Cyber-attacks are costly, disruptive and a growing threat to business, governments, and society alike. Happily, an arsenal of standards helps us stay ahead of the game.
Cybercrime is on the rise. And as we move deeper into the digital age, the era of the so-called Fourth Industrial Revolution, it is also growing ever more sophisticated and severe, with serious consequences. As cybercriminals become more adroit, cybercrime has touched all our lives in one way or another.
Cyber-attacks range from hacking into systems and social media accounts, phishing, malicious software including ransomware, identity theft and social engineering, to denial-of-service attacks. They are painful both personally and financially, causing untold damage and destruction and leaving society and citizens vulnerable. According to McAfee, the computer security software company, the cost of these cyber-attacks is on the increase, amounting to around USD 1 trillion in 2020.
A Growing Global Risk
With the COVID-19 pandemic having further embedded our growing dependence on digital systems, it is not surprising that the Global Risks Report 2022 has yet again included the threat to cybersecurity as one of the growing risks facing the world. Cybersecurity failures, it says, have worsened significantly and threaten long-term prosperity.
But how do we stay one step ahead? Building a good cyber-defence system as well as anticipating threats are key elements in the fight against cybercrime, but neither resilience nor governance is possible without credible and sophisticated cyber-risk management plans. “Cybercrime is both a national and international occurrence that is spreading with great speed, affecting businesses, governments, and society as a whole. The scale and complexity of this criminal activity has far-reaching and detrimental consequences and the situation is blurred as cybercriminals operate, using technical infrastructure, across national boundaries,” says cybersecurity expert Dr. Edward Humphreys.
As a result, he adds, international collaboration is essential and International Standards are indispensable for global protection. Dr. Humphreys speaks from his many years of business experience. He is also a senior research fellow specializing in cyber-risk, security, and cyber-psychology research and ISMS innovation studies, and the ISO/IEC Convenor of the working group responsible for the management, development, and maintenance of ISO/IEC 27000, a family of standards on information security management systems (ISMS).
Solutions and Controls
International Standards provide solutions, he says, enabling organizations to establish frameworks and systems to assess and manage the situation – to protect information, to secure applications and services, and to safeguard national infrastructure.
The first step in tackling cybercrime is knowing the risks you face and then deciding which controls need to be implemented to mitigate those risks. Humphreys points to standards such as the ISO/IEC 27000 family, developed by ISO and the International Electrotechnical Commission (IEC), as the de facto choice for any organization wishing to build robust solutions against cybercrime. This suite of International Standards specifies a management system built around the risk management process of assessing the risks and then determining the controls needed to treat them.
“There is a range of standards supporting ISO/IEC 27001, such as ISO/IEC 27005 on information security risk management and the ISO/IEC 27003 implementation guidelines,” he says. “And there are many other standards that provide technical support for ISO/IEC 27001, for example, to secure networks and embed security features into technology, services, and applications.”
Dr. Humphreys reiterates the need for companies to be prepared and ready to face these attacks. “Cyber-attacks can take place anytime and anywhere, and what is certain is that these attacks are sure to happen, but we can never be sure when or where,” he says. “Being ready and prepared is an essential business activity for survival. It involves a business having in place a process to be able to anticipate and identify, detect and report incidents, and to analyse these incidents to decide how to respond to them.” All of this needs to be done quickly and in a timely manner to limit the impact an incident could cause.
So how can businesses be better prepared? Once a business detects the presence of a malicious code attack or a denial-of-service attack, the faster it responds with appropriate security measures, the greater the chance of limiting the spread of these attacks as well as limiting the impact and damage. And, as Dr. Humphreys says, there are standards that help businesses to become ready and better prepared to respond, such as the incident management standard ISO/IEC 27035, the standard for business continuity management ISO 22301, and the ICT readiness standard ISO/IEC 27031.
In an already uncertain world, cybercrime can be financially devastating and disruptive to business operations and national infrastructure, as well as affecting citizens and society. For example, an attack on one part of a supply chain may spread, disrupting and damaging other parts of the chain. In order to foster more secure and resilient cybersecurity systems, Dr. Humphreys says the management of a supply chain is a good example of where collective action is needed across all parts of the chain to keep it secure.
“Again,” he says, “there are standards that help with supply chain security, such as ISO 28000 and ISO/IEC 27036. Collective action is also needed in various scenarios that involve business relationships and communications with other organizations. There is a group of management standards that will help with building resilience to counter business disruption and ensure survivability and a system of governance. These include ISO 22301 (business continuity management systems), ISO/IEC 27001 (information security management systems) and ISO/IEC 27014 (information security governance).”
With the growth and dependency on connectivity for business, the infrastructure that supports it, and the use of the Internet and mobile devices, there is an even greater need for system security and resilience. Dr. Humphreys acknowledges that standards need to evolve to match the rapid advances in technology. “The third edition of ISO/IEC 27002, for instance, was published in the first quarter of 2022. This high-profile standard deals with information security controls and has been updated to match the advancement in technology, business developments and practices, and new laws and regulations.”
In 2021, he adds, there were many other developments in standardization, including Internet of Things (IoT) security and privacy, big data security and privacy, artificial intelligence security and privacy, and biometric information protection. All these are complemented by recent technical specifications such as ISO/IEC TS 27570, which provides guidance on smart city ecosystem privacy protection, and ISO/IEC TS 27100, which specifies how to create or refine robust cyber systems to protect against cyber-attacks. The complete ISO/IEC 27000 family of standards and these technology-focused specifications are the foundation for building and managing a secure future.
Disclaimer: PECB has obtained permission to publish the articles written by ISO.