Thankfully, today employees, managers and company boards generally recognise that information, data and cyber security is a business-critical issue. They may already have strategies to deal with it. Many companies are in the process of developing a robust information security management system, but a large number have still to take the first steps. Even for those organisations that believe they have matters in hand there are pitfalls. When a business’ survival is threatened by something less enigmatic than a cyberattack such as a dwindling customer base or rising costs, attention may be focussed away.
And that can be fateful. Why?
Because whatever the reason for a cyberattack, be it digital vandalism, extorting cash, stealing client details, espionage for commercial, industrial or political reasons or some other malicious purpose, the result will almost certainly be severe disruption requiring scarce resources to rectify.
The consequences can be economic, social or technical or a combination of all three. For example, an attack that demonstrates vulnerabilities in an information network requires technical measures to root out the problem and prevent it re-occurring. In some cases, the work involved can be so time consuming that it may be better to replace all affected equipment in order to ensure that the threat cannot be reactivated.
That was the solution a leading container line operator adopted following a ransomware attack. The company’s booking system being out of operation for some weeks resulted in a loss of revenue, reconfiguring the IT network required 4,000 servers 45,000 PCs and 2500 applications to be replaced. The total cost was put at something like $300 Million.
The reputational impact of successful attacks cannot be underestimated. Customers value the security of their data wherever it is stored and may well decide that organisations which cannot protect it are not worthy of their business and may switch to a competitor.
Being a very large company, the container line company relies enormously on its IT network for controlling bookings of tens of millions of containers and operation of almost a thousand ships. For a smaller company, the impact may not generate the same headlines, but even scaled down it could force a company out of business.
Everyone is a target
Today, every commercial organisations, not only ICT companies, are a likely targets. Even health schools and health services have been targeted. The latter is currently one of the most affected perhaps because the vast amount of personal data being held.
In August 2022, the UK’s National Health Service’s 111 emergency number was subjected to a ransomware attack. The 111 service is a back-up to the main health emergency 999 service for people needing less urgent medical assistance out of hours. The attack meant patients deprived of help and others were sent to general practitioners when they need not have been. This was not the first attack. In 2017, NHS had a ransomware attack by criminal gangs reported to have cost the over £20million.
The total cost
Most attacks originate online, often through phishing using email systems, compromised or stolen devices, like laptops or mobile devices, attached to a network. Even USB sticks can be a source. Around half (49%) of all organisations in a recent study reported being victim of a web-based attack, 43% mentioned phishing, 35% were affected by general malware and 26% by an SQL injection. This is a type of attack that infiltrates databases causing errors or even downloading the whole database to a hacker’s computer. Denials of service were experienced by one in five organisations.
Last year a global coalition of technology companies and law enforcement bodies including the FBI, Microsoft and Amazon was calling for "aggressive and urgent" action against ransomware. The Ransomware Task Force (RTF) says it has become a serious national security threat and public health and safety concern. It is having a huge impact on the economy and the ability for ordinary people to access critical services. Estimates indicate that the global cost of ransomware, including business interruption and ransom payments in 2020 alone, was somewhere between $42bn and $170bn. Although, the exact figure will never be known as many victims prefer to remain silent about the impacts on their operations.
Tightening your grip
With so much at stake it is not surprising that organisations are beginning to take action to reduce the risk. But for some it is difficult to know where to begin. Arguably the most sensible way to understand the actual risks picture, deploy means to prevent security breaches and processes to handle any incidents is to develop an information security management system compliant with international best practices such as ISO/IEC 27001, the most recognised standard for information security management systems.
It provides a structured framework for developing and implementing processes and security controls, ensuring management commitment and employee training, for example.
Many organisations already have quality, environmental or occupational health and safety management systems. The concept and approach are the same and the new version of ISO/IEC 27001 is aligned to ISO’s High Level Structure (HLS) to make integration easier.
Adding certification to ISO/IEC 27001 by an independent third party provides assurance internally and trust toward stakeholders that you have sound systems in place to manage information, data and cyber security risks.
Increasing competence - the key to a robust ISMS
Individuals are increasingly the critical entry point for and defence against information leaks cybercrime.
Managing information security in a fast-transforming environment
Cybercrime is constantly changing and with it means of attacking networks, stealing information or holding victims to ransom.
The road to success - a journey to ISMS certification
Unless an organisation is very new or is at an early stage of growth, it is highly probable that it has already implemented some form of management system such as quality control or environmental awareness.