Information security is defined as the state of being protected against the unauthorised use of information, especially electronic data, or the measures taken to achieve this. It is a subject that is omnipresent in both our personal and professional lives.
Figures indicate that the cost of cyber-crime to UK businesses could jump by nearly 40 per cent this year as the threat grows. The NHS is just one of many organisations to have fallen victim to a ransomware attack this year already. The consequences of poor information-security management can be far-reaching and costly: lost revenue, theft, a ruined reputation, lost time and damaged intellectual property, to name a few.
We often associate data security breaches with large corporations, as these tend to be the ones on which the media focuses. However, it is an important but often forgotten fact that small businesses are just as vulnerable to hacking as large enterprises. Indeed, the consequences can be relatively more devastating for an SME, and are sometimes unrecoverable. SMEs are becoming even more of a target for hackers because they can serve as a back door into large enterprises, which often have stronger protection.
So, if you ask yourself “how do I know I’ve taken the necessary steps to achieve robust information security in my business?”, the answer is quite straightforward: measure yourself against a recognised standard.
As a first step, conformance with the government-sponsored Cyber Essentials could be considered. Cyber Essentials, which was introduced in late 2014, is a set of basic requirements to ensure a business is at least reasonably protected from online threats. It requires implementation of the following controls:
- Boundary firewalls and internet gateways.
- Secure configuration.
- Access control.
- Malware protection.
- Patch management.
For further guidance and information about Cyber Essentials, see www.cyberstreetwise.com/cyberessentials, where you will find a quick self-assessment questionnaire.
While Cyber Essentials is a good starting point, you could also take a wider view and consider, for example, physical threats and how to recover from attacks. With broader information-security protection and management in mind, ISO 27001:2013 also covers people and processes, taking a risk-based approach to information-security management systems. Along with other ISO standards, it is recognised globally as the leading framework for ensuring your business operates, and remains, as safe as possible in terms of information security.
If you want to be a business that takes information security seriously, then obtaining both Cyber Essentials and ISO 27001:2013 certification is the approach to take.