
Cyber Security - What Would a Breach Really Mean for your Business?

Red Island

August 2014 - v1.0

As the internet has become increasingly important across every aspect of business, the risks posed by breaches of cyber security continue to rise.

Barely a week goes by without another high-profile cyber attack emerging, the latest seeing eBay asking its 233 million members to reset their passwords after a database was hacked earlier this year.

The latest World Economic Forum Global Risks Report [1] highlighted the scale of the threats posed by ranking cyber attacks in the top five likeliest risks to the world economy.

It warned the world “may be only one disruptive technology away from attackers gaining a runaway advantage”.

In the UK, research has suggested that the cost of cybercrime to businesses could already be in the order of £27 billion per year.

According to the Department for Business, Innovation and Skills’ (BIS) latest Information Security Breaches Survey [2], 93% of large organisations and 87% of smaller ones suffered a security breach in the last year.

The survey puts the average cost of breaches to a large organisation at £450,000 to £850,000 a year and £35,000 to £65,000 for SMEs.

The nature of cyberspace means breaches can happen very rapidly and on a huge scale. Businesses and organisations are also facing threats from a wide range of cyber criminals from every corner of the globe.

As well as criminals looking to access confidential customer data, others are targeting intellectual property or looking to cause serious disruption to a business.

As developments such as smart-grids, mobile working and the internet of everything gather pace, the potential opportunities for cybercrime will also increase.

[1] World Economic Forum Global Risks Report 2014: http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf

[2] BIS 2013 Information Security Breaches Survey, technical report: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf

The storage of more data in the cloud and the increased take-up of services such as Office 365 also raise questions about exactly where an organisation’s data is being stored and which legislation may apply to it.

IT IS VITAL TO SEE THE BIGGER PICTURE ON THE IMPACT OF BREACH

Much of the attention on cyber security focuses on the immediate consequences of being hacked, such as breaches of customer privacy.

But the ramifications for a business can be much wider. There is a growing number of incidents of systems being hacked to gain access to a company’s intellectual property, from product designs and formulations to sales databases.

As well as potentially falling foul of legislation covering data protection, there could also be serious regulatory consequences and penalties for companies which suffer data security breaches, particularly in sectors such as financial services.

The looming EU General Data Protection Regulations, which would force firms to give citizens the “right to be forgotten” by erasing all online records of their personal data, also raises the prospect of fines for non-compliance, which could run to 5% of turnover for each breach.

According to a recent survey commissioned by Trend Micro [3], there is a worrying lack of awareness among senior IT decision makers in the UK about the proposed far-reaching regulations.

Although some 87% of those questioned in Germany were aware of the changes, that figure fell to just 50% in the UK.

In addition to legal and regulatory action, the damage to the reputation of a business from a breach of security could be catastrophic.

[3] Trend Micro, “Half of UK businesses unaware of new EU data laws”: http://www.trendmicro.co.uk/newsroom/pr/half-of-uk-businesses-unaware-of-new-eu-data-laws/


A ROBUST INFORMATION SECURITY FRAMEWORK IS VITAL

As the threats from cyber criminals become ever more sophisticated, technology providers continue to develop new products and services to help organisations defend themselves.

But while advances in hardware and software have an important role to play, investment decisions can only be properly informed through having an effective information security framework in place.

As the nature of threats evolves and regulatory demands grow, taking a reactive or piecemeal approach to cyber security is becoming increasingly unsustainable.

A robust framework will drive the policy and processes which enable organisations to take a proactive approach.

A risk-based approach also enables organisations to anticipate and plan for changes and developments in good time.

This was demonstrated by one of Red Island’s clients. A major organisation in the international energy sector was subject to an attack which affected a number of major energy companies. The effects of this cyber attack on all of the target companies were significant. However, because the client had an ISO 27001 certificated system for prioritising security measures through a risk-based approach, and regularly monitored the effectiveness of its prioritised security controls, it was able to invoke processes and procedures which staff were already aware of and which the organisation had monitored and measured to ensure they were fit for purpose. This allowed it to minimise the ongoing impact of the cyber attack, and it was fully operational in a fraction of the time taken by other organisations which were subject to the same attack and did not have ISO 27001 certificated systems.

FOUNDATION ROLE OF ISO 27001

As the basic objective of ISO 27001 is to help establish and maintain an effective Information Security Management System (ISMS), it can provide a solid foundation for organisations to build a risk and governance framework and to manage technical security.

The process of working towards ISO 27001 helps organisations understand and manage information risks in a business context.

As well as protecting the business from loss or breach of information, it helps organisations take clear, informed and cost effective decisions on security controls and risk mitigation.

It also provides competitive advantage in an increasingly crowded marketplace. Many public and private sector tenders now demand suppliers hold ISO 27001.


ISO 27001 REVISION REFLECTS NEW CYBER SECURITY CHALLENGES

The growing issues surrounding cyber security are just one of the drivers behind a recent revision of the standard.

The new edition of the standard seeks to provide a more flexible and streamlined approach to promote more effective risk management.

The changes under the new standard represent a significant shift in approach. Greater flexibility is counterbalanced by an increased requirement from a risk treatment perspective.

Organisations have more freedom in how they define their risks and in identifying a narrower area of focus, but they must have an effective rolling risk treatment plan in place.

PCI DSS AND CYBER SECURITY

Organisations that store, process or transmit payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS) which aims to tackle identity theft and online fraud.

PCI DSS, which was developed by the payment card industry, helps ensure safe handling of sensitive information by providing a framework for developing a process for preventing, detecting and reacting to data security incidents.

It sets out requirements for security management, policies, procedures, software design, network architecture and other critical protective measures.

By taking a risk-based approach to PCI DSS, Card Holder Data (CHD) can often be removed from IT environments, avoiding the risk of cyber security breaches.

UNDERSTANDING AND MANAGING RISK IS A KEY PART OF CYBER SECURITY

Most organisations have risk policies and controls in place but unless information assets have been properly identified or classified, they could be vulnerable to breaches.

Understanding what information staff have access to, where it is, how it is held and transmitted, and who owns it is vital to assessing the risks a business is exposed to.

A thorough risk assessment identifies information risk levels and enables implementation of the correct level of mitigation policy and control.

Given the growth in the use of outsourcing by many companies, a robust and independent assessment of current and future third party suppliers is also important to protect against potential risks.

Staff also have a crucial role to play in protecting against the threat of cyber crime.

The BIS Information Security Breaches report found that more than a third of the worst security breaches in the year were caused by inadvertent human error and a further 10% by deliberate misuse of systems by staff.

RED ISLAND CONSULTING AND CYBER SECURITY

Red Island’s broad expertise across risk management, IT security and governance means we are uniquely placed to help organisations put in place the processes and procedures needed to protect themselves.

Our work with many clients has demonstrated the value of our approach, often finding highly cost-effective and simple ways to significantly reduce the risk of security breaches. Ensuring clients have the right processes in place can often reduce the need for significant investment in technology.


We look to add value throughout the process rather than just offering tick-box auditing.

Red Island’s unique approach has also identified ‘quick-wins’ for many organisations to reduce both the risks and costs involved with PCI DSS.

Even in cases where companies are fully compliant, we can highlight where they are carrying unnecessary risk or spending more on audits than needed.

Our Third Party Information Assurance offering provides a robust and independent assessment of current and future third party suppliers to protect against potential risks. Services range from one-off third party risk assessments of a particular supplier or project through to a fully managed service, where suppliers are regularly audited based on risk classification, enabling clients to identify trends and potential issues.

Red Island has also developed an industry leading e-Learning course, which provides a highly effective way to raise security awareness among staff.

The interactive format encourages staff to become more aware about information security issues to reduce threats and breaches.

It also promotes positive security behaviour at work, whilst travelling and at home.

CONTACT US

For more information about how Red Island can help your organisation please call one of our team on +44 (0)20 7090 1091 or email info@redisland.co.uk


London Office:

8 Fenchurch Place London

EC3M 4AJ

Company Reg. No: 4419878
