We live in a digital age. Data is now a commodity, with companies holding large amounts of information on their customers, suppliers and employees. They have a duty of care to protect this information and yet a 2018 survey of IT executives found most organizations were only “moderately ready” to handle cybersecurity threats. In a twelve-month period, it is estimated 77% of businesses will deal with a data breach, costing industry over USD 1 trillion.
Malicious cyber-attacks are just one of the ways in which a company’s stored data can be accessed either unlawfully or without authorization. Without adequate cybersecurity, systems can be put at risk by the behavior of employees, unsecured mobile devices, cloud storage applications, and third-party service providers. Breaches come in many forms – ransomware, malware, phishing, and denial of service – but their introduction into a company’s system can be as simple as an employee absentmindedly clicking on a link in a spam email.
The simple answer is everyone. It is estimated seven million data records are compromised every day. On average, a single data breach will affect 25,000 records, with an average cost of USD 3.26 million. A study by IBM has shown that the US is the most expensive country in which to have a data breach, and the most expensive industry is healthcare. In total, the US is top in terms of both data breaches and identity thefts, followed by South Korea for data breaches and France for identity theft. However, these figures need to be considered against the size of population, under which criterion the Netherlands and Sweden are disproportionately high in terms of data breaches. Obviously, there are concerted and targeted attacks on individual businesses, but what is clear from the statistics is that poor cybersecurity, and the resulting data breaches, affects all sorts of companies, of all sizes, and in all countries.
Victims and the systems being targeted can, at first glance, seem to be random. Research following a large data breach in the US found that hackers could easily control at least 55,000 internet-connected heating, ventilation, and air conditioning (HVAC) systems. Weak cybersecurity surrounding HVAC systems can be used to access other networks, by leapfrogging into the main corporate system. It is believed this route was used to steal data relating to 40 million credit and debit cards in the US. The hackers had previously gained access to the HVAC system by stealing the necessary login credentials from the third-party service provider of the retailer’s HVAC system. What may to many people seem completely unconnected – an HVAC system and financial records – can be the ideal route for a hacker to steal data.
It is clear no industry is safe from these costly data breaches. Manufacturing, education, retail, the public sector, hospitality and finance all regularly report data breaches, but the single largest industry affected is healthcare. It is estimated one in eight US citizens will have their medical information exposed at some point, with the primary motivation being financial gain. The majority of these threats, 56%, are internal, with human error being the main cause of the leak.
Containing more than a dozen standards, the ISO/IEC 27001 family provides an adaptable framework for companies looking to manage the security of their assets, including financial information, intellectual property, employee details, and any other information entrusted to the company by third parties.
The standard is delivered in two parts:
• ISO/IEC 27001:2013 (Part 2) – formal standard specification for an Information Security Management System (ISMS), against which an organization seeking certification will be audited. It contains the mandatory requirements an organization must meet for certification. Which controls are relevant to the organization is decided following a comprehensive risk assessment.
• ISO/IEC 27002:2013 – good practices for securing information and related assets
These standards adhere to the Annex SL process model structure, which helps to reinforce the fact that, for all companies, information security management is a continuous process, and this aligns the standards with other ISO standards as well.
There is a six-stage certification process for ISO/IEC 27001 – tailored proposal, pre-audit, formal audit stages 1 and 2, surveillance visits to check the system, and re-certification. Certification demonstrates that an organization is in compliance with requirements regarding the safeguarding and retrieval of records, secure keeping of test data, records of dealing with security incidents, protection of system audit tools, stature/training/independence of internal auditors and their access to senior management, and information security procedure documentation.
This standard promotes the implementation of a coordinated and integrated information technology service management system (SMS). It enhances an organization’s systems by highlighting opportunities and promoting continuous improvement and greater efficiency within the SMS. It achieves this by delivering better alignment between staff and procedure.
As with ISO/IEC 27001, the standard comes in two main parts:
• ISO 20000-1 – defines the requirements against which the organization will be assessed in relation to delivering managed services of an acceptable quality for stakeholders
• ISO 20000-2 – a Code of Practice that describes best practice for service management processes within the scope of ISO 20000-1
The adoption of both ISO/IEC 27001 and ISO/IEC 20000 will not only make a company’s IT security systems more robust; it will also demonstrate to employees, customers and other stakeholders that your organization takes IT service management seriously. Among the suite of service management processes, one specifically addresses information security, which in turn is made all the more effective by the standard. Other benefits of ISO 20000 certification include an effective way to deliver managed services, measure service levels and assess their performance, with a strong linkage to ITIL as well. You will assure clients that their service requirements are fulfilled, including information security. In a digital world, reputations can be made and lost by how seriously a company approaches the security of the information it holds.
SGS leads the way in helping organizations improve their cyber security. With targeted audit data from 604 companies, covering a six-year period, we understand where the major and minor nonconformities most commonly exist within a business.
In addition to certification and auditing services, we also offer a range of training courses to help organizations understand and implement ISO/IEC 27001 and ISO/IEC 20000: