Most organisations’ cyber security defences aren’t good enough. How could they be? Even with unlimited money and staff, it is practically impossible to address the constantly emerging and evolving threats. There are unpatched systems, potential malware infections, the threat of large-scale attacks and any number of vulnerabilities that employees bring with them, from weak passwords to susceptibility to phishing emails.
Human error is the wildcard in cyber security and, because it’s not something that IT departments can mitigate, is often overlooked. Too many organisations focus only on preventing cyber criminals from exploiting technology and ignore the mistakes that people can make – with or without technology.
Cyber security is everybody’s responsibility
Almost everybody uses technology in their job in some way, whether they sit behind a desk for most of the day or are always on their feet. Many employers put sensitive information on an online portal, which requires individual, password-protected accounts. Anyone who chooses a weak password makes it easy for cyber criminals (or, in many cases, password-cracking machines) to break into the organisation’s systems and look for useful information, such as sensitive company files, internal communications and employees’ personal data.
Cyber criminals have two main reasons for stealing this data. They can either sell it to other criminals or use it to conduct their own scams. A typical scam is spear phishing, in which the criminal masquerades as a legitimate contact and emails employees to trick them into sharing sensitive information or downloading malware.
The problem with phishing emails is that they can only be partly managed through technological defences. Organisations will no doubt have spam filters to catch phishing emails, but as many as a quarter of them still make it to employees’ inboxes. This means that the only thing preventing the organisation from being breached is its employees’ ability to spot a fraudulent email. Anyone can be a target, so everybody needs to be educated about the risk.
Phishing staff awareness training courses can be a big help, but organisations also need to look at the big picture. Phishing isn’t the only threat that employees need to be educated on. Employees are just as susceptible to accidentally breaching data. They might lose files or portable devices, email information to the wrong person or leave records online without password protection.
Addressing these problems
Organisations can drastically improve their cyber security posture by implementing an information security management system (ISMS).
An ISMS is a systematic approach, consisting of policies, procedures and controls, that manages threats to your data, such as cyber attacks, hacks, data leaks or theft. It can be applied to the whole organisation or to part of it.
ISO 27001 describes best practices for an ISMS. Certifying to the Standard ensures that your organisation’s security measures are as cost-effective as possible.
Implementing an ISMS can be hard work, and will involve your whole organisation. The project can take anywhere from three months to a year and, however you proceed, you need to factor in your organisation’s size, the threats it may face and the measures it already has in place.
Our ISO27001 Certified ISMS Lead Implementer course teaches you everything you need to know to put in place an effective ISMS. Real-world practitioners will show you how to tackle an ISMS project from start to finish, including:
- How to determine the scope of your ISMS based on the requirements of ISO 27001;
- Developing a management framework;
- How to allocate roles and responsibilities;
- How to carry out an information security risk assessment;
- Writing policies and producing other critical documentation;
- How to manage and drive continual improvement under ISO 27001; and
- How to prepare for your ISO 27001 certification audit.
The course will be running in Dublin and Cork on various dates throughout 2018.