Question: As a small firm, what can you do to prevent cybersecurity attacks and safeguard your data and critical assets? Hint: Give your data privacy and information security practices a check-up. Get your ISO 27001 certification.
According to Gartner, the volume of cyberattacks increased by over 100% in Europe, East Asia, and Latin America in October and November 2020. Canada and Germany each saw a 250% increase. These numbers are incredibly high, and cyber attacks are inevitably becoming more sophisticated and more commonplace.
The Cyber Security Breaches Survey, a very influential research study on UK cyber resilience, tells us that of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). Of that 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.
Keep in mind that these attacks can be very costly for businesses of all sizes.
These studies beg the question: As a small business, what can you do to prevent cybersecurity attacks and safeguard your data and critical assets?
Hint: Give your data privacy and information security practices a check-up. Get your ISO 27001 certification.
Is an information security management system essential for practising better cybersecurity?
It is important to recognise that an Information Security Management System (ISMS) that is certified to ISO/IEC 27001 will go beyond just demonstrating to customers and prospects that your organisation has the relevant controls in place to protect sensitive information.
It is actually a great way to achieve an operational, organisation-wide and standardised approach to information security, complete with external validation from an accredited certification body. What’s not to like?
Several of the ISMS controls that are required to successfully certify to ISO 27001 are centred around asset discovery and inventory (things like end-user devices, software, and all types of IT hardware).
So, for a start, an ISMS will aid you in understanding your attack surface. Think of an attack surface as an end-to-end view of where an attacker could try to enter and exploit vulnerabilities in your organisation's IT environment, such as software or misconfigured cloud infrastructure. A successful entry can cause harm or seriously impact the confidentiality, integrity and availability of data.
ISO/IEC 27001:2022 edition is here
With more focus on cloud-first organisations with remote workforces, the 2022 edition of ISO/IEC 27001 brings the standard into the modern way of working, with some entirely new security controls including Information security for use of cloud services and threat intelligence. It is great to see the introduction of these additional controls given that more than 80% of organisations have experienced a cloud-related security incident over the past 12-month period.
The release of the 2022 edition will trigger a three-year transition period to give those organisations already certified time to integrate these new themes and control areas.
What are some quick wins on how small firms can improve their Information Security Posture and succeed with a more end-user-based approach to cybersecurity?
1. Roll out engaging cybersecurity awareness programmes
Gamified and engaging cyber security awareness training programmes will yield better results than the typical ‘mandatory’ employee training you ask new hires to complete as part of their onboarding.
Awareness training should speak to the user who is not familiar with the lesser-known complexities of information security, and if you can tailor the training by job function, even better.
This way of thinking encapsulates the 2022 cybersecurity awareness theme, ‘See Yourself in Cyber’.
2. Level up your ongoing cybersecurity awareness with full-scale phishing simulation campaigns
Related to cyber security awareness programs, you should start getting creative with full-scale phishing simulation exercises.
Did you know that last quarter saw a record-shattering number of observed phishing attacks (more than 1 million in a single quarter), fuelled in large part by attempts to target users on their mobile devices?
Phishing attacks are becoming more difficult to spot, with hackers adopting more sophisticated ways to exploit uneducated users within your organisation.
A great way to mitigate the risk of falling victim to a phishing attempt is to keep your users on their toes by conducting ongoing full-scale phishing simulation exercises.
It goes something like this…
Imagine a scaled and controlled delivery of a phishing email (disguised as a legitimate business-related email) dropping into all your users’ mailboxes.
Those users who engage with the email - by clicking a link for example (serial clickers!) - will get notified by your phishing simulation solution to say that they have clicked on a suspicious-looking link (remember this is happening in a controlled way).
The user is then made to complete additional cyber awareness training, with a focus on how to spot, and how to report phishing attempts.
Clicks like this usually happen when your users are on the go or distracted while scrolling through their inboxes on their mobile devices in a queue for coffee, or while sitting on a train on their way home from the office.
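The campaign loop described above, written out as an added example (not the article's or any vendor's code): it takes constructed per-user results from two simulated campaigns, measures click and report rates per campaign, and assigns follow-up training, with repeat clickers across campaigns (the ‘serial clickers’) routed to an extended module. The record format and the training level names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated phishing campaign (assumed schema)."""
    campaign: str
    user: str
    action: str  # constructed labels: "clicked", "reported" or "ignored"


# Constructed sample data: the same four users across two controlled campaigns.
SAMPLE_RESULTS = [
    Result("Q1-invoice", "alice", "reported"),
    Result("Q1-invoice", "bob", "clicked"),
    Result("Q1-invoice", "carol", "ignored"),
    Result("Q1-invoice", "dave", "clicked"),
    Result("Q2-hr-policy", "alice", "reported"),
    Result("Q2-hr-policy", "bob", "clicked"),
    Result("Q2-hr-policy", "carol", "reported"),
    Result("Q2-hr-policy", "dave", "ignored"),
]


def _rate(results, campaign, action):
    """Fraction of recipients of `campaign` whose outcome was `action`."""
    delivered = [r for r in results if r.campaign == campaign]
    if not delivered:
        return 0.0
    return sum(r.action == action for r in delivered) / len(delivered)


def click_rate(results, campaign):
    """Share of recipients who clicked the simulated link (lower is better)."""
    return _rate(results, campaign, "clicked")


def report_rate(results, campaign):
    """Share of recipients who reported the email (higher is better)."""
    return _rate(results, campaign, "reported")


def training_assignments(results, serial_threshold=2):
    """Map each user who clicked to a training level.

    Any click earns the follow-up module; clicking in `serial_threshold`
    or more distinct campaigns earns the extended module (assumed names).
    """
    clicked_in = defaultdict(set)
    for r in results:
        if r.action == "clicked":
            clicked_in[r.user].add(r.campaign)
    return {user: ("extended" if len(c) >= serial_threshold else "follow-up")
            for user, c in clicked_in.items()}
```

Tracking the click and report rates campaign over campaign is what shows whether the awareness programme is actually moving the needle.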
3. Train and enable your teams to use strong passwords
You have probably heard this a hundred times and maybe added more characters or numbers to your passwords. But it might not be good enough. Even worse, so far in 2022, ‘123456’ made it to the top spot of the most commonly used passwords list.
Password managers are the way forward. A password manager (an encrypted database protected by a complex password) will help you safeguard all your passwords without having to memorise them.
You can generate very complex passwords, which are incredibly hard to memorise. Once you and your teams start using strong passwords, you have a much better chance of protecting your organisation from data breaches.
4. Enable Multi-Factor Authentication (MFA)
Strong passwords alone are not enough and should always be paired with multi-factor authentication (MFA).
To secure your online accounts and the sensitive data they contain, make sure you have a multi-factor authentication solution in place. With MFA, your account is protected by more than just a username and password, which reduces the chance of being hacked.
5. Adopt an operational wide approach to cybersecurity by implementing an Information
ISO 27001 certification brings great benefits. It shows that your company has used best-practice information security methods, and of course it helps you gain a competitive edge in the market and lowers the chance of a costly breach. It’s win-win!
Article originated in CPO Magazine