Author Archives: Luke Irwin

What is the ISO 27000 series of standards?

The ISO/IEC 27000 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security.

Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement information security best practices.

It does this by setting out ISMS (information security management system) requirements.

An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology.

The series consists of 46 individual standards, including ISO 27000, which provides an introduction to the family as well as clarifying key terms and definitions.

You don’t need a comprehensive understanding of ISO standards to see how the series works, and some won’t be relevant to your organisation, but there are a few core ones that you should be familiar with.

ISO 27001

This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS.

This is important to remember, as ISO/IEC 27001:2013 is the only standard in the series that organisations can be audited and certified against.

That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards.

ISO 27002

This is a supplementary standard that provides an overview of information security controls that organisations might choose to implement.

Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment.

The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it.

ISO 27017 and ISO 27018

These supplementary ISO standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud.

This has become especially important recently as organisations migrate much of their sensitive information on to online servers.

ISO 27017 is a code of practice for information security, providing extra information about how to apply the Annex A controls to information stored in the Cloud.

Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud.

ISO 27018 works in essentially the same way but with extra consideration for personal data.

ISO 27701

This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system).

It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that.

ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.

Why use an ISO 27000-series standard?

Data breaches are one of the biggest information security risks that organisations face. Sensitive data is used across all areas of businesses these days, increasing its value for legitimate and illegitimate use.

Countless incidents occur every month, whether it’s cyber criminals hacking into a database or employees losing or misappropriating information. Wherever the data goes, the financial and reputational damage caused by a breach can be devastating.

That’s why organisations are increasingly investing heavily in their defences, using ISO 27001 as a guideline for effective security.

ISO 27001 can be applied to organisations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business.

You can find out how to get started with the Standard by reading Information Security & ISO 27001: An introduction.

This free green paper explains:

  • What ISO 27001 is, how an ISMS works and how it relates to ISO 9001, ISO 27002 and other standards;
  • The importance of risk assessments and risk treatment plans;
  • How the Standard helps you meet your legal and regulatory obligations; and
  • Your audit and certification requirements.


A version of this blog was originally published on 10 October 2019.

The post What is the ISO 27000 series of standards? appeared first on IT Governance UK Blog.

Cyber insurance: A guide for businesses

Cyber threats are so numerous that it’s impossible to prevent security incidents altogether.

That’s why organisations are increasingly relying on cyber insurance policies to cover the costs when data breaches and cyber attacks occur.

But just how helpful is cyber insurance? We take a look at everything you need to know in this blog.

What is cyber insurance?

Cyber insurance is a specific type of protection, helping organisations mitigate the financial costs associated with information security incidents.

These costs typically won’t be included in standard business insurance policies, which tend to cover only the damage or loss of equipment itself, rather than harm caused by a cyber security event.

How does cyber insurance work?

When a covered organisation suffers a security incident and submits a claim, the insurer will investigate and then pay out accordingly.

Security incidents cause many issues that can’t be fixed with financial reimbursement, such as the time and effort it takes to recover or the reputational damage you could face.

Likewise, the cost of a data breach is related to the speed at which organisations can detect and respond to an incident. Indeed, Ponemon Institute’s Cost of a Data Breach Report 2020 found that organisations that can address a breach within 200 days save about £750,000 compared to those that take longer to respond.

If organisations have to wait for their insurer to review the incident, the costs will escalate and their premium will increase.

You must therefore view cyber insurance as a complement to your cyber security defences and an extra resource to mitigate costs rather than an alternative.

What does a cyber insurance policy cover?

Cyber insurance covers the financial costs of incidents that affect the confidentiality, integrity and availability of information. This includes cyber attacks and data breaches, as well as other events that impact IT systems and networks.

Policies generally provide organisations with the means to manage the incident. This includes forensic investigation, incident response, legal assistance and public relations support.

What is not covered by cyber insurance?

Cyber insurance policies generally don’t cover damages that were caused or exacerbated by the organisation itself.

This might include business email compromise fraud or acts of gross negligence.

Likewise, some insurers won’t reimburse organisations that pay up after a ransomware attack, given that experts advise organisations not to pay because payment helps fuel the cyber crime industry and could make the organisation a soft target for future attacks.

Who needs cyber insurance?

Any organisation that relies on information technology or processes sensitive data is vulnerable to cyber attacks and data breaches, and should therefore consider cyber insurance.

You can find out whether cyber insurance is the right strategy by following ISO 27001’s risk assessment methodology, which helps organisations decide the most appropriate way to address cyber security issues.

Organisations can:

  • Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or the damage it will cause.
  • Retain the risk by accepting that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
  • Avoid the risk by changing the circumstances that are causing it.
  • Share the risk with a partner, such as a cyber insurance firm or a third party that is better equipped to manage the risk.

How much does cyber insurance cost?

An AdvisorSmith study found that the average cost of cyber insurance was $1,500 (about £1,160) per year for $1 million (£770,000) in coverage.

However, the costs will vary greatly depending on the organisation’s size, industry, the amount of sensitive data it processes and the strength of its existing cyber security measures.

Some insurers may also offer different levels of protection. For example, you could pay less each month but be covered against a smaller set of damages – or vice versa.

Is my existing cyber security enough?

Organisations are free to decide whether they should purchase cyber insurance.

In most cases, there is no legal or contractual requirement to have cyber insurance, so the organisation might decide that its budget is better spent on cyber defences and business continuity management.

However, there may well be times where it makes financial sense to invest in cyber insurance, for example when the costs of a breach far exceed the amount you would be paying in coverage.

Also, it’s worth remembering that almost all insurance brokers state that the organisation must take appropriate steps to prevent security incidents.

Make sure you have the right defences in place with our Cyber Security as a Service.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through a variety of security practices – including vulnerability scans, staff training and the creation of policies and procedures – ensuring that you have the foundations of an effective security strategy.

These measures will help you stay one step ahead of cyber criminals, preventing a wide array of threats and putting you in a position to claim competitive cyber insurance rates.


3 reasons cyber security training is essential

Organisations are always looking for ways to improve their security practices, and one of the most effective ways to achieve this is by enrolling employees on cyber security training courses.

A recent Lucy Security study found that 96% of respondents agreed that a greater level of awareness over cyber security threats contributed to overall improvements in their defences.

Despite that, comparatively few provided adequate training to help staff mitigate the risks of data breaches and cyber attacks.

For example, only 81% of respondents said they conduct phishing simulations, and only 51% say their organisation has a mechanism to report suspicious emails.

With October being European Cyber Security Awareness Month, there has never been a better time to boost your organisation’s knowledge of effective information security practices.

Here are three reasons to consider it.

1. You’ll reduce the risk of data breaches

Almost all data breaches are caused by a mistake somewhere in the organisation. So if you want to keep your organisation secure, your employees need to know what they’re doing.

That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.

Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.

This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.

2. You’ll meet compliance requirements

Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.

For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.

The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.

It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.

They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.

The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.

3. You’ll foster career growth

Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles.

This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.

Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits.

As such, organisations might not be able to afford qualified professionals even if they can find them.

They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.

Which course is right for you?

Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:

Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.

ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.

Our Foundation-level course covers the essentials of the Standard, but we also offer advanced courses for those that want to lead an implementation project or audit.

Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).

The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.

Regular staff should familiarise themselves with the Regulation via our Foundation-level course, senior staff would benefit from our Practitioner course and those looking to fulfil the DPO role should enrol on our Certified DPO training course.

A version of this blog was originally published on 31 October 2018.


Your cyber security risk mitigation checklist

Are you trying to figure out the best way to protect your organisation from cyber attacks and data breaches?

It can be tricky to know where to begin, which is why our Cyber Security Risk Scorecard contains a simple guide to help you secure your systems.

We run through some of the essential steps in this blog, or you can download the full, free checklist from our website.

Install firewalls

Firewalls are one of many types of software that organisations should implement to protect their systems.

They are designed to create a buffer between your IT systems and external networks by monitoring network traffic and blocking anything that could damage your computers, systems and networks.

This will help prevent cyber criminals from breaking into your networks and block outgoing traffic that originates from a virus.

Install antivirus software

Antivirus software is another essential technological defence – and contrary to what the name implies, it isn’t just designed to root out viruses.

Modern antivirus generally includes protection against a range of threats, including malware, ransomware, keyloggers, Trojan horses, worms, adware and spyware.

The software works by scanning your computer or network, looking for files that match its built-in database of known malicious programs. The more advanced the software is, the larger that database will be and the more likely it is that it will detect a problem.

Our Cyber Security Scorecard provides a checklist of essential security controls.

Patch management

When software providers fix a vulnerability in their applications, its users are required to download the update (or ‘patch’).

Organisations tend to use many software providers, each of which releases regular patches – Microsoft, for example, fixes vulnerabilities so often that the term ‘Patch Tuesday’ was coined.

As such, it makes sense to create a patch management plan to help you keep track of updates you’ve applied and to make sure each one has been installed successfully.

Conduct a cyber security risk assessment

A cyber security risk assessment helps organisations evaluate their weaknesses and gain insights into the best way to address them.

ISO 27001, the international standard that sets out the specification for an ISMS (information security management system), is built around risk assessments and contains step-by-step guidance on how to complete the process.

You don’t need to certify to ISO 27001 to follow its advice – or even follow the rest of the Standard’s guidance – although doing so clearly has many benefits.

Create an information security policy

Information security policies are the result of a risk assessment. They describe the vulnerabilities that have been identified and the measures that the organisation has adopted to address them.

The document should contain a thorough outline of each risk, the relevant control(s) and the organisation’s continual improvement strategy, including when and how they will review the effectiveness of the control.

Encrypt sensitive data

In an information security context, encryption is a way of ‘scrambling’ sensitive data, ensuring that it can only be accessed by authorised personnel with a decryption key.

By encrypting data, you guarantee that even if criminal hackers break into your systems, they are unable to view your files. This helps mitigate the risk of data breaches and could prevent a GDPR (General Data Protection Regulation) violation.

Create a remote working policy

The COVID-19 pandemic has reshaped the way organisations work, with the majority planning to permanently switch to remote working – whether that’s on a full-time basis or giving employees the opportunity to come into the office a few days a week.

As you will no doubt know, remote working comes with unique information security challenges, which you’ll need to address in a dedicated policy.

This will include guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.

Organisations should also explain the technical solutions that they’ve implemented to protect sensitive data and how employees can comply with them. For example, we recommend applying two-factor authentication to any third-party service that you use.

Conduct vulnerability scans

Many cyber attacks are automated, with criminals searching for and exploiting known vulnerabilities.

Organisations can prevent these attacks by conducting their own scans to identify weaknesses before crooks exploit them.

But that’s not the only benefit of vulnerability scanning. The process will also help you determine the overall effectiveness of your security measures and save you time and money in the long run.

Conduct penetration tests

Penetration tests are a controlled form of hacking in which a cyber security professional, working on behalf of an organisation, attempts to find exploits in the same way that a criminal would.

These tests are more rigorous than automated scans, as they enable the actor to leverage weaknesses and gain a true insight into the way a criminal might access your sensitive information.

Penetration testers may, for example, exploit system misconfigurations or send staff phishing emails to gather login credentials.

With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.

Create a business continuity plan

A business continuity plan outlines the steps an organisation must take to ensure its critical processes continue operating in the event of a major disruption.

This information is put into a document, which is regularly tested, developed and improved upon to make sure the organisation has recovery strategies in place for a range of threats.

Download our free checklist

You can learn more about the steps you should take to prevent and respond to cyber security incidents by downloading our Cyber Security Risk Scorecard.

This free document contains twenty questions you should ask yourself to determine whether you have the necessary defences in place.

It’s designed to give a broad indication of your organisation’s overall readiness, helping you understand what your next steps should be and how urgently you need to address cyber security.



Will hospitals wake up to the threat of cyber crime after patient dies during a ransomware attack?

A patient at Dusseldorf University Hospital died during a ransomware infection in what is reportedly the first death directly linked to a cyber attack.

The hospital was unable to accept emergency patients because of the attack, so the woman – who needed urgent treatment for a life-threatening illness – was sent to another hospital 20 miles away, the Associated Press reported.

German prosecutors have since opened a homicide investigation into the incident, while the country’s cyber security agency, the Federal Office for Information Security, was recruited to get the hospital fully operational again.

Bad luck or a ticking timebomb?

An already tragic story was made more so with a report from the German news outlet RTL, which claimed that the cyber attack wasn’t intended for the hospital.

The ransom note was addressed to a nearby university, which suggests that the attackers weren’t aware that they had infected one of the largest hospitals in western Germany.

The criminals stopped their attack when they learned that it had shut down the hospital, but by then the damage had been done.

Although it might be easy to chalk this up as unfortunate, you could just as easily say that it was only a matter of time until something like this happened.

Arne Schönbohm, president of the Federal Office for Information Security, confirmed that the attack exploited a vulnerability in a Citrix VPN system, which the hospital had been aware of since December 2019.

“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” said Schönbohm. “This incident shows once again how seriously this danger must be taken.”

Same old story

The healthcare sector has been a lucrative target for cyber criminals for years, due to its apparent unwillingness to commit to better defences and, in particular, its widespread use of legacy systems.

The UK saw the damage that can occur when relying on legacy systems with the WannaCry attack in 2017.

Most NHS facilities were still using Windows XP, which Microsoft had stopped supporting in 2014 – and it was a vulnerability with that system that exposed 80 NHS trusts and led to £92 million in damages.

Plenty of think pieces were written at the time about how hospitals needed to do a better job of preventing attacks, because future attacks might result in deaths.

Yet, as of last year, more than 2,300 NHS PCs were still running on Windows XP, despite the government signing a £150 million deal with Microsoft to update its devices to Windows 10.

Given the spate of attacks on hospitals during the coronavirus pandemic – both in the UK and the rest of the world – you would have thought it was only a matter of time before we were no longer talking about just the financial and logistical issues caused by cyber attacks, but the human cost.

Hopefully this incident will be a wake-up call for hospitals, which desperately need to prioritise security strategies and realise that cyber attacks can be just as damaging as physical assaults.



Small business cyber security: the ultimate guide

If you’re an SME, cyber security might seem impossibly complex and filled with endless pitfalls.

Although it’s true that there’s a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data – the path to effective security needn’t be difficult.

In this blog, we explain everything that small business owners need to know about protecting their organisations and reducing the risk of security breaches.

Why cyber security presents unique risks for SMEs

The difficulties that small businesses face when addressing cyber risks can be separated into financial costs and their ability to gain expert advice.

When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.

Second, there are the costs that organisations incur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue clearly affects the other.

SMEs that are reluctant to invest in cyber security practices are not only more likely to fall victim but will experience exponentially larger costs as a result – and in many cases, the damage will be insurmountable.

You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.

That brings us on to the second difficulty that you face: gaining expert advice. The demand for cyber security professionals far outweighs supply, with one report claiming that there will be 3.5 million unfilled jobs in the industry by 2021.

Those with the necessary skills can therefore command a much larger salary, meaning small organisations are being priced out of the market.

SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.

Those in an IT background are particularly suited to this career switch, because – although technology only encompasses one aspect of information security – there is a large overlap.

Why SMEs can’t ignore cyber security

Let’s now take a closer look at the repercussions that small organisations face if they don’t properly address cyber security.

  • Business disruption

The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.

In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of production.

  • Remedial costs and regulatory fines

Getting up and running again is only your first obstacle. If the incident was serious enough, you will need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).

Notifying customers alone can be an expensive and time-consuming endeavour.

You may have to set up helpdesks so that those affected can get in contact to learn more, or even offer them complementary credit checks to reassure them that the breach has no personal financial implications for them.

In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation, in which case you are liable to receive a financial penalty and face legal action.

  • Reputational damage

Finally, the incident might result in long-term reputational damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.

According to Cisco’s CISO Benchmark Report 2020, a third of organisations said they experienced reputational damage as a result of a data breach.

Want to know more about keeping your organisation safe?

Download our free guide: Cyber Security 101 – A guide for SMEs.

Top threats to SMEs

According to Verizon’s 2020 Data Breach Investigations Report, 28% of data breaches involved SMEs. But what makes them so vulnerable?

Their biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.

This includes things such as reusing their password on multiple accounts, falling for a phishing scam or failing to properly dispose of sensitive information when it’s no longer needed.

On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.

One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have access controls installed, which would limit the amount of information that an employee could view.

Without it, any member of staff who wanted to steal sensitive information (perhaps with the intention of selling it on the dark web) could do so, and the organisation would be unable to tell who was responsible.

Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers lock users out of their systems and demand money for a decryption code.

The most effective way to mitigate the risk of ransomware is to regularly back up your files to an external server. That way, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information using the backups.

This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations – but it will be much less expensive and disruptive, and is a far more prudent approach than paying a criminal and hoping that they keep their word.

Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.

What can you do to protect your small business from cyber threats?

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.

The post Small business cyber security: the ultimate guide appeared first on IT Governance UK Blog.

How small organisations can fast-track ISO 27001 implementation

Small businesses are increasingly understanding the importance of ISO 27001, the international information security standard, but many struggle to find the resources to commit to an implementation project.

If you’re among those, our ISO 27001 Online FastTrack™ Consultancy – Micro Organisations is the ideal solution.

Our team of experts will have you ready for accredited certification in just three months and for a one-off fee.

You will be assigned a qualified consultant who will work with you and perform all the key activities involved in setting up an ISMS (information security management system) that’s in line with ISO 27001’s requirements and that reflects your business objectives.

We do this by following our proven nine-step approach for implementing an ISMS.

Our ISO 27001 implementation method

  1. Project mandate

Collate information for your information security policy to define the scope of the ISMS and facilitate management approval of essential documents.

  2. Project initiation

Develop the project’s goals, and ensure that both the project and ISMS deliver their objectives.

  3. ISMS initiation

Establish the requirements of each ISMS process and the tasks required to develop and implement them.

  4. Management framework

Ensure the ISO 27001 requirements relating to organisational context, scope and leadership are fully addressed, and align the ISMS to your organisation and business objectives.

  5. Baseline security criteria

Ensure that security controls meet your business requirements.

  6. Risk management

Develop a robust information security risk management process, identify appropriate information security risk treatments and controls, and produce the risk treatment plan and Statement of Applicability.

  7. Implementation

Address the remaining ISMS processes and controls, including documentation and training.

  8. Measure, monitor and review

Establish processes for measuring and monitoring the effectiveness of the ISMS, including an internal ISMS audit and management review.

  9. Certification audit

We will help you select an independent, accredited certification body appropriate to your organisation.

We will also assess the findings of the initial certification audit, and set out the tasks and activities required to maintain the ISMS and accredited certification.

Fast-track your ISO 27001 implementation project

ISO 27001 Online FastTrack™ Consultancy – Micro Organisations helps you reduce the time and effort it takes to implement an ISMS and eliminates the cost of extensive consultancy work.

Plus, we guarantee that you will achieve certification-readiness within the agreed project timeline, and will cover any extra direct remedial costs necessary to ensure that you pass your final certification audit.

Find out more


Cambridgeshire crowned the UK’s cyber crime capital

Cambridgeshire has the unwanted distinction of being the UK’s fastest-growing hotspot for cyber crime, after the number of attacks in the county increased by 49% over a three-year period.

Figures from the ONS (Office for National Statistics) show that security incidents in Cambridgeshire increased from 2,789 in 2016 to 4,155 in 2018.

Although the total number of attacks trails the Thames Valley – which saw 11,232 attacks per year on average – Cambridgeshire had the fastest rate of increase and largest total per capita.

In 2018, Cambridgeshire saw 63.7 cyber attacks per 10,000 people, compared to 48 per 10,000 in the Thames Valley.

The regions with the next highest rates were Leicestershire (59.2 attacks per 10,000 people) and Nottinghamshire (56.4).

What is happening in Cambridgeshire?

At first glance, these figures – which were collated by the Internet service provider Fasthosts – suggest that Cambridgeshire is some sort of Wild West for cyber crime.

Attacks in the region have skyrocketed in recent years, with only North Wales (+47%) seeing a comparable increase.

One explanation is that the timeframe of this analysis coincides with major economic growth in the region.

In 2017, Cambridge became the fastest-growing city in the UK, with businesses attracted to its proximity to London and the North, as well as its highly educated workforce.

The city trails only Edinburgh in terms of residents who are educated to undergraduate degree-level, making it an ideal spot for organisations in technical industries, such as biotech, digital innovation and medicine.

And, of course, Cambridge is home to one of the world’s most prestigious universities, with its various colleges employing almost 8,000 academic and more than 3,500 administrative staff.

Unfortunately, these sectors are especially prone to cyber attacks due to the sensitive information that they keep.

For example, the pharmaceutical giant AstraZeneca, which is based in Cambridge, was last year imitated in a sophisticated phishing scam targeting job seekers.

Meanwhile, universities have long been considered a cyber security liability, due to budgetary constraints and their necessarily wide networks.

In 2019, Jisc – the agency that provides Internet services to UK universities and research centres – put 50 universities’ cyber security practices to the test, and found that its team of ethical hackers breached every one within two hours.

Protect your organisation

Cambridgeshire’s susceptibility to cyber attacks is particularly disheartening for us to hear at IT Governance, given that we’re based in the region.

We’ve helped local businesses with more than 1,000 projects, but there’s still clearly a long way to go when it comes to data protection.

One of the essential steps to cyber security is to educate your employees on the risks they face and the ways they can mitigate the risk.

Our Complete Staff Awareness E-learning Suite contains everything you need to stay secure, from organisations’ legal requirements to specific issues that employees face, such as phishing emails and social media scams.


Why has there been an increase in cyber risks for the education sector?

The coronavirus pandemic has arguably affected the education sector more than any other, with schools, colleges and universities around the globe having been forced to close their doors and deliver classes remotely.

Most of the discussion surrounding this has focused on the logistical problems of setting up e-learning platforms, parents balancing their workloads with home-schooling and students completing exams.

However, one of the most significant issues – particularly in the long term – is that the pandemic has also exposed massive cyber security failings in the education sector.

Indeed, the UK’s National Cyber Security Centre issued a security alert to the schools and universities sector this week, warning that cyber criminals are targeting the education sector as students return after the summer.

We reported 17 cyber attacks on schools and universities in August alone, with many of those attacks being ransomware.

Newcastle University, for example, became one of the most high-profile victims earlier this month, after it was targeted by the DoppelPaymer ransomware gang.

There have also been countless cases of ‘Zoombombing’ – in which uninvited guests enter meetings to harass participants and snoop into people’s homes.

In one instance, a ‘Zoombomber’ disrupted an online class to shout a profanity, and in another, the virtual classroom was interrupted by someone streaming pornography.

Although some of these attacks are a direct consequence of schools’ ad hoc response to the pandemic, it’s not as though the education sector was especially resilient before being forced into online learning.

According to a UK government survey, 80% of UK schools experienced a cyber attack in 2019, and things aren’t any better in the US, with a report finding that cyber attacks against schools tripled last year.

This is the result of schools increasingly relying on technology – whether it’s online learning platforms, teaching tools or day-to-day operations – while neglecting the security concerns that come with it.

What kind of threats do schools face?

A recent Kaspersky report outlines several cyber security threats associated with online learning:

  • Phishing

Kaspersky notes that several bogus sites replicating Google Classroom and Zoom began popping up at the start of the pandemic.

According to Check Point Research, from the end of April to mid-June, 2,449 domains related to Zoom were registered, 32 of which were malicious and 320 were suspicious.

Fraudsters have also taken aim at Microsoft Teams and Google Meet, as well as universities’ online portals.

  • DDoS (distributed denial-of-service) attacks

Between February and June 2020, there was a 350–500% increase in DDoS attacks on the education sector compared to the same timeframe last year.

These attacks, which flood a target with requests until its systems are overwhelmed and crash, are usually performed to disrupt an organisation – perhaps as an act of revenge, a political statement or simply for fun – or to distract organisations while the attackers perform a more sophisticated attack.

  • Adware and malware

The most common threats that the education sector faces are downloaders, adware and Trojan horses.

This threat is almost exclusively related to the widespread implementation of Zoom. The video conferencing app saw a surge in popularity at the start of lockdown, and cyber criminals responded by creating bogus application installers.

Students and teachers have repeatedly been fooled into installing a bogus version of Zoom, unleashing malicious software onto their systems.

Kaspersky reports that, of the 168,55 instances of bogus application installations that it detected between January and June, 99.5% were associated with fake Zoom apps.

How should schools respond?

Despite schools and universities worldwide reopening their doors to students, digital learning continues to be an essential part of the way they operate – and these systems must be more resilient to attacks.

But although many organisations in the education sector know that they should be doing more, they might not know where to begin. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.


The cost of a data breach in 2020

Organisations spend $3.86 million (about £2.9 million) on average recovering from security incidents, according to Ponemon Institute’s Cost of a Data Breach Report 2020.

That represents a slight decrease on 2019, which Ponemon’s researchers credit to organisations doing a better job of strengthening their cyber defences and incident response capabilities.

The report also notes that 52% of data breaches are caused by cyber attacks, and that malware is the costliest form of attack, with organisations spending $4.52 million (about £3.4 million) on average responding to such incidents.

What activities cost organisations money following a data breach?

The report outlines four activities that cost organisations money as they respond to data breaches:

  • Detection and escalation

These are activities that enable organisations to identify when a breach has occurred.

They cover processes such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.

  • Lost business

These are activities that attempt to minimise the loss of customers, business disruption and revenue losses.

They can include disruption caused by system downtime, the costs associated with customer churn and reputational loss.

  • Notification

These are activities related to the way organisations notify data subjects, regulators and third parties of the data breach.

For example, organisations will typically email or telephone those affected, assess whether the incident needs to be reported to their regulator (and contact them where relevant) and consult with outside experts.

  • Ex-post response

These are the costs associated with recompensing affected data subjects, and the legal ramifications of the incident.

They include credit monitoring services for victims, legal expenses, product discounts and regulatory fines.

Mitigating the cost of an attack

The report also highlighted the relationship between the cost of a data breach and the time it takes organisations to contain it. The researchers found that organisations take 280 days on average to detect and respond to an incident. However, those that can complete this process within 200 days save about $1 million (about £750,000).

The best way to do that, according to Ponemon Institute, is to implement automated tools to help detect breaches and suspicious behaviour.

Organisations that used artificial intelligence and analytics had the most success mitigating the costs of data breaches, spending $2.45 million (about £1.84 million) on their recovery process.

By contrast, organisations that didn’t implement such measures spent more than twice that, with an average cost of $6.03 million (about £4.5 million).

This is a lesson that organisations are gradually taking on board. The report found that the proportion of organisations that have implemented measures such as artificial intelligence platforms and automated tools has increased from 15% to 21% in the past two years.

Unfortunately, many organisations don’t know where to begin when implementing and testing defences. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.
