PC PORTAL

ISO 27001

January 24, 2019 By PC Portal

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.


May 14, 2018 By PC Portal

Using ISO 27001 to guide your GDPR breach response plan

Among the many changes GDPR will usher in, one of the biggest for many organisations will be mandatory breach reporting. From May 25, all organisations holding personal data about European Union residents must disclose a breach if it is “likely to result in risk to personal data”.

What’s more, organisations must report such breaches within 72 hours of discovering one. Reacting in such a short timeframe calls for a robust response plan. Unfortunately, experience to date suggests such plans tend to be conspicuously absent. The ISO 27001 Information Security Standard can help.

ISO 27001 can enable organisations to map an incident response plan that covers not just IT, but also people and processes. A good plan will cover the following steps:

  • Detect
  • Contain
  • Eradicate
  • Remediate
  • Recover
  • Review
  • Communicate

Who implements the plan?

Incident response often falls solely – and unfairly – on the shoulders of the IT team. “It can’t just be the IT person’s job. It has to involve the whole business: this is a business risk and a business issue,” said Brian Honan. He added that GDPR applies to physical information, not just data on IT systems. Brian was speaking as part of a panel discussion on GDPR at the ISO 27001 Ireland event last week.

He recommended that a security response team should include representatives from information security, operations, HR, legal, PR, and facilities management. HR should be involved because if it’s an internal breach, the organisation may need to discipline a member of staff. Recovering from a breach often creates a fraught, high-pressure environment. HR can also play a role by helping to coach employees and manage their time. “Breaches don’t just happen between the hours of 9 and 5,” Brian said.

Involving a legal team is also important because organisations will probably need to deal with the appropriate data protection authority. “Speak the right language to the right people. You don’t want to open a can of worms by saying the wrong thing to the regulator,” Brian said.

Sending the right message

Too often, organisations fall back on stock answers like “a sophisticated breach” when there’s little evidence to support the claim. Having PR expertise on the incident response team helps to ensure the organisation’s public statements are consistent, timely and truthful.

Brian also recommended including a representative from facilities management on the team. That’s particularly useful if a breach involved a break-in where CCTV cameras and physical security could prove vital.

“The key thing is, engage early with the business, find out what is important to them. Find out what you need to have in place. Establish relationships. Know who you need to contact in the regulator’s office or the supervisory office, find out what way you will contact them. And other relevant bodies you may need to contact. And think about what external expertise you may need. It’s important that you have those contact details already,” Brian said.

Ensuring transparency

To make sure the response process is repeatable, Brian recommended documenting all policies and procedures. “Transparency is important… It’s very easy to get caught in the heat of the moment in a breach, but then afterwards, can you recall what happened?”

Data breach notification also brings suppliers under its umbrella since many organisations now outsource their data hosting to third parties. “If your data is in a data centre or with a hosting provider, do you have an agreement in place so that they will let you know if they have had a breach? That’s a new thing to worry about. You may have to report a breach because one of your suppliers has had a breach,” Brian said.

Alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach. The 72-hour reporting window means that you don’t need detailed forensic analysis to start with. That can happen at a later stage. Teams should identify tools or software they will need both to detect possible breaches and to manage the response process. Brian suggested using examples like last year’s Equifax breach as the scenario for a desktop exercise to practise breach response. “If your vulnerability scanner didn’t work, how would you act? Use it as a learning mechanism,” he said.

People power

Staff training can also strengthen an organisation’s ability to spot potential breaches as well as respond to them. Brian referred to the Verizon Data Breach Investigations Report, which found that many breaches come to light not via tools but through people noticing something strange. “The number one detection tool we have is our staff,” he said.

The last reason for implementing a breach response plan is simply reputation management. “It’s not that you’ve had a security breach that will damage your brand, it’s how well you respond,” Brian concluded.

The post Using ISO 27001 to guide your GDPR breach response plan appeared first on BH Consulting.


February 28, 2018 By PC Portal

Business benefits for ISO 27001 certification, and five steps to making it work

Whether you want to reassure a board – or yourself – that your security programme is operating optimally, the ISO 27001 Information Security Standard gives you that confidence. Here are some business-focused benefits to becoming certified, and some tips for making that process run smoothly and successfully.

Choosing to get certified

First, let’s address a misconception: when it comes to certification, size doesn’t matter. It has nothing to do with how large your organisation is. It’s better to think of ISO 27001 in terms of how important you consider your organisation’s or your customers’ data. That could be business plans, financial information, intellectual property, payroll details, or credit card numbers. BH Consulting has certified a three-person company. Another SME client had just 10 employees when it obtained ISO 27001 certification. When a US multinational subsequently acquired that company, it turned out security was the easiest part of the due diligence process because of the certification.

External validation

The main reason I like to recommend ISO 27001 is because it’s an internationally recognised standard of good practices around cybersecurity. It is vendor- and technology-neutral. Being certified to ISO 27001 means you’re being verified at least once a year by an external independent body that you operate your security in the way you claim. That differentiates the standard from other self-regulated standards like NIST 800, for example.

It also helps businesses that regularly sell to larger corporates. The larger the customer, the more rigorous their supplier due diligence tends to be – and rightly so. Security questionnaires now feature regularly in many tendering processes. Third-party risk is a legitimate concern for large businesses – think of how attackers breached Target’s network through a supplier.

GDPR assistance

I have noticed a growing number of companies and public bodies looking at ISO 27001 to support compliance with GDPR. Similarly, ISO 27001 is useful for managing compliance with security frameworks such as the EU NIS directive, or HIPAA.

Cyber insurance is a hot topic right now, and I know of many companies thinking seriously about taking out policies. Some insurers are giving discounts to ISO 27001-certified companies. (Personally, I believe there’s lots of hype around cyber insurance. I think it’s better to spend the money on good defences. Otherwise, it’s like choosing not to put seatbelts in your car, but taking out insurance against a crash instead.)

To sum up the benefits, ISO 27001 takes a risk-based approach to securing information. By definition, any organisation that has undergone the certification process can prove it operates a robust risk assessment process.

Ensuring successful certification

So, with a solid business case for getting certification, how do you ensure the process itself is a success? Here are some points to consider:

  1. Do it for the right reasons: to assure customers, stakeholders or external overseers that you keep data secure.
  2. Do obtain full support from senior management. Ensure they’re bought into the programme and that they provide the right resources and budget to ensure success.
  3. Do get buy-in from all parts of the business. ISO 27001 is an information security standard, not an IT standard.
  4. Don’t chase certification purely to satisfy a sales requirement or for marketing purposes. Otherwise you don’t get the correct level of focus on the standard. Treating it as a box-ticking exercise makes it very difficult to achieve and maintain certification.
  5. Do ensure information security is a regular agenda item on senior management meetings, not just an annual review. Have management actively review and sign off on security policies, and attend security awareness training.

If I’m auditing a company, and management aren’t attending, then I know the company isn’t serious about certification. It shows whether the effort goes beyond lip service to embedding a lasting, mature security culture. In many ways, it’s a classic chicken-and-egg scenario: without full support from management, successful implementation is unlikely. Yet a successful implementation ensures you have full support.

The post Business benefits for ISO 27001 certification, and five steps to making it work appeared first on BH Consulting.


Copyright © 2019 · PC PORTAL