Information security has never been more important than it is today. As technology continues to evolve, so do the associated cyber security risks and the challenges of retaining and using sensitive information safely.
Consequently, having effective measures in place to keep information safe has never been more important. This is why the ISO/IEC 27000 series on security techniques for information technology was updated: to provide organisations with a thorough and holistic approach to safeguarding their business from information security threats.
ISO/IEC 27001 is not only about IT and computer systems; it also covers information in any medium: workstations, filing cabinets, storage areas, telephone systems and more.
Information Security in Australia
Cybercrime is estimated to cost Australians over $1 billion each year. These costs are expected to rise. Government, telecommunications, resources, energy, defence, health, banking and finance sectors are likely to remain key targets for cyber criminals, but that doesn't exclude other industries from risk.
The Australian Cyber Security Centre (ACSC) says the cyber threat is undeniable, unrelenting and continues to grow. If an organisation is connected to the Internet, it must take measures to address information security.
Recently, the ACSC undertook the 2015 Cyber Security Survey. Some notable figures in this report revealed that:
- In 2014-15, CERT Australia responded to 11,733 incidents affecting businesses, 218 of which involved systems of national interest and critical infrastructure. CERT Australia is one of the partner agencies in the Australian Cyber Security Centre (ACSC) and the primary point of contact for cyber security issues affecting major Australian businesses.
- 50% of respondents had experienced at least one cyber incident in the past year. Cyber security incidents were defined as those that harmed the confidentiality, integrity or availability of a network's data or systems. 8% of respondents were unsure whether they had experienced a cyber security incident.
- Attacks exploiting weaknesses in common software solutions increased by 125% in 2015. This means that software your business may use is being targeted more often to steal sensitive information. Assessing all vendors whose software you use is a necessary step towards preventing information breaches.
- There has been a significant surge in the number of ransomware incidents (ransomware is malicious software designed to block access to a computer system until a sum of money is paid), with four times as many respondents reporting them in 2015 (72%) as in 2013 (17%).
- Spear-phishing campaigns targeting employees increased by 55%. Spear phishing is an attack in which criminals email individuals or businesses with messages that appear to come from someone the recipient knows. These attacks are becoming more and more sophisticated, using legitimate email addresses and attachments.
It is estimated that spending on information security of critical infrastructure in the Asia-Pacific region will reach $22 billion by 2020. This presents a growing opportunity for Australia's information security industry. Businesses are looking to invest in places with skilled workforces, engaged online consumers and simple regulatory environments that support innovation and security. Confidence in doing business online is critical. Getting information security right will mean Australia becomes a location of innovation and investment where all individuals and businesses can protect themselves online.
Why ISO/IEC 27001?
Acting ISO Secretary-General Kevin McKinley has stated that "ISO 27001 has become a common language for organisations to protect their information and is now a leading standard for international certification in information security".
Industry organisations are encouraged to adopt a risk-based approach to information security. ISO/IEC 27001 can enable an organisation to identify and prioritise threats and respond efficiently to mitigate vulnerabilities.
The ISO/IEC 27000 series on security techniques for information technology provides a very flexible and effective framework for addressing information security. No two businesses are the same, and requirements differ significantly between organisations. ISO 27001 allows risks, and the protection appropriate to them, to be tailored to each organisation.
Having an effective Information Security Management System (ISMS) in place and becoming certified to ISO/IEC 27001 brings a wide range of benefits. It requires businesses to identify risks to their information and put in place security measures to manage or reduce those risks. ISO/IEC 27001 is also based on continual improvement: it requires companies to regularly review the effectiveness of their ISMS, which helps them stay ahead of emerging information security risks.
Why ISO/IEC 27001 and an effective Information Security Management System?
- Ensures companies cover their legal and regulatory requirements for information security
- Company operations have never been more IT system dependent
- Commercially sensitive information has never been more at risk
- Information and processes are increasingly entered in the cloud
- Location-specific risks have been reduced for many types of operations
- 3rd party certification may reduce any need for 2nd party audits
- Gain stakeholder and customer trust that their data is protected
- Expand potential tendering opportunities by demonstrating a high level of information security through 3rd party certification
- ISO 27001 Information Security helps companies prioritise actions most appropriate to their business, today, and as risk profiles.