According to a national survey conducted by the Irish Computer Society (ICS) last year, two in five Irish companies consider external hacking a top IT threat, and one-third of Irish firms claim to have faced a data breach incident in the last 12 months. Security incidents and data breaches have major and long-term consequences for both companies and individuals. The information security landscape is never static and changes constantly, so it is generally only a matter of time until a company comes face to face with a threat to its information systems.
Information is the most crucial asset a company has, regardless of its industry, so its security and protection are the backbone of the company's smooth operation and continued existence. To succeed in the long term, a business needs to safeguard all the information that contributes to meeting the organisation's goals. Managing information systems well is therefore paramount if a business is to be prepared for a data breach incident. This is done by adopting proactive measures that minimise the probability of a breach occurring and/or reduce the impact a breach can have on the business's performance.
Security breaches occur regularly for a variety of reasons, which can ultimately be grouped into three categories. Ponemon Research conducted the IBM 2015 Cost of Security Breach Survey and concluded that 49% of breaches are due to criminal or malicious activity, 23% are caused by system glitches and the remaining 28% are attributed to human error.
- Criminal and/or Intentional: These targeted, well-planned attacks can have lasting negative consequences for an organisation's performance and reputation.
- Glitches: Your system or network was working properly yesterday when you turned it off, but it would not start this morning, or it exhibits some illogical problem. System glitches are problems with no obvious logical explanation, and the IT department should examine and scrutinise them carefully.
- Human Error: In some cases, employees' lack of knowledge of, or negligence towards, the security measures in place can also result in an information security threat.
The Data Protection Acts 1988 and 2003 place a responsibility on data managers and controllers to establish suitable security measures, for example set procedures and rules that apply to gathering, using, moving or disclosing any information about entities, personnel, clients or residents. An international standard that has this very principle as its basis, and is used globally to manage information security, is ISO 27001 (and its related standards). ISO 27001 was written by the world's top specialists in this domain and published by the International Organization for Standardization (ISO) in 2005. The standard describes how to manage information security in a company efficiently; its latest revision was published in 2013. It provides a methodology for applying a suitable information security management system in any kind of organisation, regardless of size, ownership (private/public) or objective (profit/non-profit).
Data protection with ISO 27001 is progressively gaining worldwide recognition as a way of managing potential information security threats by integrating a strong Information Security Management System (ISMS) into the framework of an organisation. An ISMS is a systematic approach to ensuring that sensitive information within a company remains protected. The purpose of the standard is to provide a set of requirements for establishing, operating, monitoring, reviewing, maintaining and continually improving your ISMS. ISO 27001 protects a company's brand image and reputation by managing information security risks effectively and safeguarding employee and client information.
Certification to ISO 27001 is a useful means of demonstrating compliance with the Data Protection Acts. It assures your clients and other stakeholders that confidential information within the organisation is managed safely and is secure from possible threats. Organisations can also gain many benefits beyond mere compliance by achieving this certification. Some of these advantages are:
- It gives clients, customers and stakeholders confidence in your company's risk management system, resulting in greater customer satisfaction and retention. Certification to this standard also builds an overall culture of security.
- Secure exchange of information minimises risk exposure, thereby protecting the company's assets and shareholders, and increases consistency in the delivery of products and services. Exchange of information must always be secure. Compliance with ISO 27001 allows you to meet your legal obligations and other regulations related to information security, and the standard provides a methodology for identifying and complying with such rules and laws.
- You gain a marketing advantage and a competitive edge over competitors who are not certified to this standard. Most customers are sensitive about keeping their information secure, and certification to ISO 27001 can attract such customers and clients.
- In the event of a security incident, large or small, it will cost your company money and time to recover. Implementing ISO 27001 can prevent such security incidents from happening, saving you time and money. The investment in ISO 27001 is far smaller than the costs you would otherwise incur.
Data Breach Examples
The survey carried out by the ICS showed that 61% of organisations in Ireland (almost two thirds) have dealt with at least one data breach in the last year. Another recent study, conducted by the Ponemon Institute in the United States, found that of the 583 companies that participated, 90% had been attacked within the last year. For example:
- Target (2013) & Yahoo (2014): Target (USA) suffered an attack on its point-of-sale systems in 2013, exposing the credit and debit card details of 40 million customers. In 2014, Yahoo suffered an allegedly 'state sponsored' attack on its network.
- Anthem (2015): A malware attack, configured to communicate with a malicious command-and-control infrastructure, exposed 80 million patient and employee records, including social security numbers, home addresses, income data and more.
- Ashley Madison (2016): Its Canadian parent company, Ruby, agreed to pay a $1.6 million penalty for failing to protect confidential user information after a data breach that exposed the details of 36 million users.
- PeoplePoint (2017): PeoplePoint runs the payroll service for more than 30,000 civil service workers. It reported that information on thousands of workers in Ireland was sent to an HR official without authorisation or consent.
Cybercrime continues to be the biggest concern for organisations, particularly understanding the varied and unpredictable methods used by hackers. Organisations have become more aware of the threat and are undertaking several preventive measures alongside ISO 27001 certification, such as access authentication and control, installing anti-virus software, building firewalls, encrypting information and developing integrated back-up systems. Certification and compliance to ISO 27001 develops a holistic ISMS in an organisation, demonstrating information security and minimising business risks. At Pegasus, we provide practical advice and assistance to enable you to protect your information from a wide range of threats. We work with your organisation to develop all the documentation you need, and we implement a competent ISMS that meets international standards, guiding you through the entire process. ISO 27001 sets out specific requirements and has the potential to protect information technology worldwide over the decades to follow.