2016 will be remembered by many for some of the alarming cyber events that took place.
There were the allegations that the Russians may have influenced the US presidential campaigns through email interference.
Yahoo announced 500 million user accounts were stolen in 2013, endangering the terms of their acquisition negotiations with Verizon.
Outages of nearly 11 hours disrupted over 1 billion users worldwide in one of the largest cyber attacks in internet history. A DDoS attack on US DNS provider, Dyn, affected major sites including eBay, Twitter, Reddit, Spotify, and Amazon.
The attack was executed by taking over multiple hacked surveillance cameras, routers, DVRs, and other “connected” devices, and then using those devices for coordinated DDoS assaults. The incidents were attributed to malware, Mirai, and highlighted the vulnerabilities in IoT security.
It is fair to say that cyber attacks are getting bigger and bolder and are exploiting security weaknesses of organisations large and small, across all industries.
Whether a breach directly results in financial losses, damaged reputation or shareholder value – they all have a cost.
There can be few organisations not placing information security high on their list of 2017 priorities. Indeed, stats reflect cyber security spend continuing to rise.
However, more security spending doesn’t necessarily equate to higher protection!
An information security management plan for 2017
There is an abundance of excellent security solutions and tools on the market but what is essential, before committing funds, is a strategy. A plan is needed and a system for managing information security throughout the entire organisation and its employees.
Organisations should be thinking in terms of risk prevention and mitigation and understanding what the risks to their business are. They can then take proactive steps to detect and prevent them.
Amongst those risks will almost definitely be the legislative requirements of GDPR. The threat of fines of up to 4% of global turnover certainly means a compliance preparation plan will be needed. With only until May 2018 to effectively meet the requirements of GDPR, work needs to start now.
Where to start?
There is no need to re-invent the wheel.
Choosing whether to seek external accreditation to a standard is a commercial decision based on many factors, including competitive advantage or whether your customers and supply chain seek such assurances. What is becoming clear is that organisations are increasingly being asked not just to describe their information security management processes but to demonstrate them.
An externally audited ISO 27001 is verification of a demonstrable and effective ISMS.
Building or improving your ISMS now will allow you to integrate the compliance requirements of GDPR.
Don’t break that New Year’s resolution!
We know from our own and our customer’s experiences that implementing an information security management system is a significant undertaking.
Many have found it difficult to maintain momentum with their project as other business priorities emerge.
Others have tried to achieve what they hope will be shortcuts. Hiring somebody to do it for you or buying document toolkits simply get you a system that describes what should be done. In many cases, they include unactionable policies that do not reflect your way of working and can cause the project to stall after initial delivery.
That’s why we built a cloud software solution to manage the entire ISMS project. Following recognised frameworks and using actionable policies alongside the tools allow you to successfully manage the required processes and fully demonstrate an effective ISMS.
If there is one business critical New Year’s resolution that you should keep, it’s improving your information security management.
Discover how ISMS.online can help
Or visit www.isms.online for more information
Julia Heron is the ISMS Solutions Specialist for ISMS.online.