IT Insecurity: It’s Not the Technology

Source: Quality Digest
Author: DNV GL, International accredited registrar and classification society

A new report by Juniper Research puts the price tag of cyber attacks against businesses around the world at $8 trillion over the next five years. Hacks and other forms of digital theft are accelerating despite what would seem to be nonstop efforts by corporations to harden their networks with anti-virus software, network intrusion filters, virtual private networks, vulnerability testing, and all manner of expensive gadgets to keep the bad guys out.

Much of the risk escalation is due to the explosion in mobile devices that once were confined to personal use but now are ubiquitous in the modern workplace. And—let’s face it—the unfortunate fact that cyber crime does, all too often, actually pay. Very few digital intruders are ever caught. This makes prevention disproportionately vital, considering there is virtually no “cure” once the theft has occurred.

Despite all the dazzling technology being used to create information and then defend it, today’s best view of the IT insecurity problem can be found by looking in the mirror. Staring back is a smart, hard-working professional with a job to do. Doing a good job presents, on a daily basis, myriad natural risks to the security of sensitive business information within your own organization and spread across the data streams connecting your company to customers, suppliers, and business partners.

This is precisely the reason more organizations are embracing ISO 27001 certification.

“The greatest challenges to IT security are people, not technology,” says Vicky Hailey, president of The Victoria Hailey Group. “ISO 27001 is not another piece of software that will need upgrading in six months. This is a sustainable management system that forces you to understand your risks—human and technical—within your organization and across your supply chain.”

As any IT security professional will tell you, knowing your vulnerabilities is the first step in protecting your networks and your data. ISO 27001 certification takes that principle to an organization-wide level.

“With ISO 27001, IT security becomes a true business issue, not just a task for the IT department,” says Hailey.

The process of becoming certified to ISO 27001 is similar to that for other ISO management system standards, such as ISO 9001 for quality and ISO 14001 for environmental stewardship. It involves an audit by an accredited certification body such as DNV GL and culminates in the issuance of a certificate of conformity. Certification is not a one-time event: the certificate is maintained through periodic surveillance audits and a recertification audit at the end of each three-year cycle.

The kind of self-examination that organizations go through to prepare for their initial audit may in fact be the most thorough evaluation of their IT security profile they’ve ever had.

“Companies throw money and technology at the problem and think that’s it, problem solved,” says Hailey. “The more they spend, the stronger they think their defenses are. Until an employee leaves a laptop in a taxicab, or a busy executive clicks on a spear-phishing email. All that money on ‘defense’ has only left you poorer for the difficult task of recovering the data or fighting off a lawsuit.”

Which leads to one of the lesser-known advantages of ISO 27001 certification: recovering from a disaster.

In today’s connected economy, network disasters are not always digital. Natural disasters in the form of fire, floods, hurricanes, tornadoes, and lightning strikes can cripple sensitive electronics.

“I know of a major company that suffered a catastrophic fire that burned its systems integration facility to the ground,” says Hailey. “The company had received ISO 27001 certification six months before the fire. And based on the disciplines and procedures it adopted as part of its certification, it had its systems back up and running within two weeks, four times faster than it otherwise would have.”

This example illustrates the real, bottom-line value of ISO 27001 certification: Better preparation and faster recovery in the event of a problem.