Research by IDG Connect shows that 46% of US organizations have experienced malware attacks that severely affected their business operations.
Malware includes nasty threats such as viruses, ransomware, worms, and adware.
The statistics are quite sobering if you consider that 88% of the companies polled spend over $100,000 a year on data security, and 39% spend over $500,000.
These figures also underscore the fact that security hardware and software alone are failing to prevent malware from infecting organizations’ systems.
Such security incidents should sound alarm bells for IT decision makers about the efficacy of their existing security structures.
Threats will continue to grow
Companies will increasingly be targeted by ransomware, denial-of-service attacks, and other threats, such as phishing and zero-day attacks. It is clear that companies should evaluate their current security infrastructure to establish how the risk can best be minimized.
Promoting a culture of security awareness and vigilance is one of the critical areas in which businesses should be investing heavily. Employees are often an organization’s weakest line of defense, and without the required skills and knowledge about these risks, the company will not be able to fully protect itself from opportunistic threats.
Encourage better employee vigilance and an improved security culture
- Leadership support
The CEO and top execs must support the security program and be seen leading from the front by visibly promoting an information security strategy. Senior managers must be made aware of the importance of the strategy. Implementing an ISMS (information security management system) that tackles information security across people, processes, and technology is the best way of approaching such a venture.
- The importance and value of information assets
Everyone in the organization should be made aware of the value of the information assets. This includes paper-based data, printed material, memory sticks, contracts, personal data held on local computers, and other ‘non-traditional’ assets that staff often overlook when the term ‘information security’ is mentioned.
- The ISMS must support the organization’s objectives
An overly rigid security strategy can compromise the availability of data. Companies should not shun social media at work or avoid other business enablers such as the cloud or BYOD (bring your own device), as doing so could have a detrimental effect on organizational growth. Instead, a risk assessment should be conducted to establish the full range of threats and risks affecting the business, and a set of robust controls can then be devised to mitigate those threats. An ISMS aligned to ISO 27001 provides guidelines and the methodology for these risk assessments.
- Staff awareness training
An intelligent security awareness program should promote a security culture that trains people in risk-conscious thinking, and will highlight the dangers of common threats lurking in everyday situations, such as social media, phishing scams, and malware.
- Policies and procedures
An effective ISMS includes processes and underpinning procedures, actions, and responsible individuals that set out guidelines for approaching day-to-day business activities with information security in mind.
How ISO 27001 works
ISO 27001 is an information security standard that is globally accepted as the benchmark of best practice. It recognizes the fact that technology alone is incapable of defending against the evolving nature of information security threats.
An ISO 27001-aligned ISMS helps organizations coordinate their security efforts coherently, consistently, and cost-effectively. As an all-encompassing security standard, it also includes measures for effective surveillance, continual improvement, and maintenance – all contributing to the development of a culture of security throughout the organization.
If you are looking to implement ISO 27001, consider the following options:
- ISO 27001 Gap Analysis
Get specialist advice from experts to identify what is required to achieve ISO 27001 certification-readiness. This expert, in-person review of your information security arrangements against the requirements of ISO/IEC 27001:2013 is ideal for organizations seeking to develop a business case and secure budget approval for implementing an ISO 27001-aligned ISMS. Also available online.
- ISO 27001 mentor and coach consultancy
Five days of dedicated expertise and specialist knowledge with scheduled coaching and project review sessions from an expert ISO 27001 consultant. The coaching sessions cover each key stage of the ISO 27001 implementation project. Delivered online, via Skype, or by telephone, reducing the costs of traditional consultancy.