The War on Cybercrime
IT Governance is a leading global provider of IT governance, risk management and compliance solutions, with a special focus on cyber security and cyber resilience, management systems (such as ISO 27001) and data protection. The company is a single-source provider of books, tools, training, technical testing and consultancy services, which combined make IT Governance a unique alternative to the traditional standalone consultancy firm, publishing house, penetration tester and training provider.
Evolving technology brings unprecedented threats
We firmly believe that the diverse range of services we provide is hugely advantageous in the modern business world. The rapid pace at which technology evolves can often be more of an obstacle than a benefit. Business leaders simply don’t have the time to keep up with this kind of change. While technological developments represent enormous opportunities and potential sources of efficiency for almost any organisation, these same new technologies have also brought unprecedented threats with them – such as the very serious risk of cyber-attacks.
Cyber security not a constant on the board agenda
Despite the ongoing threat of cybercrime, cyber security only makes the board’s agenda every few months in half of all organisations, according to CGI’s Cyber Security in the Boardroom report. Boards recognise the importance of strengthening their defences, but they are not proactive in addressing the issue and often don’t understand the core of the problem.
Furthermore, security leaders often provide feedback to the executive team in a language riddled with jargon. The IT department is famous for not being able to communicate effectively, often using acronyms that only lead to more confusion and, ultimately, a disconnect. Likewise, business leaders often tend to believe that technological matters are best left for the IT team to deal with, when the reality is that technology now impacts everything that we do. With this in mind, we believe that successful technology leaders are those who can talk about cyber security risks and their mitigating controls in business and financial terms that make sense to the executive team, engaging them and making them part of the solution.
Cybercrime no longer an IT problem
Cybercrime is no longer an IT problem, but affects almost every aspect of a business. Responsibility for attacks is increasingly being seen as a broader business issue, signalling a shift away from the chief information security officer (CISO) and the IT security team. Boards are also inclined to look to the CEO and executive team to take responsibility when a data breach happens. As the frequency and severity of cyber-attacks increase, cyber risk has become a more important priority for executives and is often listed as one of the top ten risks facing organisations.
66% believe leaders don’t perceive cyber security as a priority
As such, more and more needs to be done to raise awareness about cyber risk. A 2015 Raytheon and Ponemon Institute study of those with the day-to-day technical responsibility for cybersecurity – CIOs, CISOs, and senior IT leaders – found that 66% of respondents believe senior leaders don’t perceive cyber security as a priority.
Despite the three fundamental domains of effective cyber security being people, processes and technology, people are frequently left out of the equation. IT managers are usually more focused on protecting processes and technology than securing the easiest gateway into the company network: its employees. It just takes a single click on a malicious link in a phishing email to put the entire network at risk. An effective cyber security staff awareness training programme can help you identify security problems, educate your staff to be alert and vigilant, ensure that security procedures are well understood, and avoid falling victim to cyber-attacks.
Best practice framework for cyber risk management
IT Governance has long supported the international standard for information security, ISO/IEC 27001:2013, which provides a best-practice approach to cyber risk management. The standard provides guidelines for the implementation of a cost-effective and efficient information security management system that extends beyond technological measures to include people and processes – two critical areas that are often neglected when it comes to cyber security.
ISO 27001 is based on the logic that conducting regular risk assessments and implementing controls – on the basis of a business approach to risks – provide a robust, ongoing cyber defence. Achieving certification to ISO 27001 will help organisations to protect their data, comply with regulatory obligations, and assure customers and stakeholders that they are cyber secure.
Guidelines such as these are crucial if businesses want to be up to speed with the constant changes in technology. One of the most prevailing upcoming issues is the General Data Protection Regulation (GDPR), a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).
Data breach reporting soon to become mandatory
The EU GDPR will transform the way in which personal information is collected, shared and used globally. All organisations will have changes to make: in policy, processes and contracts, as well as in technical and organisational compliance measures. Reporting on data breaches will become mandatory under the new EU GDPR, placing a bigger onus on organisations to ensure that their personally identifiable information is adequately protected. The EU GDPR encourages the adoption of certification schemes as a means to demonstrate compliance to regulators, customers, stakeholders and the public. Getting certified to ISO 27001 can help organisations achieve their compliance objectives and protect themselves.
What will the future hold?
Ultimately, cyber threats will continue to escalate both in frequency and in the scale of damage. The EU GDPR will oblige organisations to improve their cyber defences to avoid possible fines of up to €20 million or 4% of annual global turnover. Clients, shareholders and the public will demand greater reassurance that their data is being protected in an effective manner. Certification schemes like ISO 27001 will continue to gain popularity as a way of achieving this level of assurance.
Free white paper download: reduce your cyber risk with ISO 27001 http://www.itgovernance.co.uk/cyber-secure-with-iso27001.aspx
Company: IT Governance
Name: Alan Calder
Phone: 44 (0)845 070 1750