Information, data and cyber security risks – a structured approach to manage them

The landscape has drastically changed. Businesses are exposed to opportunistic information, data and cyber security attacks and these continue to proliferate. Unsurprisingly, how to manage this risk is rising on corporate and board agendas as they work to find ways to protect their assets, ensure business continuity, and build resilience and stakeholder trust.

Interconnectivity has grown exponentially. There are few businesses and organisations that do not rely on connectivity and digital technologies. Individuals and companies make billions of dollars’ worth of transactions routinely and it is hard to imagine modern life without an online presence. 

And that makes everyone a prime target for criminal activity by opportunists and organised crime syndicates. Personal information stored in databases gives access to credit card data, financial assets and intellectual property. Such data can be lifted without any physical risk to the criminal, and ransomware attacks can generate big payouts from victims desperate to recover control of their networks.

At the same time, businesses and organisations are no longer judged on the quality of their products and services alone, as used to be the case. They are evaluated on how well they manage a wide range of topics such as safety, equality and diversity, environment and sustainability, and also information security. Stock-listed companies are subject to an ESG rating covering all of the above and more.

That is why organisations, if they are to be attractive and deemed a success today, need to demonstrate a commitment to and governance of all of those aspects. Information security used to be considered applicable to ICT companies only. With everyone at risk, and proof of governance increasingly becoming a requirement, how to tackle this topic is naturally rising on corporate and board agendas.

No one is immune from attacks

Individuals are taken for a few dollars at a time by paying for fake offers received through emails and social media. Governments, education services, health bodies and power networks get blackmailed into paying out huge sums of money to keep essential systems from being taken down. Commercial organisations have valuable assets stolen, and ICT and communication service providers are high on the list of targets because they provide a means of entry to the organisations using their services.

The thrust of attack has changed: from individual hackers infiltrating networks for the sheer fun of it, through malicious disruption, and on to criminal activities generating large sums of money, whether by siphoning off small amounts from large numbers of victims or by demanding a big pay-off from a single entity.

With so much at stake, all companies need to assess their risk picture and the types of threats and attacks to which they are vulnerable. In making that assessment, companies also need to investigate how exposed they are to attacks emanating from their customers or suppliers, and how any attack on their own systems could impact their value chain.

While they still exist, the simple viruses and hacks of yesteryear may be the least complex to handle today. Organisations are now in a race with cybercrime but are inevitably always one step behind: while they are busy defending against the last threat, attackers are already developing the next one.

Building business resilience and stakeholder trust

Every threat avoided can be a lesson learnt, and that knowledge can be used to anticipate attacks and develop defences against them. However, information security management is about more than mitigating short-term risk. It is also about building long-term resilience. Putting in place a robust framework to identify, manage and mitigate risk will drive continual improvement, create structured governance and strengthen business continuity.

An information security management system (ISMS) compliant with international best practices such as ISO/IEC 27001 helps any company understand its actual risk picture, deploy means to prevent security breaches, and establish processes to handle any incidents. Moreover, it provides a structured framework for developing and implementing processes and security controls, and for ensuring management commitment and employee training, for example.

While the development of an organisation's ISMS will be the work of a smaller team, involving all employees in the implementation is a prerequisite. Most attacks are initiated by a careless action by one staff member: clicking on a link in a phishing email, using an infected USB stick, setting a weak password or sharing it with a stranger. Such actions are rarely deliberate but can be detrimental. With proper training they can be avoided, but companies need to ensure that training is structured company-wide, involving all employees at all times.

It is possible for an organisation to develop an information security management system against its own standard or against ISO/IEC 27001, conducting its own or second-party audits to verify compliance. However, that alone gives no way of independently demonstrating to customers and other stakeholders that the system is in place and working effectively.

Certification to ISO/IEC 27001 provides independent proof that your information security management system complies with the standard's requirements. It builds confidence internally and enables you to tell customers, suppliers and other stakeholders, with credibility, that your information security management system has been assessed by a third-party certification body and found to comply. Certification also requires annual audits of the management system and evidence that it remains fit for purpose, which builds business resilience and stakeholder trust.