ISO 27001: Why a Culture of Security Is So Crucial

Careless handling of information, targeted sabotage, and hacking: For businesses, sensitive data poses a significant potential threat. If it falls into the wrong hands, the financial losses and damage to a company’s reputation can be huge. Yet many security breaches can be avoided when enterprises foster a culture of security that makes employees more conscious of the risks.

When two executives of the Pathé film company received an e-mail request from their CEO to wire funds for a purported business acquisition, they thought nothing was amiss. They dutifully transferred the sum of $21 million – to a gang of cybercriminals posing as the company boss. Both managers were fired, every cent lost. Scams such as this one have become a common form of crime known as ‘CEO fraud’, or business e-mail compromise (BEC). According to an FBI public service announcement issued in mid-2018, 78,617 BEC incidents were reported worldwide between October 2013 and May 2018, with exposed losses of approximately $12.5 billion.
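The Pathé case turns on a message whose display name says “the CEO” while the sending or reply address does not. The following screen is an added example, not code from the article or from any vendor mentioned on this page; it assumes a protected domain (COMPANY_DOMAIN), a small list of executive mailboxes (EXECUTIVES) and three constructed sample messages. It flags the three tell-tale signs of executive impersonation: a display name that matches an executive but comes from another mailbox, a lookalike sending domain, and a Reply-To that points outside the From domain.

```python
"""Heuristic triage for CEO-fraud (business e-mail compromise) messages.

Added example, not part of the original article. COMPANY_DOMAIN, EXECUTIVES
and the sample messages below are constructed for illustration.  The checks
are a triage aid for a mail gateway or SOC rule, not a substitute for DMARC
enforcement or for an out-of-band callback before any wire transfer.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                  # assumption: the protected domain
EXECUTIVES = {"alice ceo": "alice@example.com"}  # assumption: display name -> real mailbox


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str) -> list:
    """Return the reasons (possibly none) a message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # 1. Display name matches a known executive, but the mailbox is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Sending domain is a close typo of the company domain (0 < distance <= 2).
    if from_dom and from_dom != COMPANY_DOMAIN and 0 < _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_dom}")

    # 3. Replies would go somewhere other than the apparent sender's domain.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if reply and _domain(reply) != from_dom:
            reasons.append(f"Reply-To {reply} points outside the From domain")

    return reasons


# Constructed sample messages (headers only matter for the screen).
LEGIT = """From: Alice CEO <alice@example.com>
To: bob@example.com
Subject: lunch

See you at noon."""

SPOOF_FREEMAIL = """From: Alice CEO <alice.ceo.office@webmail.example>
To: bob@example.com
Subject: urgent wire

Please transfer the acquisition deposit today and keep this confidential."""

LOOKALIKE = """From: Alice CEO <alice@examp1e.com>
Reply-To: ceo-desk@mail.example
To: bob@example.com
Subject: urgent wire

Wire the deposit to the account in the attachment and reply to confirm."""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("freemail", SPOOF_FREEMAIL), ("lookalike", LOOKALIKE)):
        print(label, screen_message(sample))
```

Running the block prints no reasons for the legitimate message, one for the free-mail impersonation and three for the lookalike domain with a foreign Reply-To. In practice the display-name check is the one that catches most CEO-fraud mail, because attackers rarely bother to register a lookalike domain when a plausible name is enough.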

CEO fraud is only one form of the problem. In ‘social engineering’, a favorite among attackers, criminals harvest personal details from social media and use them for targeted manipulation. For the most part, they find their way into a company’s IT through its employees. This is hardly surprising given the findings of international studies on information security in the workplace, which show that only around half of employees actively engage with cybersecurity. Many rely on their employer to handle security and take barely any precautions themselves. They are often unaware of the sensitivity of the data they handle every day – passwords, contracts, and banking and customer details.


Information Security Must Become Part of Corporate Culture

For employees to become more conscious of risks, security has to be integrated into their daily working environment. Even the smallest of measures can prove effective. The IT security firm Stormshield, for example, opts for ‘punishment by pastry’: when an employee leaves the office without locking their PC, they receive an automated e-mail inviting them to treat the team to croissants. For the majority of enterprises, however, the main focus is on IT solutions rather than on people. Information security relies on a balance between people, processes, and technology and is the responsibility of the entire organization, yet few companies take such a holistic approach. This is the finding of the 2018 Cybersecurity Culture Report from ISACA and the CMMI Institute, in which 95 percent of the roughly 4,800 respondents worldwide reported a gap between their organization’s current and desired security culture. Nine in ten agreed that a strong culture of security would improve the profitability of their business. Yet many lack an established approach to building one.

“People count on IT solutions. But social engineering bypasses them. We have to take people and processes into consideration, too.”
Kevin Mitnick,
social-engineering expert, CEO of a security firm, and former hacker

The Information Security Management System (ISMS) as a Conceptual Framework

Foreseeing every security risk and attack scenario is impossible. For this reason, companies need to make their business processes clear and watertight. This calls for the scope of the system to be defined, risks to be identified and assessed, and concrete security measures to be selected and documented. It also requires clearly defined responsibilities and access rights. Documentation alone does not prove that processes are secure: to be certified, an organization must submit its ISMS to audit by an accredited external certification body, which checks that the documented processes are actually operated as described. Only then can it achieve ISMS certification. Established standards exist for this purpose – above all the world-leading ISO/IEC 27001, which specifies the requirements for an information security management system. The standard treats security as part of corporate culture and views the organization as a whole. Every level of the hierarchy and each department can be involved in security measures, with guidelines and training firmly rooted in day-to-day work. Only by fostering a security-conscious corporate culture can an enterprise turn its greatest weak spot into a line of defense. Employees are then able to recognize and repel threats such as CEO fraud.

“Due to the current level of threat, ISO 27001 has established itself as a world-renowned standard. What was once ISO 9001 will be ISO 27001 in the future.”
Peter Suhling,
accredited ISO 9001 and ISO 27001 Lead Auditor