A Standard Approach to Managing Cybersecurity Threats

Rob Acker,
Quality Manager, Information Security, Lloyd’s Register

Industry 4.0’s rapid digital transformation has encouraged the rise of data-driven cultures in organisations throughout the world, with technology, media and telecoms (TMT) businesses often at the forefront of technological advancements.
However, as opportunity increases, so does risk. For some businesses, the speed of development has outpaced the organisation’s ability to effectively protect this data from the ever-evolving threat landscape.
This can lead to significant trust issues with buyers. In fact, research by PwC discovered that 87% of consumers would take their business elsewhere if they didn’t feel able to trust that their data was being handled responsibly[1].

The threat landscape

For TMT businesses, the most common threats include:

  1. Vulnerable devices

As flexible working becomes the norm, more employees are accessing corporate data from their smartphones. TMT businesses, as well as their employees, are more likely to adopt the latest technologies; however, the latest mobile devices, apps and technologies can lead to increased risk. According to Symantec, around 24,000 malicious mobile apps are blocked every day, and network security company RSA found that attacks from rogue mobile apps have increased by 300%[2].

  2. Cloud security

TMT organisations invest large sums of money in cloud-based solutions so that their employees can store and share data safely. The increased mobility this offers enables teams to work from anywhere at any time, increasing efficiency whilst reducing expenses. In fact, analyst firm Forrester predicts that the worldwide cloud computing market is expected to grow to $191 billion this year, up from $91 billion in 2015[3].
However, an insecure cloud platform can leave an organisation vulnerable, especially if the service stores or allows access to all of the user’s website and cloud service credentials. If a cybercriminal gains access to these details – particularly those with elevated permissions for the company’s critical infrastructure – it can leave the organisation open to attack, which could involve loss or theft of intellectual property, compliance violations, malware infections and contractual breaches with customers and business partners.

  3. Internet of Things (IoT)

From sensors located in production systems and delivery vehicles to algorithms to monitor the performance of products, IoT devices have revolutionised the way companies operate and understand their customers and products. In fact, research from network security business Juniper estimates that the number of IoT sensors and devices is set to exceed 50 billion by 2022[4].
However, organisations are already mindful of IoT-related threats and their potential impact. According to a study by the Ponemon Institute, 84% of companies predict that unsecured IoT devices are likely to cause a data breach in their organisation[5]. To combat this threat, companies will need to ensure that their devices are securely configured. Many IoT risks are a result of devices developed by manufacturers who prioritise ease of use over security, making them potentially vulnerable to attack.

  4. Social engineering and phishing

Without adequate training, workers can unwittingly put company data at risk if they fall victim to social engineering, phishing and social media malware. According to PwC, current employees play a part in more security incidents than any other party, accounting for 30% of all incidents[6].

  5. Supply chains

The Ponemon Institute found that 56% of organisations have experienced a security breach that originated via a supplier[7]. TMT companies with global, complex supply chains seem particularly at risk. It is therefore essential that organisations implement processes and controls designed to minimise these risks, including working with suppliers to ensure that data is kept safe – for example, ensuring that managed service providers only have access to the systems and information they need to provide the service.

A standard solution

In addition to the commercial need to protect confidential information – such as intellectual property and pricing information – there have been recent developments in the regulatory and corporate governance fields that have placed ever more demanding requirements on the privacy of information, especially personally identifiable information.
Working towards and being certified against an internationally recognised standard can help businesses demonstrate the effectiveness of their Information Security Management System (ISMS) and develop the right controls and products to meet the needs of key stakeholders. It also provides an assurance that security issues are being addressed in accordance with best practices.
ISO 27001 provides a best practice framework to identify, analyse and then implement controls to manage and mitigate risks – reducing the likelihood of an information security breach, helping protect information assets and manage the threats posed to an organisation.
By gaining ISO 27001 certification through an independent, third-party accredited certification body, customers can be confident that the businesses they are buying from have adequately identified, analysed and implemented controls to manage information security risks and safeguard their personal data.
To comply with ISO 27001, an organisation must be able to demonstrate that laws, regulations and contractual requirements are identified and that processes are in place to ensure compliance. This has a positive impact on risk management and helps organisations avoid costly fines and reputational damage associated with data breaches.
ISO 27001 is the management system specification that defines the requirements businesses need to address to implement an ISMS, and against which an organisation will be audited during the certification assessment. The specification includes the common elements of all management systems: policy, leadership, planning, operation, management review and improvement. It also contains a section (Annex A) specifically aimed at identifying risks to information and selecting suitable controls, enabling the organisation to compare its selection against best practice. So the application of ISO 27001 will give any organisation guidance on how best to mitigate the threats listed earlier.
Central to ISO 27001 is risk assessment, which is the foundation on which an effective ISMS should be built. The methodical risk assessment approach of ISO 27001 ensures resources are applied effectively to reduce overall risk and cut costs. It provides the focus for the implementation of security controls and ensures that they are applied where they are most needed and are cost-effective and, just as importantly, are not applied where they are least effective. In essence, the risk assessment process helps businesses to answer the question: ‘How much security do we need?’
Ultimately, third-party certification against ISO 27001 shows that an organisation takes information security seriously and provides a competitive edge to win new business and retain existing customers. For companies operating in the fast-moving TMT space, adequately protecting data isn’t optional – it’s expected and vital to future success.
For more information on ISO 27001 certification, visit https://www.lr.org/en/information-security-cyber/

[1] https://www.pwc.com/us/en/services/consulting/library/consumer-intelligence-series/cybersecurity-protect-me.html

[2] https://www.digitaltransactions.net/attacks-from-rogue-obile-apps-jump-300-and-cnp-fraud-continues-to-boom-rsa-finds/

[3] https://www.skyhighnetworks.com/cloud-security-blog/9-cloud-computing-security-risks-every-company-faces/

[4] https://www.juniperresearch.com/press/press-releases/iot-connections-to-grow-140pc-to-50-billion-2022

[5] https://www.scmagazineuk.com/dramatic-increase-iot-related-data-breaches-due-unsecured-devices/article/1584100

[6] https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html

[7] https://www.csoonline.com/article/3191947/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-providers.html

About Author: Rob Acker, Quality Manager, Information Security and Business Continuity, Lloyd’s Register.
Rob Acker has over 35 years of experience in software development and information security management systems. Since 2007, he has served as ICT Technical Manager and QMS/ISMS/TickIT/BCMS/TickITplus Lead Assessor for Lloyd’s Register. He has extensive technical experience in information system quality, security and business continuity, as well as in conducting business assurance assessments of customer management systems.