Though we may think cyber security is being taken care of ‘somewhere else’, the risks are greater now than ever before, making a culture of security awareness everyone’s responsibility
Cyber security has long been the domain of the IT department, managing the potential loss or theft of data with firewalls, encryption, authentication and permissions. However, attacks have become so sophisticated that businesses must now educate everyone in their organisation to take an alert-but-not-alarmed position against the threat of a potential attack.
In this blog, we will uncover:
- The changing landscape of cyber security and how organisations are impacted
- Why cyber security is more than a compliance requirement and how to take a risk-based approach to its management
- How certification works
- 8 Step Implementation Plan
The Changing Landscape of Cyber Security
There has been a dramatic shift in global work practices since the onset of the COVID-19 pandemic. Government restrictions forced many to adapt to ‘work from home’ as the new normal and this, in turn, created a range of challenges for corporate cyber security.
Digital transformation was fast-tracked, but the uncertainty of multiple stages of restrictions, along with the use of home WiFi networks and employees using their own unprotected devices, left companies open to a greater range of risks than ever before. An altogether less restrictive (and therefore less protected) corporate environment was created. As a result, there is now an urgent need for all employees to be educated to be actively suspicious of unusual or concerning communications, alerts, or activity.
How Organisations Are Impacted
The post-pandemic workplace has created significant vulnerabilities in organisations and opened opportunities for increasingly sophisticated cyberattacks – from email phishing scams and hacktivists (hackers fighting for social and political causes) to data fraud involving disgruntled, malicious employees, and attacks on users of video conferencing services, both through data theft and through unapproved access to virtual meetings. The implications are staggering: not only are operations affected, but companies are exposed to any number of legal, compliance and reputational disasters.
Our 2021 Australian business survey found that financial losses (36%) are the biggest fear when a cyber-attack takes place.
Everyone Has A Role To Play
View our free infographic ‘Cybersecurity Threats – Is Your Business Prepared for an Attack’, to learn how everyone in the organisation has a role in protecting information security.
Cyber Security – More Than Just Compliance
According to a recent SAI Global survey of Australian businesses (2021), more than 55% of respondents don’t realise they’re vulnerable to cyber security attacks. With a more complex array of risks to navigate, this creates an alarming situation for companies that have spent considerable time and money establishing a reputation for reliability and integrity.
As modern attacks evolve, organisations have more than just their compliance responsibilities to worry about. A privacy breach that impacts people who have invested their trust and confidence (and money) into a company can be very difficult to come back from. Data privacy still sits amongst the highest of priorities, in part due to the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) in 2018.
SAI Global’s second annual Reputation Trust Index survey revealed that 75% of respondents “would accept a lower quality product for increased data protection”, while 65% of those surveyed “viewed data privacy as a company’s most important attribute”.
A comprehensive cyber security management system will deliver on three key components:
- Confidentiality – customers must be assured their data is protected and accessible only through approved authorisations.
- Integrity – systems and processes must assure data integrity and deliver on expectations that confidentiality is maintained.
- Availability – customers must be able to access what they need when they need it with the assurance that reliability and privacy are of the highest priority.
A Risk-Based Approach to Cyber Security Management
Businesses had to engage in rapid digital transformation in 2020 as a result of the changing landscape of cyber security. With this comes great opportunity and potential for growth; however, long-term sustainability is entirely dependent on sturdy and practical systems and processes.
A risk-based approach provides a robust, integrated framework that aligns a business’s cyber security with the current status of the company, whilst allowing for improvement and adaptation in an environment continually populated by risk. It also secures alignment with global best practice for information security management and, as a result, ensures consumer confidence is maintained and continually reinforced.
Understanding Management Systems
A management system can help streamline your business processes, improve business performance, and demonstrate your capability to meet customer needs. An effective management system manages and optimises risks, improves performance and transparency, and fuels a culture of continual improvement. This can be achieved by adopting standards and certifying your management systems.
Being ISO certified can provide an immediate boost to your organisation’s credibility and reputation, as well as a competitive edge.
ISO 27001 Information Security Management Systems
Organisations and their information systems are at risk of security threats from sources including fraud, espionage, sabotage, and natural causes. ISO 27001 enables organisations to align with global best practice for information security management. It offers organisations a robust and practical framework to assist with the improvement of information security, focusing on the preservation of the confidentiality, integrity and availability of information. ISO 27001 meets the DISP requirements for ICT security.
Step 1: Getting Started
- Purchase the ISO 27001 Standard
- Undertake optional training to build expertise
- Implement the Standard
Step 2: Implementation
- Contact SAI Global to discuss requirements, timeframes, and costs
- Review and accept proposal to book audit dates
- Take an optional pre-assessment
- Perform a gap analysis
Step 3: Certification
- Undertake a Stage 1 audit
- Complete a detailed Stage 2 certification audit
- Upon successful certification, display the ‘Five Ticks’ StandardsMark™
Step 4: Maintenance
- Conduct Surveillance Audits annually
- Recertify to ISO 27001 every three years
- Establish a continual improvement culture
Step 5: Optimising Certification
- Market for brand and promotional benefits
- Optimise commercial teams
- Ensure shareholder and stakeholder awareness
8 Step Implementation Plan – the ISO 27001 Management System
Step 1: Project Initiation
Establish a committee of top management and project management to ensure a comprehensive understanding of the organisation’s objectives and context.
Step 2: Define the ISMS
This includes the objective, scope, limits, interfaces, dependencies, and exclusions together with their justifications.
Step 3: Conduct a Risk Assessment
Establish a risk assessment framework, develop an asset register with associated threats, analyse each risk and its impact, and evaluate the risk against the risk acceptance criteria.
Step 4: Risk Management
Determine what the next action should be and what controls need to be implemented. This includes risk reduction, avoidance, acceptance and transfer.
Step 5: Training & Awareness
Educate employees on the management system, including their impact on the organisation’s security and processes.
Step 6: Preparing for Audit
Conduct a gap analysis on the system and processes to determine its conformance to the ISO 27001 standard, and address any corrective actions required.
Step 7: Certification Audit
Your third-party independent Certification Body will conduct the certification audit and determine whether your organisation conforms to the ISO 27001 Standard.
Step 8: Continual Improvement
Measure, monitor and review the management system through an effective internal audit program, to identify areas of improvement.
In our 2021 Australian business survey, 47% of respondents believe in training and upskilling their people to identify and manage potential cyber threats and 40% believe in having the best and most updated technology to improve risk mitigation.
Improve Business Credibility with 5 Ticks
70% of consumers said they used quality indicators such as the 5 ticks logo to help them select products. Recognition in the marketplace gives your customers the assurance that your organisation has undergone a rigorous audit and testing program, with 77% of consumers surveyed agreeing that the 5 ticks logo meant a product could be trusted.
Why SAI Global
We’re here to help you build a world-class, globally competitive and sustainable Australian industry today.
With over 25 years of experience and a global reputation built on first-class delivery and technical support, SAI Global supports its partners throughout the assessment and certification process, while making that process as seamless and simple as possible.
Adding value is at the core of our business and our processes. Let us show you how assessment and certification can add value to your business.
Australia-wide, delivering over 60,000 audits each year, your local SAI Global team is equipped to support your unique requirements.