrangements
- It bolsters your image in the marketplace
- It provides for “worry free” trading relationships with clients and suppliers
… but the objective of the framework, and the biggest benefit, should be a significant reduction in both the chance and scale of a security breach.
Conclusion
Information is the new oil, and regardless of how it’s held, data security is more essential for long term success than ever.
Contenders for the number one spot in the Hall of Fame (or perhaps Shame) are increasing daily. Those with long memories will remember Melissa and the Love Bug, more recently it’s been Cambridge Analytica and Facebook. …but one thing is certain, these threats are unlikely to subside anytime soon.
Robust information security management generally, and ISO 27001 in particular, can be used to provide a valuable competitive edge. Using the standard’s requirements and controls, you’ll be able to establish, and continuously improve, your information security management systems, demonstrating your commitment to data security to partners and customers alike.
Related tools and ideas
Recommended references
- None
Downloadable resources
- 10 steps
- Controls listing (template statement of applicability)
- How to develop management systems that increase sales and bolster margins- TO DO
To find out how Statius can help you deliver:
• Better strategies
• Better systems
• Better measurement and
• Engaged people delivering
• Better results
Call us now on 0208 460 3345 or email sales@statius.co.uk
Comments are closed