I often get asked "what can I do to never get a cyberattack?" or "if I implement ISO 27001, will I be 100% secure?" or "why don't you invent a product that would make an organisation 100% secure?".
The last question came from my father this summer, when we were reading about the Petya outbreak at Maersk. It made fascinating reading, not least the cost, which was approximately 2 billion Danish kroner (around 240 million British pounds by my calculation). Certainly not small change for any company.
Maersk has chosen to be quite open about the attack, and based on the various news reports it was not directed specifically at Maersk. Maersk was one of many global companies hit by malware later known as NotPetya, distributed through M.E.Doc, a Ukrainian accounting package used for filing tax returns in Ukraine.
The attackers had compromised the M.E.Doc update infrastructure and pushed a trojanised update, carrying a backdoor, to the software's users through its own automatic update mechanism. That backdoor then gave the malware its way into the networks of the organisations running the software.
So back to the question. Of course I would love to develop a piece of software (or magic potion) that would make a system or organisation 100% secure; I am sure I could sell many copies. I am not sure it is possible, but perhaps I am limiting myself with that attitude (at least that is what my father thinks)? Then again, if I am wrong I would be joining a "club" that includes Bill Gates (of the probably apocryphal "640K ought to be enough for anyone"), so perhaps not the worst club to join?
In the Maersk case, from what I can understand, the victims installed the malware themselves through a system they trusted: the accounting software's update channel. It would compare to someone successfully hacking the monthly Microsoft update for my laptop.
If you cannot prevent 100% of attacks, what can you do?
Well, any good information security management system looks at prevention as well as damage limitation, detection and recovery. Think of a medieval castle: an attacker who gets through one line of defence finds that the rest of the castle is segregated behind further defence lines, so breaching the outer wall does not hand over the keep.
So the question becomes not if, but when, I will be the victim of a cyber-attack, and how I can best detect the attack, limit the damage and recover to normal business as quickly as possible.
This is where I think ISO 27001 is a great basis for an information security management system. It takes a risk-based approach to investment in information security and balances prevention, detection and recovery. ISO 27001 will help you minimise the risk of a cyberattack and help you detect, respond and recover when one occurs.
At JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, so time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So, if you are considering ISO 27001, call us now on +44 (0)20 8798 9282 to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid the pitfalls.
For further information that might be of interest, please also see:
- What is ISO 27001, Information Security and why should you use it?
- Designing ISO 27001 for Business
- ISO 27001 Implementation Checklist
- What is ISO 27001 and why should a company adopt it?
- Who wants 100% information security and a free lunch?