The major TalkTalk cyber-security breach of 2015 caused a media frenzy that made it difficult to ignore. So serious was the breach's impact on customers' personal data that it was also raised in the House of Commons, and subsequently led to an inquiry by the Culture, Media and Sport Committee.
The resulting Cyber Security Report was extensive and included, as a key area,
“the adequacy of the supervisory, regulatory and enforcement regimes currently in place to ensure companies are responding sufficiently to cyber-crime”.
Specifically, it looked at the Cyber Essentials scheme and concluded that Cyber Essentials is a good entry level to cyber-security, but is not considered adequate for larger organisations or those handling large amounts of personal data. It also recommended that:
“Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber-ransom demands”.
It seems likely, therefore, that even the Cyber Essentials scheme will be widened for improved information security.
So what are the next steps towards improved information security management?
Without a doubt, the threat landscape is widening and, consequently, the demand from regulators, customers and the Executive Board to demonstrate effective information security management is growing.
Here are some of the key areas that may need consideration:
Incident management and response plan - if the recommendations from the report are followed, it makes sense to start implementing policies and processes now if they are not already in place.
Risk management - including identification, analysis, evaluation and treatment. Within the report, the Federation of Small Businesses (FSB) stated that it supports Cyber Essentials “but voiced a number of concerns, particularly concerning how it establishes and implements security controls without first identifying the assets, vulnerabilities and risks an organisation faces”. Practitioners would agree: risk management is one of the key foundations of any ISMS.
Measurement, reviews and audits - whether concerned about regulatory fines, customer compensation, better insurance premiums or indeed CEO bonuses, it will be important for the C-suite to demonstrate that they are measuring the effectiveness of their cyber-security plan.
Staff - still one of the biggest weaknesses in information security. How you recruit, induct, engage, train and exit employees all needs to be part of your information security plan.
Supply chain management - if nothing else, the changes introduced through the EU GDPR mean organisations will need, by law, to have the right policies and procedures in place to ensure their chosen suppliers are compliant.
Continuous improvement - cyber-attacks and vulnerabilities are on the increase and growing in sophistication. Organisations must look to continually improve their information security management; standing still is not an option.
Of course, all these things should form part of a comprehensive information security management system (ISMS), and there is no time like the present to start tackling them.
Start building your ISMS now with online tools and frameworks
Build your ISMS, step by step, using a pre-built ISO 27001 framework which alleviates the administrative burden of set-up and enables you to progress at your own pace.
Complete your gap analysis and easily report to key stakeholders on your implementation progress.
Elevate risk management beyond the spreadsheet with UKAS-accredited tools for your complete risk management process, together with pre-loaded associated policies.
Assign and track security incidents, with reporting and statistics to feed into management reviews.
Set information security KPIs, use a pre-built framework for management reviews and track corrective actions.
Measure your suppliers against KPIs and manage contact and contract reviews.
Manage your employee processes with pre-built frameworks for information security within the HR lifecycle.
Take a project approach to your ISMS implementation with collaboration, assigning, tasking and evidencing all taking place in one accessible and secure online solution.
And finally, when you are ready, seek external accreditation to clearly demonstrate your information security credentials.
With all the tools and frameworks for success, it really couldn't be easier to build an integrated and effective ISMS!