Author: Luke Irwin

Organisations that adopted hybrid working during the pandemic have had to adjust many policies and processes, but one that they may have overlooked is their CIR (cyber incident response) plan. Before the pandemic, you could safely assume that most employees were based in the office and therefore in a controlled environment. That made planning for disruptions comparatively straightforward: you knew where everyone was located, you had complete visibility over your threat landscape and you could communicate with everyone directly. But hybrid working complicates that. Although it comes with huge logistical and financial benefits – plus it makes employees happier – it

The post How to create a cyber incident response plan when you have a hybrid workforce appeared first on IT Governance UK Blog.

Cyber security is becoming an expensive endeavour for organisations – and in many cases, the costs are so high that they can’t deal with threats appropriately. In fact, a Kaspersky report has found that only half of organisations have a dedicated IT security team, and only one in five has the tools to monitor and respond to cyber security incidents. This is despite increased data protection requirements, with the introduction of the likes of the GDPR (General Data Protection Regulation), and a growing number of cyber attacks, many of which have sparked high-profile debates about the importance of an effective

The post How to manage the growing costs of cyber security appeared first on IT Governance UK Blog.

When employees were asked to work from home at the start of the COVID-19 pandemic, some people struggled to adapt. Isolated from colleagues and lacking the structure of office life, it felt like it would be a long, tiring wait until working life returned to normal. But in the year and a half since, we have come to accept that remote working is here to stay – although perhaps not quite as prescriptively as before. A report published by Microsoft Surface and YouGov found that 87% of organisations have adopted hybrid working, in which employees divide their work time between

The post The compliance challenges of hybrid working appeared first on IT Governance UK Blog.

Cloud computing has become an integral part of business, providing affordable and flexible options for organisations as they grow. But as Cloud services become more popular, they become increasingly lucrative targets for cyber criminals. If they’re not properly managed, they create a raft of vulnerabilities that can be exploited to great effect. This is particularly the case for MSPs (managed service providers), which often work with dozens, if not hundreds, of organisations. As a result, a single vulnerability could have far-reaching consequences. According to one report, a cyber attack on an MSP could result in $80 million (about £58 million)

The post Why MSPs must prioritise Cloud security appeared first on IT Governance UK Blog.

When it comes to the ideal post-pandemic work environment, employers and employees have very different ideas. According to a Microsoft study, 73% of workers want to keep the flexible work arrangements created in response to COVID-19, and 67% want a return to in-person collaboration. The overlap in these figures suggests that there isn’t a clear divide between those who want to stay at home and those who want a return to the office. Rather, many people want a hybrid working option that gives them the benefits of both set-ups. Depending on how hybrid working is implemented, this could

The post What are the cyber security challenges of hybrid working? appeared first on IT Governance UK Blog.

The way Cloud service providers in the UK operate has changed dramatically in the past few years, thanks to a pair of regulations that have taken effect. The first – the EU GDPR (General Data Protection Regulation) – should be familiar to most, but you also need to understand the NIS Regulations (Network and Information Systems Regulations 2018). Both of these place an added emphasis on organisations’ ability to prevent data breaches and ensure that critical infrastructure remains operational in the event of a disruption.

Streamlining compliance

Both regulations contain a long list of requirements, many of which we discuss in

The post The benefits of NIS Regulations and the GDPR for Cloud service providers appeared first on IT Governance UK Blog.

Who will you call when your organisation has been compromised? Having a cyber incident response team ready to go can save your organisation from disaster. There’s no escaping the threat of cyber security incidents. Criminals are constantly poised to exploit vulnerabilities, and employees use complex IT systems where mistakes are bound to happen. Investing in cyber defences can reduce those risks, but organisations need to be ready for threats they can’t prevent. A CIR (cyber incident response) plan does just that, outlining strategies for identifying and responding to security breaches. An effective plan can quickly stop disruption from turning into

The post How to build a cyber security incident response team (CSIRT) appeared first on IT Governance UK Blog.

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system). However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them. What

The post ISO 27001 vs. ISO 27002: What’s the difference? appeared first on IT Governance UK Blog.

People are the weakest part of any organisation’s security defences. You can spend months designing flawless processes and investing in state-of-the-art technology, but both only work if the people using them know what they’re doing. That’s why information security policies are among the most crucial elements of an organisation’s defence. They contain a list of instructions for staff to follow in various scenarios and cover a range of topics, such as acceptable passwords and how often to back up data.

What do information security policies do?

Information security policies are usually the result of risk assessments, in which vulnerabilities

The post What is an information security policy? appeared first on IT Governance UK Blog.

The threat of cyber security incidents looms over all organisations. There are simply too many things that can go wrong – whether it’s a cyber attack, a technical malfunction or another delay – to assume that operations will always be functional. And when disaster strikes, time is of the essence. The longer it takes to respond, the more likely it is the costs will escalate. That’s why it’s essential to have an incident response plan. By preparing for the inevitable, you can act quickly to identify and mitigate the damage. In this blog, we look at five ways you can

The post 5 tips for incident response management success appeared first on IT Governance UK Blog.

Cyber security affects companies of all sizes in all sectors. Moreover, threats are constantly evolving and your legal and regulatory requirements have become major issues – particularly with the introduction of the GDPR (General Data Protection Regulation) and NIS Directive. All of this means that regular communication between management and the board regarding cyber security is more important than ever. It’s only by discussing these issues regularly and in a formal environment that you can protect your sensitive data and company interests. As you have probably seen, failure to do that could result in staggering financial penalties. So how should

The post 12 cyber security questions to ask your CISO appeared first on IT Governance UK Blog.

As organisations prepare for what life looks like in a post-pandemic world, one of the many issues they’ll have to address is IT security for home workers. A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – to complete tasks. And you had better hope they have technical skills, because should they experience any technical issues, there’s only so much your IT team can do to help. According to the Velocity Smart Technology Market Research Report 2021, 70% of remote workers said they had experienced IT problems during the pandemic,

The post The cyber security risks of working from home appeared first on IT Governance UK Blog.

Welcome to our first quarterly review of cyber attacks and data breaches. For several years, we’ve produced a monthly list of security incidents, comprised of publicly disclosed breaches from mainstream publications. At the start of 2021, we decided to expand our research to learn more about the organisations that are being breached and how they were falling victim. We’ll present our findings at the end of each quarter, providing key statistics and observations. This includes year-on-year comparisons in the number of incidents that were detected, a review of the most frequently breached sectors and a running total of incidents for

The post Data breaches and cyber attacks quarterly review: Q1 2021 appeared first on IT Governance UK Blog.

Too often, organisations fall into the trap of thinking that cyber security is only about preventing data breaches. Their budget is dedicated to anti-malware software, firewalls, staff awareness training and a host of other tools designed to prevent sensitive information falling into the wrong people’s hands. But what happens when those defences fail? It’s a question all organisations must ask themselves, because even the most resilient systems can be compromised. You can’t assume that an employee who has taken a training course will never make a mistake, or that a trusted third party won’t have a misconfigured database. Data breaches

The post Would you know if your organisation had suffered a data breach? appeared first on IT Governance UK Blog.

So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what? That’s a question countless organisations are asking themselves nowadays, with attacks increasing and, according to Mimecast’s The State of Email Security Report 2020, organisations suffering three days of downtime on average following a ransomware attack. The problem often stems from a malicious attachment contained within a phishing email. If an employee opens it, the malware spreads rapidly through the organisation’s systems, locking you out of your files. When this happens, many victims feel obliged to

The post How to protect your organisation after a ransomware attack appeared first on IT Governance UK Blog.

It’s been rough sailing for organisations in the past year or so. In addition to the ongoing challenges of COVID-19, there are the effects of Brexit, increasing public awareness of privacy rights and regulatory pressure to improve data protection practices. And, of course, there is the threat of cyber attacks. According to a UK government survey, 39% of UK businesses came under attack in the first quarter of 2021, with many incidents causing significant damage. The specific costs will depend on the sophistication of the attack and how well executed it was. For example, a DDoS (distributed denial-of-service) attack could

The post The cost of a cyber attack in 2021 appeared first on IT Governance UK Blog.

The UK data protection landscape is a lot more complex following Brexit. Many organisations are now subject to both the EU GDPR (General Data Protection Regulation) and the UK GDPR (General Data Protection Regulation). The UK version was born out of the EU GDPR, so you might think that there are only cosmetic differences and that minor actions are required to adjust your documentation and compliance practices. Unfortunately, it’s not that straightforward. If you haven’t done so already, you must ensure that your data protection policies and procedures account for both sets of requirements. In this blog, we look at some

The post Updating your data protection documentation following Brexit appeared first on IT Governance UK Blog.

Cyber criminals have many tricks up their sleeves when it comes to compromising sensitive data. They don’t always rely on system vulnerabilities and sophisticated hacks; they’re just as likely to target an organisation’s employees. The attack methods they use to do this are known as social engineering. In this blog, we explain how social engineering works, look at common techniques and show you how to avoid social engineering scams.

Contents

- What is social engineering?
- Why social engineering works
- Common social engineering techniques
- How to protect yourself from social engineering

What is social engineering?

Social engineering is a collective term for

The post How to avoid social engineering scams appeared first on IT Governance UK Blog.

Cyber Essentials is one of the most cost-effective ways of bolstering your organisation’s information security. The UK government-backed scheme is designed to help organisations address common weaknesses without having to spend a fortune overhauling their cyber security practices. In this blog, we explain the costs involved in Cyber Essentials certification, including consultancy fees, renewal and advancing to Cyber Essentials Plus.

The cost of Cyber Essentials

IASME, the certification body that oversees Cyber Essentials certification, charges £300 plus VAT for an assessment. However, organisations must also factor in the costs of preparing for the assessment and aligning their practices with the

The post How Much Does Cyber Essentials Cost in 2021? appeared first on IT Governance UK Blog.

If you’re a small business owner, cyber security might seem impossibly complicated and filled with endless pitfalls. There’s indeed a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data. But fortunately, the path to effective security needn’t be difficult. In this blog, we explain what you need to know about cyber security for small businesses.

Why cyber security presents unique risks for SMEs

The difficulties that small businesses face when addressing cyber risks can be separated into the financial costs of the incident itself and the costs involved

The post Small business cyber security: the ultimate guide appeared first on IT Governance UK Blog.

As you start your ISO 27001 implementation project, you probably want to know as much as possible. Some people attend training courses to pick up knowledge of ISO 27001, and others go one step further, hiring an ISO 27001 consultant to guide them through the process. Those are both excellent options for those with the time and budget, but what if you’re looking for a less expensive approach? In those cases, you should never underestimate the influence of a book. Indeed, most information security professionals begin their journeys by picking up a book or two on ISO 27001, because

The post 3 must-read books on ISO 27001 appeared first on IT Governance UK Blog.

Organisations that implement ISO 27001 must write a secure development policy. The requirements for doing this are outlined in Annex A.14 of the Standard: System acquisition, development and maintenance. In this blog, we explain how you can use ISO 27001’s guidelines to create your policy, and take a look at some of the controls you should implement.

What is a secure development policy?

A secure development policy is a set of rules that help organisations mitigate the risk of security vulnerabilities in development environments – i.e. the workspaces where organisations make changes to software and web applications without affecting the

The post How to create an ISO 27001 secure development policy – with template appeared first on IT Governance UK Blog.

Protecting your organisation against cyber attacks can sometimes feel like a never-ending game of security whack-a-mole. As soon as you’ve secured one weakness, another one appears. This can demoralise any organisation and make them believe that good information security practices are impossible. However, there is a solution – but it requires a different way of thinking. Organisations must stop looking at each individual threat as it arises and instead build defences that are equipped to handle whatever cyber criminals throw at you. Doing that is simpler than it sounds. That’s because, as much as cyber criminals’ tactics evolve, they tend

The post 5 ways to improve your information security in 2021 appeared first on IT Governance UK Blog.

If your marketing agency is under the impression that cyber security is strictly an IT issue, you should think again. Effective security is a company-wide commitment, and marketers play one of the most crucial roles. Consider how much personal data you collect; if that information is lost or stolen, it will severely damage your customer relationships. In fact, a Ping Identity survey found that 78% of people would stop using an organisation’s online services if it had experienced a breach. So, what should marketing agencies do to reduce the risk of cyber attacks and protect their reputation? Here are our

The post A guide to cyber security for marketing agencies appeared first on IT Governance UK Blog.

In 2020, we recorded 1,120 breaches and cyber attacks that were reported on in mainstream media, which accounted for 20,120,074,547 leaked records. Compiling this information enables us to see how security incidents occur and the trends to look out for. Did you know, for example, that the number of disclosed incidents shot up in the second half of the year, showing the impact that COVID-19 has had on organisations? Or that there was a 50% increase in breached records compared to 2019? In this blog, we take a closer look at this data. You can also find a summary in

The post 2020 cyber security statistics appeared first on IT Governance UK Blog.

Denial-of-service (DoS) attacks are intended to shut down or severely disrupt an organisation’s systems. Unlike most cyber attacks, the goal isn’t to steal sensitive information but to frustrate the victim by knocking their website offline. The criminal hacker therefore doesn’t profit from the attack, but the loss of service can cost the victim up to £35,000. Why would an attacker be interested in doing this? Typically, it’s because they hold a grudge against the target – many DoS attacks are politically motivated – although some attacks are used to distract the victim as the attacker launches a more sophisticated attack

The post What is a DoS (denial-of-service) attack? appeared first on IT Governance UK Blog.

We’re not going to lie: implementing an ISO 27001-compliant ISMS (information security management system) can be a challenge. But as the saying goes, nothing worth having comes easy, and ISO 27001 is definitely worth having. If you’re just getting started with ISO 27001, we’ve compiled this nine-step implementation checklist to help you along the way.

Step 1: Assemble an implementation team

Your first task is to appoint a project leader to oversee the implementation of the ISMS. They should have a well-rounded knowledge of information security as well as the authority to lead a team and give orders to

The post ISO 27001 checklist: a step-by-step guide to implementation appeared first on IT Governance UK Blog.

Cyber security risk assessments are essential for organisations to protect themselves from malicious attacks and data breaches. After all, it’s only once you’re aware of the ways you’re vulnerable that you can put appropriate defences in place. But what exactly does a risk assessment do? Essentially, it helps you answer these three questions:

- Under what scenarios is your organisation under threat?
- How damaging would each of these scenarios be?
- How likely is it that these scenarios will occur?

To complete a risk assessment, you must give each scenario that you identify a ‘risk score’ based on its potential damage and
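The three questions above map directly onto a simple risk register: each scenario gets a likelihood rating and an impact rating, the two are combined into a score, and scenarios are ranked so the highest-scoring ones are treated first. The following is an added example of that scoring, written for this page; it is not code from the post or from IT Governance. The 5x5 scales, the multiplicative score, the "high/medium/low" thresholds and the sample scenarios are all assumptions chosen for illustration, so substitute your own scales and risk appetite.

```python
from dataclasses import dataclass

# Assumed 5-point qualitative scales (many organisations use 3- or 4-point ones).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed thresholds on the 1..25 score; tune these to your risk appetite.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass(frozen=True)
class Scenario:
    """One answer to 'under what scenario is the organisation under threat?'"""
    name: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT


def risk_score(scenario: Scenario) -> int:
    """Score = likelihood x impact on the 5x5 matrix, giving a value from 1 to 25."""
    return LIKELIHOOD[scenario.likelihood] * IMPACT[scenario.impact]


def risk_level(score: int) -> str:
    """Map a numeric score onto the qualitative bands used in the register."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def rank_scenarios(scenarios, appetite: int = MEDIUM_THRESHOLD):
    """Return (name, score, level, needs_treatment) tuples, highest risk first.

    A scenario needs treatment when its score reaches the organisation's risk
    appetite; anything below it can be accepted and simply monitored.
    """
    rows = []
    for s in scenarios:
        score = risk_score(s)
        rows.append((s.name, score, risk_level(score), score >= appetite))
    # Sort by score descending, then by name so ties are deterministic.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample scenarios for illustration only.
SAMPLE_SCENARIOS = [
    Scenario("Phishing e-mail leads to credential theft", "likely", "major"),
    Scenario("Unpatched VPN appliance exploited", "possible", "severe"),
    Scenario("Encrypted laptop lost on train", "possible", "minor"),
    Scenario("DDoS takes marketing site offline", "unlikely", "moderate"),
    Scenario("Visitor tailgates into server room", "rare", "major"),
]

if __name__ == "__main__":
    for name, score, level, treat in rank_scenarios(SAMPLE_SCENARIOS):
        action = "TREAT" if treat else "accept"
        print(f"{score:>2} {level:<6} {action:<6} {name}")
```

Running the block prints the register ordered from highest to lowest score, with the phishing and unpatched-VPN scenarios flagged for treatment and the lost encrypted laptop, the DDoS and the tailgating scenario falling below the assumed appetite. The point of the ordering is the same as the post's: it tells you where to spend defensive effort first.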

The post A brief guide to cyber security risk assessments appeared first on IT Governance UK Blog.

If there’s one certainty about cyber crime, it’s that criminals are always looking to acquire sensitive data. Whether you’re a small e-tailer with a handful of employees or a multinational, you must take steps to protect the valuable information you collect. In that regard, e-commerce is no different to a physical store that has CCTV cameras to monitor theft and security guards to catch shoplifters. But what is the cyber security equivalent, and what are the threats you need to look out for? We explain everything you need to know in this blog. What are the threats to e-commerce businesses?

The post A guide to cyber security for e-commerce businesses appeared first on IT Governance UK Blog.

No matter what size your organisation is, it will suffer a cyber attack sooner or later. There are simply too many malicious actors and too many vulnerabilities for you to identify. Unfortunately, SMEs often fall into the trap of believing that they are too small to be on cyber criminals’ radars. Why would they even think to target you? But criminal hackers target vulnerabilities rather than specific organisations. They look for weaknesses – whether it’s a flaw in a piece of software or an unprotected database containing sensitive information – and leverage it in whatever way they can. That’s why

The post Cyber security statistics for small organisations appeared first on IT Governance UK Blog.

Information security policies are essential for tackling organisations’ biggest weakness: their employees. Everything an organisation does to stay secure, from implementing technological defences to physical barriers, is reliant on people using them properly. It only takes one employee opening a phishing email or letting a crook into the premises for you to suffer a data breach. Information security policies are designed to mitigate that risk by helping staff understand their data protection obligations in various scenarios. Organisations can have as many policies as they like, covering anything that’s relevant to their business processes. But to help you get started, here are five policies

The post 5 information security policies your organisation must have appeared first on IT Governance UK Blog.
