Archive for the ‘ISO 27001’ Category

Government Cyber Security Kite Mark vs ISO 27001

Monday, December 16th, 2013

Last Thursday (12th December) the British Government issued a statement on the progress against the objectives set out in the UK Cyber Security Strategy.

Unsurprisingly, making cyberspace safer for UK business remains a top priority. In order to achieve that the Government is said to have been working closely with industry to develop an agreed ‘Organisational Standard’, also referred to as a cyber security kitemark (see “The Telegraph”). Moreover, in order to reinforce this and give the standard a kick-start, the Government will be mandating its use in government procurement.

But is this not slightly confusing?

Firstly, kitemark schemes for services are intended for services where no UKAS-accredited certification scheme already exists. But there is already a UKAS-accredited scheme for ISO27001, so it seems overly costly to create a new certification scheme on top of, or in place of, an existing internationally recognised one. After all, the Government wants to enable companies to trade internationally, so it should be pursuing internationally recognised standards.

Secondly, the Government already requires ISO27001 certification across a broad range of services it obtains from the private sector. Therefore, it is incomprehensible that the Government should be discarding years of work it has done to establish ISO27001 in favour of something that doesn’t yet exist!

It is worth applauding that the Government is putting its shoulder to the wheel in terms of cyber security, but I just wish they were being more sensible about it!

CISSP or CISM: Which – or Both?

Friday, May 3rd, 2013

In today’s underskilled cyber security marketplace, people ask whether they should acquire a CISSP or CISM qualification. Each qualification has different strengths – so, which do you think information security professionals should pursue?

Where do you think CISMP fits into a career path?

Or should you pursue an ISO 27001 certification from IBITGQ?


Cyber skills the issue for SMBs

Thursday, May 2nd, 2013

New cybersecurity surveys continue to point at the two main challenges faced by most smaller businesses in terms of defending against cyber attack:

  1. They don’t know where they are vulnerable; and
  2. They don’t have the skills to close down the vulnerabilities anyway.

Two things to do: get an outside expert to come and do a cyber security risk assessment, and either engage them to help close down the identified vulnerabilities or get your own staff trained up. A CISSP should now be a basic qualification for anyone dealing with cyber security in a business of any size.

The cyber security frontline: your business

Monday, April 29th, 2013

Eugene Kaspersky – the founder of Kaspersky Lab, the world’s largest privately-held anti-malware vendor – made four important points in his cybersecurity seminar at Infosec 2013:

  1. “Every company is a victim of cyber attacks, whether they know it or not;”
  2. Even smaller businesses have a critical role to play in preventing cyber attackers from using them as stepping stones to bigger victims;
  3. Governments (and, by extension, critical national infrastructure organisations) have an essential duty to move their services to more secure environments where cyber attack is very difficult; and
  4. Everyone – governments in particular, as they control large budgets and regulatory powers – must contribute to the drive to increase the universe of cyber security skills.

From a ‘take action’ point of view, this translates into

  1. Carry out a cyber security risk assessment as soon as possible, and act on the findings; and
  2. Initiate a programme of cyber security skills training amongst your IT team.

In the dark world of cyber security, your inattention will bring you to the attention of cyber attackers.

Cyber security skills gap

Friday, April 26th, 2013

I talked, earlier this week, about the evident gap between the concern expressed (in the 2013 ISBS survey) by the majority of managers about cyber security and the fact that their organisations continue to be breached, and linked this to a lack of appropriate competences in their organisations.

I don’t think this is surprising – most organisations build their IT teams in order to deliver services to customers, and they don’t do this with cyber security at the forefront of their mind.

The world has now changed – cyber security needs to be a core part of every organisation’s IT delivery strategy. In terms of skills and competences, this means that every organisation will need to employ people whose qualifications include ISO27001 Lead Implementer, ISO27001 Lead Auditor, CISSP, CISA, CEH and CISM.

While a cyber security risk assessment is a sensible immediate first step for most organisations, the reality is that everyone is going to have to employ people with an appropriate skill set.


Cyber security – outside attacks

Thursday, April 25th, 2013

According to the recent ISBS 2013 Survey, 78% of large organisations were attacked by an unauthorised outsider last year (an increase from 73% the previous year), while 63% of small organisations were similarly attacked from outside – a big increase from 41% the previous year. Small businesses are now squarely in the cyber firing line, and are being attacked much more frequently than before.

External attackers take advantage of vulnerabilities in network connections to the Internet and in corporate websites. Basic security practice in today’s climate should include quarterly security scans and penetration tests of all Internet-facing resources and connectivity, with identified vulnerabilities patched as fast as possible.

As we move into an era of ‘negative day’ attacks, taking no action to identify and close vulnerabilities is no longer an even vaguely sensible option!


Cyber security – how much should I spend?

Wednesday, April 24th, 2013

Cyber security costs money – but then, so does cyber insecurity – and the problem with data breach costs is that they are usually accompanied by even more expensive business disruption and reputation damage – often when you need it least!

Increasingly, organisations ask: “How much should we spend on getting ourselves cyber-secure?”

Here are two guidelines:

  1. According to the recently published ISBS 2013 survey, the total cost of cyber insecurity to British business increased three-fold last year. Therefore, whatever you spent on cybersecurity last year, you should spend roughly three times as much this year.
  2. The cost of the worst breach, for smaller organisations, was between £35k and £65k – and, with the median number of breaches for small organisations having climbed to 17, the actual annual cost is likely to be in the order of £100k. So it makes good sense for a smaller organisation to spend up to £100k as an initial investment in order to reduce its growing annual losses to cyber risk. If you’re a larger organisation, for whom the worst breach costs in excess of £1 million, the necessary investment could easily be of that order.

Of course, how much you actually need to invest does depend on your actual cyber insecurity – and the way to work that out is to compare your current cyber security stance with that described in either the UK Government’s 10 Steps to Cyber Security or the NIST/CSIS 20 Security Controls. The appropriate framework depends on your organisational size. Yes, you will need to deploy competent and appropriately skilled people to do the assessment, and this is where services like professional cyber security risk assessments come in.

Cyber security risk assessment

Wednesday, April 24th, 2013

The 2013 Information Security Breaches Survey – published yesterday – makes it very clear that the vast majority of business managements and boards are all concerned about cyber security, but are signally failing to translate that concern into a set of effective cyber defences.

This is not surprising – organisations build their IT infrastructures (and their IT teams) to deliver against business objectives, such as satisfied, more profitable customers. Most IT teams do not also contain extensive cyber security skills and competences; even where they do, the challenge of keeping those skills current and knowledge up-to-date for the most recent attack vectors and security requirements is substantial.

That’s fine because, luckily, cyber security skills and competences are readily available from specialist cyber security companies – such as my company, IT Governance Ltd. More importantly, these skills are available in a highly focused format: the cyber security risk assessment: a three-day exercise that is designed to analyse and assess the gap between what an organisation actually does and established good practice (such as the UK Government’s 10 Steps to Cyber Security), and to provide a clearly articulated action plan that will lead the organisation quickly to a more secure position.

Cyber attacks on business soar!

Monday, April 22nd, 2013

In a (hastily withdrawn because published ahead of its official release date) news article describing the findings of the Information Security Breaches Survey 2013, the UK’s Department for Business, Innovation and Skills (BIS) will tomorrow (Tuesday 23 April) report that 87% of small firms in the UK experienced a security breach last year, and that 93% of large firms had also been targeted. Some of the incidents caused more than £1 million in damages. The median number of breaches suffered by large organisations rose from 71 to 113 and, for small firms, from 11 to 17.

UK firms are clearly not doing a good job of preparing for or responding to cyber attacks.

The UK’s Universities and Science Minister will apparently say tomorrow:

“Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.”

I agree. There are simple steps that can be taken to prevent the majority of incidents. Step 1 is to find the open windows in your network, and close them. This means that the first and most basic cyber security step is to identify cyber vulnerabilities in your Internet connections and websites – and then to patch them. This is relatively straightforward – an externally-commissioned vulnerability and penetration test (and there are easy-to-purchase, fixed price penetration testing packages available, as well as more customised services) will give you all the information that you need, both about vulnerabilities and what you need to patch them – but you need to commission such a test as fast as possible.

You could read this Green Paper on penetration testing and ISO27001 – but cyber attackers aren’t about to slow down their activity, so you’ve got to start getting ahead: the faster you check your basic security, the faster you’re able to take remediation action to protect yourself and your valuable corporate assets.

Small & Medium Businesses continue to be cybercrime targets

Wednesday, April 10th, 2013

Symantec’s most recent National Small Business Survey says the following:

  1. In 2011, over three-quarters of small businesses had a security breach;
  2. The average cost of a security breach was £15k – £30k;
  3. 1 in 20 breaches led to business disruption of between a week and a month;
  4. 83% of small businesses have no formal cyber-security plan;
  5. Half of attacks targeted SMBs.

The report makes the point that cyber criminals target SMBs because they have more money than individuals and their security is much weaker than that of larger organisations. In other words, Small and Medium Businesses should expect to see substantial growth in the number and effectiveness of cyber attacks on them.

Part of an effective defence against cyber threats may well be a security solution such as that available from Symantec or Sophos. The better SMB approach is to start by adopting a basic cyber security strategy that deals cost-effectively with the most obvious business-level vulnerabilities and then moves on to look at appropriate technical security solutions. The Green Paper ‘Cybersecurity – a Critical Business Risk’ describes a useful 7-step cyber security strategy.