Elaine Munro, BSI’s Head of Portfolio Management, outlines the cybersecurity must-dos for business success
The business impact of breaches at larger organisations has been well documented in recent times, and a greater understanding of information security has been reached. Yet this is a matter of concern for businesses of all sizes and sectors, all of which are being targeted by cyber criminals.
The risks to personal data have set off a wave of regulatory compliance, with heavier penalties for personal data breaches in the UK. At the same time, there has been increased activity by the Information Commissioner’s Office (ICO) at a national level, and the European Commission is proposing a major reform of EU data protection laws.
What can be done to help businesses to maintain trust, protect their reputations, and improve their bottom line?
Don’t be fooled
The first step is awareness: do not be complacent about the problem, and do not think that size can exempt you from a breach, since by targeting SMEs hackers can gain access to larger companies. Don’t leave yourself open and do not assume you are safe.
Know your enemy
Security threats come from a wide range of sources with most data breaches being caused by bad business practices. Poor physical security, lost memory sticks, non-password protected devices, unencrypted laptops and loose talk can contribute to breaches.
All businesses regardless of size must consider the risks to information and understand what they are trying to protect. So, are existing security measures effective? Have controls to mitigate identified risks been determined?
Get an ISMS
After identifying information security risks, the next step is knowing what to do and how to do it. This is where an Information Security Management System (ISMS) such as that defined by ISO 27001 can help. It provides a framework to identify and manage information security risks in a cost-effective way, putting appropriate controls in place to reduce the risk of security threats and helping to prevent weaknesses in systems from being exploited.
Find your Achilles’ Heel
Research has shown that human error is now a leading cause of cyber breaches with trusted insiders playing a key role in many breaches. The most serious breaches are due to multiple failings in people, processes, procedures and technology. ISO 27001 addresses this by requiring organisations to ensure that all relevant personnel have undertaken security awareness training.
Encouraging staff to make their personal information security a natural part of their routines can help businesses to secure corporate information too. Training and awareness activities alert staff to the importance of taking as much care with business information as they would with their own personal information. Being vigilant when using devices or carrying paperwork on public transport, and avoiding confidential conversations in public, are a couple of ways to protect data.
Be social media savvy
Social media is an inexpensive way of gathering information about people. If accounts are not properly secured, it gives access to e-mail addresses, telephone numbers, location settings, and details of family and friends. With this information, passwords become easier to crack, as people tend to choose things that are easy to remember. ISO 27001 includes controls around password use to ensure they are regularly changed and more difficult to break.
Get to grips with mobile devices
In their haste to adopt new technology and work practices, businesses sometimes overlook the inherent risks and fail to put appropriate security measures in place. Do you allow staff to bring their own devices to work and access your network? Can you be confident that family members are not also using those devices? Are you aware of the malicious code being added to free apps downloaded onto mobile devices? If not, you need a policy in place for this. ISO 27001 features controls around authentication for external connections that can help.
Many businesses share sensitive information across and between organisations. If information is shared with a supplier, the company would be failing in its duty of care if the supplier’s handling of that information was insecure. What information needs to be shared? What safeguards does the supplier have in place to protect confidential data? ISO 27001 features controls around supplier relationships.
Security risks can take a variety of forms, encompassing everything from human error to malicious insiders, and from data loss or leakage to account or service hijacking. By requiring that providers of your cloud services are ISO 27001 certified and operating in compliance with the Cloud Security Alliance (CSA) STAR certification requirements, businesses can reassure themselves that their cloud service provider has the appropriate security measures in place to protect customer data.