All a little over the top, but the sentiment is a reality. Cyber crime is a widespread concern, and recent findings suggest that companies should worry not only about threats from external sources but also about the increasing risk of internal threats. Recently, Ray Woodford, UK Product Manager for ISO 27001 and ISO 22301 at SGS United Kingdom Limited, looked at how businesses can better educate their staff on information security and why such incidents happen in the first place. The company is also one of a small number of certification bodies in the UK to have achieved UKAS accreditation to certify companies to ISO 22301, the business continuity standard designed to help organisations respond to such threats.
The reality with many of these concerns is that there is a human element to them. When an employee accidentally opens a social media scam or phishing email, in most situations (after panicking) his or her immediate reaction is to promptly close the link, discard the evidence and breathe a sigh of relief that the problem has hopefully disappeared or been resolved. The chances are that some of you have fallen victim to this slip-up on at least one occasion, and it may have seemed harmless at the time, but this type of incident can be a business's worst nightmare when it comes to keeping information secure. It is here that ISO 22301 certification can increase a company's resilience and recovery, as well as improving its risk profile with clients, insurers and other stakeholders.
With more than 50% of the worst data breaches in 2015 caused by inadvertent human error, and at least 75% of large organisations suffering staff-related security breaches (up from 58% in 2014), according to the HM Government Information Security Breaches Survey 2015, it is not hard to see why untrained staff can be the biggest nightmare for companies. These sorts of incidents are increasing and are a demonstrable threat to business continuity.
When an employee carelessly clicks on an unsafe link, it is rarely done in full knowledge of the consequences. Opening a dangerous email link can result in malware being downloaded onto the device. This leaves the device and the network it is connected to open to a variety of attacks, from financial loss or data loss to extortion (e.g. Cryptolocker ransomware). In addition, a high proportion of cybercrime is known to involve, at least in part, a rogue insider or an ex-employee. The worry is that employees do not recognise these as real threats.
A LogRhythm survey revealed that 86% of UK consumers do not know what spearphishing is, while 40% of those have accidentally shared confidential information by clicking on suspicious links. At the same time, 66% of staff members do not receive any form of cyber security training. The disturbing reality is that employees who are not adequately trained are less likely to understand how to identify or deal with possible security breaches. Attackers can then exploit this weakness to infiltrate networks and gain access to large volumes of data.

Many suppliers are now being asked to comply with ISO 22301, particularly those working for government departments and multinational corporations. The whole process of Business Continuity Management, identifying potential threats to an organisation and their impact, has taken on a new importance. Increasing numbers of organisations are demanding evidence that their suppliers and business partners comply with information security management standards in order to protect themselves against cyber breaches. ISO 27001:2013 certification demonstrates the integrity of a company's systems and its ongoing commitment to information security, giving both current and potential customers confidence that their data is safe and secure.
The focus is no longer only on the latest software on the market; companies must now be proactive and invest more time in educating their staff about the issues at hand. Employees need to understand that they too have an individual role to play in keeping their company's information secure. Technology alone will not protect a company from an attack, particularly when outside threats are increasing as technology develops, and many cyber threats are now growing faster than the technology used to combat them. It is crucial for organisations to ensure that they have adequate information security policies and procedures in place, along with a high level of staff awareness training, so that their employees are quick to notice and report suspicious activity. Building a culture of information security throughout a company will help to reduce the risk of data breaches and minimise the effects on assets and systems.
Ray Woodford understands that this is a difficult issue for many organisations to take on board.
"Recent cyber attacks on businesses have been wake-up calls about information security policies and controls. Employees need to be aware, trained and diligent about their actions in the workplace. The right procedures, the right information and the right accreditation offer a real solution to the problem of individual employee errors."
There is real hope, though, as the HM Government Information Security Breaches Survey found that organisations with security policies and internal education programmes experience a third fewer breaches. The study also confirmed that ISO 27001, the Information Security Management Systems (ISMS) standard, remains the world's leading standard for security management. It provides a best practice framework for managing and protecting information by systematically identifying and assessing the risks to that information and the potential threats behind them. Certification to ISO 27001 also helps companies demonstrate that they are meeting regulatory obligations and that their processes and procedures are good enough to protect the information that is vital to their business.
Organisations are not left in the dark when it comes to cybercrime, as there is help available from organisations such as SGS. To help mitigate the risk of internal threats from uninformed or unsuspecting employees, ISO 27001:2013 places equal emphasis on training and on the role of leadership in driving communication down to all levels of the organisation, so that staff are kept informed about new policies.
It is hardly surprising that when an organisation experiences a data breach it can take months or even years to recover, and some companies fail to recover at all. Effective technology is a vital defence, but if employers continue to overlook the need for information security management and internal training, then attackers will continue to take advantage of that weakness and the likelihood of a successful cyber attack will increase.