Setting up an Information Security Management System to ISO 27001 is no longer an IT decision. It is a corporate decision to safeguard all of your company's critical assets against the newest and largest criminal enterprise in the world.
We are All Connected to the Core
Are your organization’s critical systems, people, processes, information assets, intellectual property, customer data, client quotes, pricing, contracts, finances, sensitive emails/communications, and employee information connected to the internet in some way?
What a hilarious question, right?! Of course, EVERYTHING is connected and EVERYONE is connected. We all already knew that.
But, let’s add to that question with a few more:
-Do you know how this information is protected, encrypted, handled, processed, stored?
-Do you know which systems are handling, processing, storing, supporting these information assets?
-Do you know who touches that information, how much they touch that stuff, when they touch that stuff, who can manipulate the logs of that stuff, and who can give or grant MORE access to whom for that stuff?
Not a clue?
Those questions are funny, right?! Yes, but the answers to those questions will probably shock and haunt most CEOs, because they have no clue what the answers are.
If you are having trouble answering any of the above questions, it is time to ask yourself, “Should we really get ISO 27001 Certified?”
We will answer this at the end. But first, a bit of context...
$10.5 Trillion Context
It is estimated that, globally, cyber incidents, ransomware, breaches, etc., were expected to cost companies $6 trillion in 2021 and will inflict $10.5 trillion in damages due to by 2025, according to a recent report by Cybersecurity Ventures. This is an expected growth increase of 72% over 4 years!
ARORA Solutions' Top Cyber Threats To Learn About
Now, that you have feeling for the severity of the issue facing us all, let’s get a better understand of what threats are out there. The following is a short-list of some of the top cybersecurity issues and threats we are facing today in our organizations, around the globe:
1) Malicious Cyber Threat Actors
There are people sitting in their mom’s basement, government-sponsored threat actors in a Russian bunker, and cyber nomads living on some island in the Pacific profiting by exploiting your data and selling it on the dark web. This is the world we live in.
2) Gone Phishing
Your employees are the best at getting “phished”. Most people don’t know the difference between “fishing” and “phishing”. “Fishing” allows you to catch a bass and get a meal. “Phishing” allows you to catch a nasty case of malware and lose all your company’s intellectual property worth millions. This is why employee awareness education is the most critical element to any cyber defense playbook. “Spear phishing” and “social engineering” are other types of targeted ways nefarious threat actors can gain keys to your kingdom. Brush up on ways to mitigate these risks by being informed and at the level you need to be commensurate to your risk tolerance.
3) Malware from Unknown Universes
BYOD (bring-your-own-device) policies without adequate management and endpoint protection offer a host of issues. Getting a handle on who is accessing your network, from where and which device, is essential to saving your organizational assets. To add insult to injury, poor IT and endpoint management solutions, themselves, could be to blame. Recently, Kaseya VSA a major Software-as-a-Service (SaaS) utilized for remote access and endpoint device management had a major vulnerability in December 2021.
4) Ransomware Conundrum
This is a type of malware that encrypts your corporate data and requires payment for the decryption key, usually in the form of cryptocurrency. Paying helps support the Ransomware-as-a-Service cartels prosper. Not paying means you lose all of your critical data. Paying may also not result in getting your data back and/or you could still be subject to future or latent backdoor exploits. Proper training (on phishing specifically) and proper malware prevention tools are the keys here.
5) Do-it-Yourself Could Mean Doing it Wrong
Locally managed services, platforms and infrastructure, via on-premises ("on-prem") servers, are now fading into the ether. However, this is still not the case for many organizations. Microsoft had one major on-prem Exchange exploit effecting thousands of organizations back in March 2021. A post-authentication remote code execution (RCE) vulnerability in Exchange Server was detected by Microsoft Threat Intelligence Center (MSTIC) and attributed to HAFNIUM, a supposed state-sponsored hacking group based in mainland China. Microsoft 365 / Exchange did not have the same issues as on-prem versions because it was patched immediately. For those organizations with on-prem instances of Exchange, it required frantic patching efforts by IT teams around the world. Not everyone patched expediently and were exposed.
6) Loss of Control in the Cloud
In the past, organizations were managing their own physical servers and infrastructure. Now, we have moved to hybrid cloud or fully to the cloud Infrastructure-as-a-Service (IaaS), for the better. But, it is essential for all organizations jumping into the cloud to carry a parachute. Managed Services Providers (MSPs) can reduce risk by taking on some of the burden, as well as educating you how to configure, patch and monitor your infrastructure, networks, systems, and devices. Yet, it is still the responsibility of any organization to stay informed. Furthermore, orgs should adopt the principle of least privilege and only grant certain access to users on a need-to-know basis, for their specific role, function, and project, especially if critical customer or company data is being managed.
Information Insecurity vs Information Security
We know the threats are everywhere, and the costs are real. Yet, on a positive note, everything is manageable when you have a way to manage it, continuously improve it, and provide independent assurance to back it.
This way is developing an Information Security Management System (ISMS), defined within international standard, ISO 27001 with implementation guidance in ISO 27002.
By setting up an ISMS and an information security committee to govern it, top management, such as CEOs and Boards, can start to understand how these evolving vulnerabilities, threats, risks and disaster scenarios can be mitigated and managed. Setting up an ISMS will also serve to centralize efforts, gaining efficiencies, for your team's cyber security program and strategy.
Once you set up your Information Security Management System, then you can proceed to getting this independently verified by an internationally accredited Certification body (or conformity assessment body). This offers your customers, investors, partners, and suppliers a level of assurance that may one-hundred-fold surpass what you could offer them walking in off the street with a small IT team.
In Conclusion, Let’s answer the question: “Should we really get ISO 27001 Certified?”
Answer:
Yes and please do something to defend yourself against the largest criminal enterprise in the world. It’s cyber warfare out there. Consider your organization lucky if you haven’t yet been phished, socially engineered, hacked, ransomed, or been taken advantage of in another way. When this happens, not if, let’s hope that you are prepared and ready for it. Implementing an ISMS to ISO 27001 will help prepare you for the worst.
Now that you know the potential risks and the environment we are facing, it is up to you to get started!
About ARORA Solutions
ARORA Solutions is a human-centric auditing and technology company focused on delivering security, health and peace to people and organizations. We have a wide array of expertise in Information Security Management Systems consulting, auditing and implementation. Our track record of successful management systems audit and implementation deployments includes major companies in the information technology, consulting, healthcare, manufacturing, finance (Fintech), and food sectors.
We are committed to a sustainable world. Moreover, our company culture incorporates these four pillars in our day-to-day life, business and work:
Humans - With ethics, presence, honesty, and open ears
Security - For our data, information, privacy and safety
Health - For mind, body, the whole organism, the earth
Peace - For the world, assurance, integrity, integration, cohesion