  Information security risk  

In an environment of growing concern over the global economy and business survival, one hot topic that features strongly in the boardroom is information security. Where do the main threats come from? How can an organisation effectively protect its data and keep spending within its means? Where do standards fit into this?

The main threats to information security
In the 2011 *CMI survey into business continuity management, both malicious cyber attack and damage to corporate brand/reputation ranked more highly among the list of perceived threats to business than industrial action and pressure group protests.

The report also highlights that 32% of organisations were aware of being hit by a virus or malicious software attack. The figure including unknown attacks is almost certainly higher.

Information can be defined as anything from the main IT databases to a piece of paper containing the minutes of a meeting. Threats are categorised as technological or human in nature and can be internal or external in cause. Truly technological causes may be dealt with through effective business continuity, e.g. backup servers and power supplies. The real challenge is dealing with the human factors, which can be anything from a direct hacking attack (external) to the loss of an important paper document or mobile electronic device (laptop, smartphone) by a member of staff (internal).

Many organisations can ill afford to implement every single available piece of hardware or software to protect themselves and are forced to choose. Even then, technology alone is unlikely to prevent a well-worded email from being opened by an employee who then clicks on the link it contains.

The CMI report also shows that the top six causes of loss are human factors. So how can business approach this ‘human’ challenge, without spending beyond the budget?

Globally recognised best practice
ISO 27001 is the international standard for information security management. The standard seeks to provide best practice in information security by giving organisations a framework described as an information security management system (ISMS). A successfully implemented ISMS is instrumental in tackling the cultural issues surrounding information security and dealing with that all-important human factor. By the end of 2009 nearly 13,000 organisations were certified to ISO 27001 (**Official ISO survey).

Recent independent research conducted by the Rotterdam School of Management (RSM) demonstrates that the use of this international standard for information security management, ISO/IEC 27001, is delivering effective protection for hundreds of organisations around the world. Over 640 organisations responded to the research survey, ranging from large multinational corporations to those with fewer than five employees. The organisations span a wide number of industry sectors and are based in countries on all continents.

How do information security management systems actually work?
In the RSM research 87% of the respondents reported that using ISO/IEC 27001 and its partner standard ISO/IEC 27002 (the code of practice supporting ISO/IEC 27001) had a positive or very positive impact on their organisation.

Some of the key results they had achieved included an increase in the quality control of information security processes and procedures, a reduction in risk and an increase in both internal and external customer satisfaction.

Respondents whose organisation had certified to ISO/IEC 27001 were generally twice as likely to report benefits as those who had not. External customer satisfaction, competitive advantage and an increased ability to respond to tenders were flagged as key additional benefits of certification. What was most noticeable was the hugely increased ability of certified organisations to measure and monitor activities and impacts (e.g. number of security incidents). Very few certified organisations gave 'unknown' responses. This compares with those who had barely commenced implementation, where the majority gave 'unknown' responses.

In the majority of cases organisations had used a top-down approach to implementation, and respondents reported that success was highly dependent on active, visible senior management buy-in. The choice of individual to actually do the implementation varied from one organisation to the next, but where a choice was possible (in a sufficiently sized organisation), a manager within the IT department was favoured.

How can using these best practice standards help organisations save money?
One of the early steps in implementing the ISMS is to conduct a risk assessment (RA). The RA allows an organisation to identify where it believes its biggest risks lie and allows senior management to agree a particular appetite for risk when managing the outputs of the RA. For each risk an organisation can choose to accept it, mitigate it, neutralise it or transfer it. How the risk is managed should always take into account both the impact and the likelihood of something occurring, and of course there will always be a financial threshold on what can be spent treating it.
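The following risk register is an added worked example, not code or figures from the article or from BSI. It scores each risk as impact multiplied by likelihood (the annualised loss expectancy, ALE), compares the score with an agreed risk appetite, and picks the cheapest costed treatment (accept, mitigate or transfer) subject to a spending threshold. Risks that exceed appetite but have no affordable or costed treatment are escalated rather than quietly accepted. All names, amounts, control costs and the reduction factors are constructed assumptions for illustration.

```python
"""Worked risk-register example: score risks by impact x likelihood and choose a
treatment against an agreed appetite and a spending threshold.
Added illustration; every figure below is constructed, not from the article."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    impact: float                              # loss per occurrence (GBP)
    likelihood: float                          # expected occurrences per year
    mitigation_cost: Optional[float] = None    # annual cost of a costed control, if any
    mitigation_reduction: float = 0.0          # fraction of the loss the control removes (0..1)
    transfer_cost: Optional[float] = None      # annual premium to transfer the risk, if quoted

    def ale(self) -> float:
        """Annualised loss expectancy: impact x likelihood."""
        return self.impact * self.likelihood


def choose_treatment(risk: Risk, appetite: float) -> Tuple[str, float, float]:
    """Return (treatment, annual spend, expected annual cost including residual loss).

    Within appetite: accept, spend nothing, carry the ALE.
    Above appetite: take the cheapest costed option. Mitigation costs the control
    plus the loss it leaves behind; transfer costs the premium. If every option
    costs more than simply carrying the risk, accepting is the rational choice.
    With no costed option at all, escalate for a management decision.
    """
    ale = risk.ale()
    if ale <= appetite:
        return "accept", 0.0, round(ale, 2)
    options = []  # (treatment, spend, total expected cost)
    if risk.mitigation_cost is not None:
        residual = ale * (1.0 - risk.mitigation_reduction)
        options.append(("mitigate", risk.mitigation_cost, risk.mitigation_cost + residual))
    if risk.transfer_cost is not None:
        options.append(("transfer", risk.transfer_cost, risk.transfer_cost))
    if not options:
        return "escalate", 0.0, round(ale, 2)
    treatment, spend, total = min(options, key=lambda o: o[2])
    if total >= ale:
        return "accept", 0.0, round(ale, 2)
    return treatment, round(spend, 2), round(total, 2)


def treat_register(risks: List[Risk], appetite: float, budget: float):
    """Prioritise by ALE (largest first) and allocate spend until the threshold is hit.

    Returns rows of (name, ale, treatment, spend). A treatment whose spend would
    exceed the remaining budget is marked 'escalate' so that the unfunded risk is
    visible to management instead of disappearing from the register.
    """
    rows = []
    remaining = budget
    for r in sorted(risks, key=lambda x: x.ale(), reverse=True):
        treatment, spend, _total = choose_treatment(r, appetite)
        if treatment in ("mitigate", "transfer"):
            if spend > remaining:
                treatment, spend = "escalate", 0.0   # above appetite but unaffordable this year
            else:
                remaining -= spend
        rows.append((r.name, round(r.ale(), 2), treatment, spend))
    return rows


# Constructed sample register (assumed figures, for illustration only)
REGISTER = [
    Risk("Lost or stolen laptop", impact=20_000, likelihood=2.0,
         mitigation_cost=5_000, mitigation_reduction=0.9),              # e.g. disk encryption
    Risk("Phishing email leading to credential theft", impact=50_000, likelihood=0.5,
         mitigation_cost=8_000, mitigation_reduction=0.6,                # e.g. awareness programme
         transfer_cost=20_000),                                          # e.g. insurance quote
    Risk("Server room power failure", impact=30_000, likelihood=0.1),   # already covered by BCP
    Risk("Unescorted visitor in the office", impact=15_000, likelihood=1.0),  # not yet costed
]

if __name__ == "__main__":
    for name, ale, treatment, spend in treat_register(REGISTER, appetite=5_000, budget=25_000):
        print(f"{name:45s} ALE={ale:>9,.0f}  {treatment:9s} spend={spend:>8,.0f}")
```

With an appetite of 5,000 and a budget of 25,000 the laptop and phishing risks are mitigated (the cheaper of control-plus-residual versus the insurance premium wins for phishing), the power failure sits within appetite and is accepted, and the uncosted visitor risk is escalated. Lowering the budget to 10,000 leaves the phishing control unfunded, and the register shows it as escalated rather than accepted, which is the point of keeping the financial threshold explicit.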

What about those all important human factors?
Embedding information security as part of business as usual and conducting training and awareness amongst staff at all levels are both key to success. Leading by example is important, as is maintaining the momentum after the initial rush. The basics are often the most effective: a tidy desk policy, effective password use (including minimising the number of passwords staff are required to remember), entry security and a requirement to display identification at all times. Internal games and competitions can be used to enthuse and engage staff.

Demonstrating the success of the ISMS, in the RSM research 60% of respondents reported that awareness of information security in their organisation was now high or very high. This figure rose to 75% within certified organisations.

Summary
In summary, when you consider the research and the expert views, the biggest area of information security weakness in any organisation is its employees and, most importantly, their attitude and awareness. Taking simple steps to raise awareness and drive a culture of information security throughout the organisation does reduce the number of incidents.

Conducting a thorough risk assessment permits the careful targeting of spend in the most appropriate direction, rather than responding to gut instinct or pet passions of management.

Implementing an ISMS such as that described in the international standard ISO/IEC 27001 does provide a framework for success.

If you wish to see a full summary of the RSM report referred to in this article please email
Lorraine.King@BSIGroup.com


*CMI - http://tinyurl.com/6l5cwu5
**ISO - http://tinyurl.com/4qzmfk

Published 01 Dec 2011