If you wait until this message greets you at work, a Notebook PC is stolen from a company vehicle, or staff members are working on their own PCs from home, it will be too late. It's not a question of whether your business will be targeted. You're already a target but have been lucky to date.
With more and more data sharing between customers and suppliers, your customers may be nervous about sharing data with you. And especially so, if you are an SME. Indeed, SMEs are a favorite target of cyber attacks as they are considered to be an easier route to major companies' data than targeting them directly.
We're not talking credit card information here; what's at stake is technical data (including new product development), sales data (including marketing plans), and financial data (including future investment plans). And remember, it's not your data that they likely want but the data of your major customers.
It is best to address the issue before approaching new customers. You'll find that potential customers are more likely to seriously negotiate with you when they know you are aware of cyber security threats and have already done something about it.
Many companies say, "We already have ISO 9001. Isn't that enough to keep our customers happy?"
If this is what you think, I respectfully suggest you remove the blinkers and protect your business before it is destroyed.
It’s obvious that companies or organizations like banks or other financial institutions need information security to protect themselves from fraudulent transactions and customers' confidential details and bank card data. It’s not so obvious that in the manufacturing and service industry, information security also matters - really matters!
If you are a manufacturer or service provider and you're wondering whether your company needs ISO 27001 or not, there are six questions you might want to consider ...
Think for a moment about the information supplied by your customers and how valuable that information might be to a competitor of theirs. Some examples of confidential information from customers that you would want to protect include:
How difficult would it be for a determined person to lay their hands on that information?
And the point is: it’s not only your information but also that of your customers and suppliers that may be vulnerable to a cyberattack. While your information may not be of great interest or value, the same may not be true of your customers/suppliers.
Many organizations have access to customers' systems in order, for example, to effectively manage sales order processing and to facilitate timely deliveries.
Ask yourself, is that data protected?
Similarly, your own system may be connected periodically or continuously with your suppliers, and a steady stream of emails counts as a connection here too.
What information security controls are in place to protect all the data concerned? Once a hacker has broken into your server, it may be easy to proceed to download or monitor the servers of your customers/suppliers.
If you sell directly to the public, your organization will likely have much personal information, including banking data and credit/debit card details.
This kind of information is not only subject to abuse to steal from bank accounts but also used to set up false identities, get false passports, set up bogus bank accounts, and other abuses for purposes of money laundering, tax evasion, and even facilitating terrorism.
How do you prevent the leaking of these data? Do your information security arrangements comply with GDPR requirements?
Of necessity, you and your colleagues likely have access to your organization's confidential data. That access will be through various devices - conventional workstations, laptop PCs, tablets and hand-held devices, smartphones, etc.
These days, staff members using their own PCs from home is common. Much of the data will be on the devices themselves.
Are there policies and procedures in place to reduce the risk of a security breach? And what about flash drives? Are they banned? Have USB drives on all your computer equipment been disabled?
And then there are delivery vehicles.
What handheld or in-cabin devices are in use, and what security is in place for them? If someone stole a device from a vehicle, how difficult would it be to access the information on the device or, via the device, to access your servers?
What about the laptops and other devices brought on-site by visitors?
Handheld devices used, for example, for stock control in warehouses, depend on Wi-Fi. Is your IT security for Wi-Fi robust enough to prevent a hacker sitting in their car outside your premises from breaking into your system?
Could a stranger look into your premises using, say, a telephoto lens and see something they shouldn't?
Could they walk onto the premises through an open gate, over a low fence, or through a damaged fence? When was the last time you checked the security of the perimeter of your premises?
Do you have access control within your buildings to restrict access to places where highly confidential activity occurs?
But of course, this is all theoretical, isn’t it?
No way!
The Symantec Internet Security Report (Feb 2019) stated that 1 in 10 URLs is malicious, supply chain attacks are up 78% year-on-year, and 48% of malicious emails are Office files. Spear-phishing attacks (via e-mail attachments) were mainly targeted at the Manufacturing industry (20.6%) and Service industry (11.7%), ahead of Finance, Insurance, and Real Estate organizations (11.6% combined).
Some cyber attack examples for 2020 include:
Apr 2020: Over 500,000 Zoom accounts were offered on hacker forums hosted on the dark web. Some are going for less than a US cent apiece, while others are given away for free.
Note: For information on the latest and largest data breaches worldwide, visit informationisbeautiful.net.
Some companies think that because they are relatively small, no one would be interested in launching a cyber attack against them. If you are one of them, you are treading dangerous waters.
If you have been keeping up, there are continuing stories in the media of a multi-story office block in Beijing, operated by the Chinese Military, whose sole function is electronic industrial espionage.
Reputedly, they target small and medium-sized enterprise (SME) suppliers of multinational companies (their actual target) as they expect SMEs to have less secure information security systems in place.
Theft of technical information rarely gets publicity because of management embarrassment and the lack of a legal obligation to publicize the loss (unlike with personal information).
Don't wait for the attack to occur.
You probably wouldn't recognize it when it happens, anyway. Chances are, you would only become aware of it after it had seriously impacted your business, your customer's business, or your supplier's business. By then the damage will already have been done and, most likely, will not be reversible.
You need to evaluate the threats your business faces. Then, sufficient controls and precautions should be put in place to reduce the risk overall to an acceptable level.
The usual problem with projects tackling amorphous subjects like 'risk' is knowing where to start. This is where ISO 27001:2013 comes in. ISO 27001 sorts this out for you by providing a logical framework for tackling information-related risk.
With an Information Security Management System in place, you’ll be able to sleep easily at night. And so will your customers and suppliers.
You’d never know, but with ISO 27001 Certification in place, they might put more business your way, confident that you’ll protect confidences.
You will need the help of a good ISMS consultant. Make sure of their expertise and check out their previous work.
ISO 27001 is not a simple variation of ISO 9001. It has very different requirements, with many mandatory controls required and many subsidiary standards that may apply. An expert will be well worth the investment.
And remember, just because you're paranoid doesn’t mean they’re not out to get you.
It's not just in-house that you need to take steps to prevent information loss or compromise. It's your entire Supply Chain.
Many of you reading this will be routinely involved in Supplier Audits (and usually against the requirements of ISO 9001).
But is the vulnerability created by sharing information and other assets evaluated? Do you consider the damage that misuse of your data could trigger?
‘Property belonging to external providers’ is a heading that will be included in all of your supplier evaluations, not least because your organization owns that property as the external provider. But does consideration go beyond protecting that property and preserving its identity and traceability?
Does the question of protecting the data and information associated with that property get discussed?
The commercial value of data and the value of intellectual property will vary considerably from case to case. However, there will be situations where the loss of data/information or actions preventing its use may have severe consequences for your business. Your preparation for a Supplier Evaluation should include a risk assessment regarding information security.
Here are some points for you to ponder:
Could prototype products be photographed or interfered with? How secure are the buildings? Is access to them controlled? How secure is the perimeter of the premises?
Are new staff members trained on what to do/not to do as part of induction training? Is there a tidy desk policy that’s implemented? Is there a B-Y-O-D (bring your own device) policy that’s implemented? Do audits take place regularly to confirm the maintenance of these arrangements? When talking to staff, is their awareness of the importance of information security apparent?
I'll stop now, hoping I've got you thinking about all the valuable data and products you share with your suppliers and about the questions you should ask when you visit them.
For a comprehensive list of potential information security vulnerabilities to aid you in constructing a list relevant to your organization, see ISO 27001:2022, Annex A: Reference control objectives and controls.
To get an insight into cybersecurity, there are two sites we’d recommend …
Certification to ISO 27001 -- the Information Security Management System standard -- or other security standards is not required. However, it is strongly recommended that you take information security seriously.
If your business uses formal Working Papers for Supplier Evaluations/Re-evaluations, you should ensure that information security is adequately addressed therein.
You should not allow the carelessness or failure of your suppliers to protect your interests or hinder or prevent your organization from satisfactorily safeguarding your information assets.
This is where you should start on your ISMS project. Take our ISO 27001 Lead Implementer Course to get the skills and knowledge necessary to, for example, understand whether you will need outside consultancy help (and if so, how much), pitch the project to senior management, get buy-in, and so on. So, check out the link below, and let's get started! By the way, we also provide 24/7 Tutor Support.
Click on the course you are interested in to learn more about it or see our ISO 27001 overview page to see the full suite.
We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised). It is a ‘university grade’ standard for schools, colleges, and universities to demonstrate competence.
We provide courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection and more.