Experts around the world are warning about the increase in cyber attacks on businesses. In this country, some of these attacks have been reported, but how many go unreported? The Cybercrimes Act does, however, require electronic communications service providers and financial institutions that become aware their systems are involved in an offence to report it to the police within 72 hours and to preserve any information that may assist the investigation.
It appears that companies are doing their utmost to protect themselves from cyber attacks, ransomware, and other forms of cybercrime. These are often the larger companies that have more resources. The large international companies represented in the country can lean on their parent companies for systems, software, and hardware, as well as knowledge and information.
But what are small to medium-sized businesses doing? I've been told that many of their employees cannot even recognise an email carrying ransomware. This is worrying.
Many IT and IS departments are doing their utmost to prevent cybercrime. It is on the table at their weekly and monthly meetings. They send out emails about the different forms of cybercrime and provide training to employees.
But how often is cybercrime tabled at management meetings? Is it an issue discussed at weekly and monthly management meetings? How often does the company's board deal with the issue of cybercrime? Is it tabled once a year, or quarterly?
It seems that while IT and IS departments are working hard to prevent cybercrime, management within those same organisations is perhaps not addressing it as vigorously. I don't want to get anyone's dander up, but although managers may say that they do, the reality is often different.
It's important to have a recognised information security standard in a business. ISO/IEC 27001 is a framework that helps organisations "establish, implement, operate, monitor, review, maintain, and continually improve an ISMS". A standard like ISO 27001 gives a business checks and balances, regular internal audits and management reviews, and independent third-party certification audits.
The ISO/IEC 27001 standard sets out the requirements for an information security management system (ISMS), according to ISO. It enables organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details, and information entrusted to them by third parties.
Adhering to a standard such as ISO 27001 is not a cut-and-paste exercise. It is a management system that requires continual and proactive management, much like the business continuity management system ISO 22301.
From the messages and queries I have received, I wish to point out that ISO management systems are not a template exercise. Companies that can afford these management systems should have their own information security and business continuity plans in place. They should ensure that their systems are audited by external third-party auditors who can help them close the weaknesses and gaps in their business.
One thing we can be sure of is that cybercrime is on the increase, and vulnerable businesses without effective systems and measures in place stand to suffer in various ways, especially financially.
On this last point, something to bear in mind is the difference between ISO 45001 and ISO 27001. In the occupational health and safety field that ISO 45001 covers, companies and their managers can be held legally liable under health and safety law (with fines and even jail time) for negligence. However, what sanction is there for companies that are hard hit by cybercrime through their own negligence? The losses suffered because of cybercrime affect everyone who has an interest in the business, including owners, investors, top management, employees, suppliers, and last but not least, customers.