Every day we hear more and more about cybercrime in the news. In March, the Chinese government was discovered hacking Google to steal years of surveillance data and spying information from American law enforcement. Several American universities have been reporting daily cyberattacks on the intellectual property and patent information the schools possess. The nine-day DDoS attack on Spamhaus, a European anti-spam organization, significantly slowed internet traffic from London to Hong Kong, affecting millions of users.
As data transfers increase exponentially, so does the risk of cybercrime. This should not surprise any of us who spend most of our lives online. We use the internet at work, we use our smartphones to stay connected while on the go, and after we arrive home we plug into the matrix yet again to unwind and relax.
Our world is connected, and we like it that way. An increasingly important side effect of the information age we are immersed in is that our data is more vulnerable than ever to cybercrime. Furthermore, all this data is being collected, stored and compiled to produce a digital profile of who we are and what we like. Big-data companies use this personal information to assess our habits and preferences and to predict what we will want to spend our money on.
Good examples of this are the ads Google presents to you while you type a message in Gmail or search using Google Chrome. Another is Facebook, where a recent study showed that a Facebook user’s sexual orientation, drug use and political beliefs can be accurately inferred simply from what they “like” on Facebook. Even Netflix and iTunes use data-gathering tactics to assess the movies or TV content you are interested in, and then suggest similar selections based on your preferences.
The recent revelation that the NSA is monitoring and tracking all information in the United States (PRISM) should come as no surprise. Simply using a device such as an iPhone, iPad or Google’s Nexus mobile device is like having a tracking device planted on you, except that you purchased this tracker and continue to pay for services that collect more and more information about you, thus improving the tracking accuracy. Furthermore, the security of these devices is increasingly in question as more reports of cybercrime on mobile devices appear in the news.
Data stored anywhere is susceptible to a security breach. That is why the information security relationship between companies and their employees has become a critical element in maintaining a quality information security management system. Protecting company assets, whether they are intellectual property or future strategic plans, is everybody’s business.
How do companies mitigate the cybersecurity risks abundant today?
This is a critical question that needs to be addressed by the organization’s leadership and then put into practice by the everyday users of the company’s assets. Without the proper plans and procedures in place, organizations are more vulnerable to employees unwittingly creating security risks for the company. That is exactly what cyber criminals are looking for in order to exploit those weaknesses.
An effective cybersecurity risk management strategy begins with identifying the risk-based objectives associated with the company’s largest threats. Companies have to take into account the acceptable level of cybersecurity risk involved in doing business and build strategies to mitigate the risks. A set of standards and controls can be established and put in place to simplify and streamline the process.
A few best practices can help your company establish a more efficient information security risk management road map. First, combine or coordinate the physical security controls with the information security controls. For instance, if your company is preparing for ISO 27001 certification, creating a strategic plan for 5.1 (Information Security Policy), 9.1 (Secure Areas) and 9.2 (Equipment Security) will establish a strong company security culture. Another recommendation is to establish guidelines for the use of company assets outside of the secure network. For instance, banning the use of company equipment on networks in specific countries sounds overprotective. However, simply using a public or private network in such a country can expose your mobile device to malicious cyber weapons, and once the device reconnects to the company network, the cyber weapon will spread through it. Many employees take some work home to finish, but not in a briefcase. They log into the company VPN and continue working, but improperly secured home networks or devices can still allow access to company data (ISO 27001: 11.7, Mobile Computing and Teleworking).
Organizations are establishing new policies in an effort to control and reduce the risks associated with cybersecurity. Everyone in the organization is responsible for making intelligent decisions regarding information security. When a quality security culture is built and everyone is doing their part, the likelihood of an attack is minimized.
RM Studio is a tool designed specifically to aid organizations in establishing and maintaining a quality information risk management strategy. Its ease of use and automatic links between assets and threats make RM Studio an easy-to-deploy and efficient risk management aid. We are here to assist you with compliance with ISO 27001, PCI DSS or other international standards. Please check our website for more information or click the free trial link to test out RM Studio.