
Why Information Security?

28 June 2017
Information Security has been in the news a great deal recently. Our technical expert Chris Smith gives his view on how an effective ISMS can play a significant role in keeping sensitive company information secure.

Information Security has been brought to the forefront in recent times, most notably by the WannaCry cyber-attack which crippled parts of the NHS in the UK. However, cyber-attacks are only a small piece of a larger puzzle when it comes to protecting your information systems.

Information Security is broadly described by Wikipedia as “the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)”.

Your information doesn’t need to be electronic for it to be a valuable commodity to the unsavoury characters out there. A break-in at your premises resulting in the physical theft of design drawings, employee files or commercial contracts can have the same effect as a cyber-attack. The threat doesn’t stop there either. Awareness and staff training also play a big part: if your employees don’t know how to handle information correctly, they too pose a risk to information security.

This is where an effective Information Security Management System (ISMS) can play a significant role. An ISMS manages sensitive company information systematically so that it remains secure, covering IT systems, processes, people and infrastructure. The ISMS applies a risk management process to every aspect of information handling across the business in order to preserve the confidentiality, integrity and availability of information.

Furthermore, many large corporate businesses and governments are making ISO 27001 a prerequisite for organizations wishing to enter into contract talks. ISO 27001 specifies a management system that brings Information Security under the direct control of top management. For example, ISO 27001 requires management to:

  • Examine the information security risks facing the organization, taking into account vulnerabilities, threats and the impacts these pose.

  • Develop and implement a system of information security controls, or adopt other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are discovered.

  • Maintain an effective management process to ensure the ISMS continues to meet the needs of the business.

So why is ISO 27001 important?

So why is ISO 27001 important, and what benefits can implementing the standard bring to an organization? Not only does it ensure that the business manages its security risks in a cost-effective way, it also demonstrates to customers that the organization is serious about the security of information and about doing things properly. This gives customers and business partners a great deal of confidence in the way the organization conducts its day-to-day business.

So what are the benefits? There are many, such as the examples listed below:

  • Keeps information secure
  • Demonstrates commitment to information security to interested parties
  • It is the internationally recognised standard for information security management
  • Provides confidence for customers and stakeholders in regards to how risk is managed
  • Secure interoperability between organizations
  • Ensuring legal obligations are met (e.g. Data Protection Act)
  • Competitive advantage
  • Enhanced customer satisfaction
  • Creates and maintains a security aware culture
  • Consistency of products or services
  • Protection of assets, the company, shareholders and top management.

Many of the advantages have been listed; however, let’s look at a few more closely. A good example is the unique selling point, or competitive advantage, that ISO 27001 brings, especially if you handle sensitive client information. In ever more competitive markets it can be hard to differentiate between organizations at tender time, and an effective ISMS could be the “tick in the box” that wins the next contract.

ISO 27001 brings a structured approach to compliance, enabling an organization to meet the various regulations covering data protection, IT governance and privacy in an efficient way and ensuring its legal obligations are met (let us not forget the imminent arrival of the General Data Protection Regulation (GDPR) in May 2018). Certification can also be one of the quickest and easiest ways to demonstrate the effectiveness of the ISMS.

An ISMS also adds clarity to questions such as who is responsible for each information asset, who makes decisions regarding information security, who has access to information systems and who has the authority to grant that access.

It may be said that implementing an ISMS comes at a cost, and yes, initially there is a financial cost and a great deal of time spent on the risk assessment, the risk treatment plan and so on. However, the return on investment comes when the reduction in incidents lowers your expenses. For example, the Information Commissioner’s Office (ICO) can impose a fine of up to £500,000 for serious breaches of the Data Protection Act (DPA), and can also bring criminal prosecutions for offences under the DPA. As you can see, the potential consequences far outweigh the initial cost.

You may well think that data breaches don’t happen to big companies, since they have numerous security measures in place and can invest vast amounts in protecting their information. As the examples below show, even big organizations can get caught out. After a brief search of the company websites it doesn’t appear that these companies have adopted ISO 27001 (disclaimer: this may not be the case).

Zomato (2017) - Provides users with an online guide to restaurants, cafes and clubs, reported that data from 17 million users had been stolen, including email addresses and hashed passwords.

NHS (2017) - The recent WannaCry ransomware infected 47 NHS England Trusts and hundreds of thousands of computers at organizations across the world.

Wonga (2017) - The payday loan company suffered a data breach that could have hit as many as 245,000 of its customers, exposing bank account numbers and sort codes.

Three (2017) - A major breach of Three’s customer upgrade database revealed over 200,000 customers had some form of data compromised.

Major Indian Banks (2016) - A major data breach was reported which affected SBI, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank. An estimated 3.2 million debit cards were compromised.

Anthem (2015) - 80 Million patient and employee records compromised costing Anthem well over $100 million.

Home Depot (2014) - 56 million payment card accounts and 53 million email addresses were stolen. The breach is reported to have cost the company $80 million after hackers gained access to the company’s network using stolen credentials belonging to a vendor doing business with the hardware giant.

A recent survey of 250 organizations by IT Governance found that they had either implemented (40%), were in the process of implementing (40%) or were thinking about implementing (20%) ISO 27001. Implementing an ISMS alongside other management systems is easier than ever, and the average cost is between £5,000 and £20,000 depending on the size of the organization.

So the big question is…Can you afford to be left out?