In a recently published report (Worldwide DDoS Prevention Products and Services 2013 – 2017) IDC found that, as “attacks surged in prevalence and sophistication, organizations were often caught unaware. Embedded capabilities were quickly overwhelmed and outages were readily apparent on the Web.” While IDC is primarily interested here in the market for anti-DDoS products and services, there were a couple of other conclusions that seem important:
- Expansion of cloud services and mobile networks create additional targets for attacks;
- A defence-in-depth posture provides the best protection against advanced attacks.
Two of the major strengths of the international information security management system standard, ISO27001, are that it encourages organisations to fully scope their cyber security defence requirements, taking into account their extended, cloud and mobile networks, and that it presupposes defence in depth, with Incident Management a key contributor to the overall cyber resilience of the organisation.
While more and more organisations are turning to ISO27001 as a way of demonstrating to their customers that they take cyber security seriously, anyone who is already certified should be including the changing nature of the cyber threat in its ongoing risk assessment activity and regular management reviews, ensuring that its control framework evolves to protect it against significant emerging threats.