This page explains the current cyber threat landscape, outlines the threats that American organizations face, and provides links to helpful resources—including our four ISO/IEC 27001 implementation solution packages—that will help ensure your organization’s cybersecurity.
The cyber risks you face
The IT revolution has provided new opportunities and sources of efficiency for organizations of all types and sizes, but these new technologies have also brought an unprecedented level of threat. The National Cyber Security Alliance has found that 60% of small companies go out of business within six months of a cyber attack. With the modern world’s dependence on cyberspace, all organizations must address the issues of cyber threats, cyber resilience, and cybersecurity or face potential disaster.
Cyber risks can be split into three separate areas:
Cybercrime: Individuals working alone, or in organized groups, intent on extracting money or data or on causing disruption. This can take many forms, including the acquisition of bank card data and intellectual property or impairing the operation of a website or service.
Cyber war: A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of Advanced Persistent Threats (APTs).
Cyberterror: An organization, working independently of a nation state, conducting terrorist activities in cyberspace.
Organizations that would have to consider measures against cyber war or cyberterror include governments, those within the critical national infrastructure, and very high-profile institutions. It is extremely unlikely that the majority of organizations would ever face the threat of cyber war or cyberterror. To most organizations, the main threat comes from cyber criminals.
If you need more information, our bestselling book CyberWar, CyberTerror, CyberCrime and CyberActivism provides a detailed examination of the subject.
Know your enemy
All organizations face one of two types of attack from cyber criminals:
The attack will be deliberate, because the organization has a high profile and appears to have valuable data (or there is some other publicity benefit in a successful attack).
The attack will be opportunistic, because an automated scan detects the existence of exploitable vulnerabilities. (Virtually every Internet-facing entity, unless it has been specifically tested and secured, will have exploitable vulnerabilities.)
Opportunistic attacks are the most common. First, it is far easier for cyber criminals to use automated scans to look indiscriminately for exploitable vulnerabilities rather than deliberately targeting particular organizations. Second, smaller organizations are far more likely to have weaker cybersecurity postures than their larger counterparts and will thus be softer targets.
Ease of attack
Cybercrime is surprisingly easy to commit. Off-the-shelf hacking software, complete with support services, can even be bought or rented: the Fortinet 2013 Cybercrime Report claimed that an effective botnet (a network of private computers infected with malicious software and controlled without their owners' knowledge) can be bought for as little as $700 or rented for just $535 per week. Fortinet’s 2014 Threat Landscape Report found the US suffered the vast majority—61.99%—of the world’s botnet incidents.
The need for a response
Cyber attacks and breaches can cause considerable brand damage and can often cost organizations huge amounts of money. In some instances they can even sink an organization. Effective cybersecurity is not just a prerequisite to safeguarding your operational effectiveness, it can also help you win new business. It is a way of reassuring customers, supply chain partners, and stockholders of your commitment to their safety as much as your own.
Fighting cybercrime in the US
Cybersecurity is a business-critical issue. IT Governance's infographic "Fighting Cyber Crime in the US" shows that there were 1.5 million monitored cyber attacks in the United States in 2013 and that 46% of US companies have been asked for IT security credentials in the last 12 months. Cyber attacks are only expected to increase as more businesses move their data onto corporate networks, mobile devices, and the Cloud.
ISO 27001 and cybersecurity
In order to achieve a robust cybersecurity posture, today’s organizations have to recognize that expensive software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cybersecurity are people, process, and technology.
ISO/IEC 27001 is the only internationally recognized cybersecurity management standard. It takes a holistic approach to information security, addressing people, processes, and technology, and sets out the requirements of an information security management system (ISMS) that can be independently audited and certified by an accredited certification body. ISO 27001 is part of the ISO 27000 family of standards.
Creating an ISO 27001-compliant ISMS will help your organization meet numerous information security-related legal and regulatory compliance requirements, including state data breach notification laws, federal regulations such as FISMA, the GLBA, HIPAA, and SOX, and international standards like the PCI DSS.
ISO 27001 solutions
We have created a range of packaged solutions that will enable you to implement ISO 27001 at a speed and for a budget that is appropriate for your individual needs and preferred project approach.
Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.
Other cyber security standards
ISO 27032: Guidelines for Cybersecurity
Also in the ISO 27000 family of information security standards is ISO 27032: Guidelines for Cybersecurity. This standard provides guidance for improving the state of cybersecurity, defines stakeholders and describes their cybersecurity roles, and provides a framework for resolving cybersecurity issues, drawing out the unique aspects of cybersecurity and its dependencies on other security domains.
PAS 555: Cybersecurity Risk Governance and Management
PAS 555:2013 defines what effective cybersecurity should look like. PAS 555 takes an approach to cybersecurity that allows organizations to choose how they achieve their specified outcomes, whether through the use of other standards such as ISO 27001 and ISO 27032 or through their own internal best practices.
Free green paper: Cyber Security – A Critical Business Issue
Our free green paper on cybersecurity addresses the information security standards that aid the building of strong information security systems—such as ISO 27001, ISO 27002 and PAS 555:2013—and covers the two key factors that comprise effective protection of your information: cybersecurity and cyber resilience.
Cyber resilience is a key principle that underpins ISO 27001, describing how an organization's systems and processes are resilient to outside attack or natural disaster. There are four international standards that set out best practices for managing cyber resilience:
ISO/IEC 27001:2013
This standard provides the specification for an information security management system (ISMS).
ISO/IEC 27002:2013
This standard details how to go about initiating, implementing, maintaining, and improving information security management within an organization.
ISO/IEC 27031:2011
This standard deals with how organizations can ensure their IT processes and systems are prepared to enable business continuation should an incident occur.
ISO/IEC 27035:2011
This standard provides a guide to responding effectively when an information security incident occurs.
IT Governance Ltd is committed to the National Cyber Security Alliance (NCSA).