Today's information security landscape and how to mitigate risk in your systems
Here's a staggering statistic: 90% of the data in the world has been created in the past 2 years.[1]
Why does this matter? That data needs to be protected, yet many organizations' systems are struggling to keep up.
Today's information security landscape is evolving at breakneck speed. Not only is the volume of data ever growing but so is the range of devices that can be networked, also known as the Internet of Things.
That means a greater potential for cyber-breaches and more far-reaching consequences if those breaches occur.
BS EN ISO/IEC 27001:2017, Information technology – Security techniques – Information security management systems – Requirements, is a standard that guides organizations through the process of establishing, implementing, maintaining and continually improving an information security management system (ISMS).
By taking a risk management approach to the issue of information security, leaders can put their organization on a surer footing for the era of 'Big Data' and the Internet of Things.
Why you should implement a risk management system
A new BSI webinar, 'Mitigating risk in your QMS by protecting your information', outlines the current information security landscape.[2] It makes for a motivating and informative watch as it outlines the vast risks as well as the solutions.
It features research showing that some 82% of all CEOs list cyber-risks as one of their top three risk scenarios. They cite the main consequences of a security breach as business interruption (75%), reputational damage (59%) and breach of customer information (55%).
Other consequences identified include data or software damage, extortion or ransomware, liability to third parties resulting from a breach, disruption to industrial systems or other technology, and loss of intellectual property.
The cost to companies of this damage is huge: it is forecast to exceed $6bn worldwide by 2021.
Unsurprisingly, therefore, business leaders are prepared to pay to keep their organizations functioning smoothly and safely. Worldwide spending on products and services to counter cyber-risks was expected to reach $92bn in 2018.
Strangely, perhaps, the capacity to counter many risks already exists but is not always being used consistently or successfully.
Of all the recorded data breaches worldwide, just 4% were 'secure breaches', where the stolen data had been encrypted and was therefore useless to the attacker. The caveat is that encryption only delivers this outcome when the keys are kept separately from the data and are not taken in the same breach, and when the encryption scheme also detects tampering rather than merely hiding content.
Clearly, strategies and measures that are understood by everyone involved in data handling are crucial, as is the consistent use of encryption.
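To make the 'secure breach' idea concrete, here is an added illustration that is not part of the original article or of the BSI webinar: a customer record encrypted at rest with AES-256-GCM in Go, using only the standard library. It shows that a stolen copy of the stored blob exposes nothing without the key, and that a blob altered by an attacker, or opened with the wrong key, is rejected rather than silently decrypted to garbage. The function names, the sample record and the in-memory key are assumptions made for this example; in production the key would come from a key management service or HSM, never from the same store as the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext under key and returns nonce || ciphertext || tag.
// A fresh random nonce per record is mandatory: reusing a nonce under the same
// key destroys both the confidentiality and the integrity guarantees of GCM.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce,
	// so the stored blob carries everything needed to decrypt it later.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. Any modification of the blob, or use of
// the wrong key, fails the GCM authentication check and returns an error.
func decryptRecord(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// leaksPlaintext reports whether a stolen blob still contains the record
// verbatim, i.e. whether a breach of the storage alone would expose it.
func leaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Assumption: key generated here for the demo; in production it is fetched
	// from a KMS/HSM and never lives alongside the encrypted data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record (not real customer data).
	record := []byte("customer=alice@example.com;card=4111111111111111")

	blob, err := encryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob exposes plaintext: %v\n", leaksPlaintext(blob, record))

	// Attacker scenario 1: stole the blob but not the key.
	wrongKey := make([]byte, 32)
	_, err = decryptRecord(wrongKey, blob)
	fmt.Printf("decrypt with wrong key: %v\n", err)

	// Attacker scenario 2: stole the key's access but tampered with the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptRecord(key, tampered)
	fmt.Printf("decrypt tampered blob: %v\n", err)

	// Authorised path: correct key, untouched blob.
	pt, err := decryptRecord(key, blob)
	fmt.Printf("authorised decrypt: %q (err=%v)\n", pt, err)
}
```

The design choice worth noting is the use of an authenticated mode (GCM) rather than a bare block cipher mode such as CBC: the second attacker scenario above, a single flipped byte in the stored data, is rejected outright, which is what turns a breach of the storage into a 'secure breach' in the sense the statistic uses.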
However, such measures can feel like a 'never ending game of security whack-a-mole'[3] unless incorporated into a full ISMS.
What is an ISMS?
An ISMS ensures that policies, procedures, objectives, roles and responsibilities relating to cybersecurity are designed, developed and implemented together, so that an organization's information security risks are identified, treated and kept under review rather than addressed piecemeal.
It supports your company's compliance with laws such as the EU GDPR by addressing the three key aspects of information protection.[4]
Firstly, confidentiality. A robust ISMS ensures that information is not disclosed to unauthorized people, entities or processes.
Secondly, integrity. The information available is accurate, complete and protected from corruption.
Finally, availability. The information must be accessible and usable by those who are authorized to use it.
BS EN ISO/IEC 27001:2017 provides a framework for this. Although business size, sector and requirements will shape the system, the standard can be applied to any type of organization and is compatible with other management system standards.
Asked what the standard does for business, CEOs responded that it inspires trust in the business (80%), helps protect the business (71%) and reduces risk (70%).
Other benefits cited included helping the company comply with regulations, increasing its competitive edge and reducing the likelihood of mistakes.[5]
Establishing an ISMS
For many CEOs and business leaders, it's tempting to leave information security to the IT professionals.
The advice of technology experts is needed at every stage of designing, implementing and monitoring the system, but this is not a job that can be delegated to junior staff or hived off to one particular function of the company.
A firm's ISMS must be integrated into the company at all levels, including the very top.
There are several pathways to establishing one, depending on time, budget and expertise. The standard specifies the different stages and relevant requirements, roles and responsibilities.
If you do decide you have the internal capacity to plan, design, implement and evaluate an ISMS, you will need to ensure full organizational support for those leading the project.
Developing a security culture
Although robust systems and secure technology are key pillars, the human domain is also essential to the success of the ISMS.
Some 54% of workers are currently happy to use open WiFi networks in trusted locations, despite the dangers this presents.[6] This highlights the fact that many cyber-risks stem not from external attackers alone but from a failure to foster a security culture at all levels of an organization.
Phishing emails, which often carry ransomware attachments or links to credential-harvesting pages, are one common way to exploit employees' habits. Data loss, accidental breaches and misuse of privileges can also be the cause of cyber-breaches.
Writing in TechBeacon, security expert Chris Romeo lists four defining features of a sustainable security culture.
- It is deliberate and disruptive, with a set of actions to foster the change.
- It is engaging and fun, so people want to rise to the challenge.
- It is rewarding, so people can understand why it is worth their time and effort.
- It provides a return on investment, lowering an organization's vulnerabilities and improving their offering.
IT author Luke Irwin further recommends ISMS training in staff induction programmes, followed by annual training thereafter.[7]
Remember that the information your ISMS protects can be accidentally compromised by third parties such as consultants and suppliers. Everyone who has access to the data your company holds must be brought within the scope of your information security risk management system.
BS EN ISO/IEC 27001:2017 can be used both to communicate the standards that your company upholds and to evaluate a potential partner organization to ensure that its security system and culture are effective.
Find out more
For more details on the information security landscape, watch the BSI webinar 'Mitigating risk in your QMS by protecting your information': https://www.youtube.com/watch?v=wWnkWlu7IgE
To develop your own organizational ISMS, buy the standard: https://shop.bsigroup.com/ProductDetail?pid=000000000030347472
[7] https://www.itgovernance.co.uk/blog/5-ways-to-improve-your-information-security