Before the pandemic, 99% of organisations expected employees to be in the workplace at least 80% of the time. Post-pandemic, this figure has dropped to just 10%.
The hybrid working patterns developed during the pandemic are here to stay. 79% of business leaders predict that office working will never return to pre-pandemic levels. However, the flexible working model brings big challenges for information security.
At the same time, rates of data exfiltration have increased as employees moving to new jobs in the ‘great resignation’ take valuable company data with them.
How has hybrid working changed information security risks?
Working from home poses a number of challenges for employers. Employees carry out work tasks outside the corporate network perimeter, with less supervision and fewer technical controls, and devices and documents can be lost, viewed by others, or misused.
Almost half (45%) of IT leaders say they have seen an increase in employees taking company information with them as they move to a new company. At a time when record numbers of people are finding new jobs, this represents a significant risk.
There is no going back to pre-pandemic ways of working; organisations must accept that individuals are as much a part of security control as the environment the employer creates. A 2020 Verizon report found that 22% of all data breaches were caused by human error and ignorance.
Although hybrid working became mainstream during the pandemic, many businesses still run it on an ad-hoc basis rather than having developed policies and systems to reduce the risk. More than two thirds (68%) of organisations have either no plan for hybrid working or only a high-level one; only 11% have a fully developed vision that has been communicated, with steps taken towards implementation.
What is the potential cost to businesses?
The cost of data security breaches can be considerable, both directly and in terms of reputational damage. The damage can be significant enough to represent an existential threat.
In 2021, the average cost of a UK data breach rose from £2.85 million to £3.13 million. Compromised credentials were the most common cause of a breach, with an average cost of £3.22 million. Remote working increased the losses: the average cost was almost £790,000 higher where remote working was a factor in the breach.
Around 80% of cyberattacks could be prevented with basic security controls: firewalls, secure configuration, user access control, malware protection and timely installation of software updates (the five technical controls of the UK Cyber Essentials scheme).
How does ISO/IEC 27002:2022 help?
The newly revised international standard ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls, provides guidance on the information security controls you can use to protect your organisation in this hybrid working environment.
In this new revision, the core purpose of the standard remains unchanged, but the structure of the standard has been altered significantly.
The revised standard is a reference handbook setting out a comprehensive list of security controls. The revision helps organisations check that no necessary control has been overlooked, and consolidates the guidance into four themes, making the standard easier to navigate and appropriate controls easier to adopt.
Reflecting the evolution of technology
The controls are organised into four themes: organisational, people, physical and technological. The number of controls has been reduced from 114 to 93, mainly because overlapping controls have been merged to reflect current best practice; no 2013 control was dropped outright, and 11 new controls were added.
The revised controls reflect the evolution of technology and industry practice, including new controls for threat intelligence (5.7), information security for use of cloud services (5.23) and data leakage prevention (8.12). This helps businesses keep their information security controls current as the nature of cyberattacks keeps changing.
Comparing the revised standard with the withdrawn edition
To help users of the 2013 edition apply the 2022 guidance, the new standard contains Annex A, which shows how the control attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) can be used to create different views of the controls, for example listing only the detective controls or only those that protect confidentiality. Annex B cross-references the 2013 control identifiers to provide backwards compatibility.
The standard helps organisations of any size or sector identify, implement and manage up-to-date security controls. Simplified and versatile, it lets you select and scope controls to fit your own needs.
Revisiting your security controls against the revised standard helps ensure you follow the most appropriate and sustainable controls for the current environment.
Cybersecurity Solution Pack: all the standards and more.
For many businesses, implementing frameworks to improve cybersecurity practices can seem like an insurmountable challenge, not to mention a costly one.
The Cybersecurity Solution Pack includes the relevant standards (including ISO/IEC 27002:2022), plus comprehensive written and video guidance, to help you manage your organisation's data and information assets securely, all in one place.
For smaller and medium-sized enterprises, it’s a new way to significantly improve the security of their data and information, without the need for hiring expensive consultants.
If you buy ISO/IEC 27002:2022, you will automatically receive BS EN ISO/IEC 27002:2022 when it becomes available.