29-11-2018 09:00

Is it time your business adopted an Information Security Management System?

For companies throughout the Nordics, cybercrime is a growing concern. Attacks can have a long-lasting impact on companies—from major financial losses to reputational damage. To battle the myriad risks, is it time your company established an Information Security Management System (ISMS)?

Cybersecurity risks for Norwegian businesses are on the rise. Phishing, the use of malware, distributed denial of service (DDoS) attacks and hacking have all gone up significantly since 2016. Yet despite the rising threat landscape, the Norwegian Computer and Data Breach Survey 2018 found that only six out of ten Norwegian businesses have adopted a security framework or management system—the same proportion as in 2016. So why aren’t businesses doing more to defend themselves?

We spoke to cybersecurity expert Hasse Kristiansen, Head of Cybersecurity at KPMG, to find out the benefits of adopting an ISMS to formalise your security rules and processes—and what’s holding many businesses back.


Why implement an ISMS?

Businesses throughout the Nordics are embracing digitalisation. But that means their sensitive data is spread across many assets—employee laptops, tablets, smartphones—and it may be stored in multiple databases, clouds or servers. Business data often travels across several different networks and security layers. And it’s being accessed by hundreds of different employees at any given time.

Payments are becoming increasingly digitalised, and that’s opening new vulnerabilities. The Nordic region is rapidly moving towards a model of real-time payments across international borders. And with the introduction of open banking regulations, many businesses are choosing to share their bank account data with third parties to help them manage their payments or finances.

“Big companies are faced with an increasingly complex infrastructure. But even smaller companies may be engaging with hundreds of apps on a regular basis,” says Kristiansen.

Partnerships are also impacting the threat landscape. “Supply chains are growing, and Nordic companies are working with a long list of suppliers, third parties and vendors,” says Kristiansen. “As your partner ecosystems keep expanding, you need to become really good at monitoring and detecting threats on a 24/7 basis.”

Having a robust, unified security framework or ISMS—like that provided by following the ISO 27001 standard—can help organisations stay on top of the situation.

A good ISMS covers the people, processes and technology needed for cybersecurity. And it should take into account the specific risks facing organisations. Because it encourages systematic monitoring of risks, it means businesses can detect security incidents faster, and quickly implement cost-effective measures to minimise the damage.

That’s especially important as the threats you face on a daily basis are constantly evolving. “I’ve worked in cybersecurity for over 20 years, and I’ve seen the threat landscape become much more sophisticated. We’ve seen the rise of DDoS attacks—initially it was just a few hobbyists building botnets, but it’s evolved into huge attacks and lots of critical damage,” says Kristiansen. “Email is also becoming a very effective attack vector.”

Bad luck—or bad processes?

The Norwegian Computer and Data Breach Survey 2018 illustrates the benefits that organisations can gain from adopting an ISMS. Over two thirds (67%) of Norwegian businesses that have experienced a security incident believe the cause was chance or bad luck. But organisations with a framework or management system in place are less likely to blame an incident on this.

This could be because companies with an ISMS or framework have greater insights and better overall visibility of their security. When an incident happens, they’re better placed to pinpoint where things went wrong, and identify what vulnerability has been exploited.

The same study found that businesses with a management system were more likely to discover security breaches through routine monitoring and internal checks. And following a security incident, those with a management system experienced financial losses to a smaller degree.

What’s holding companies back?

Adopting an ISMS seems like common sense, so what’s holding four out of ten Norwegian companies back? Kristiansen says that implementation is far from straightforward. “Establishing an ISMS is a big undertaking. You need to involve lots of people from different departments, get new software and processes in place and produce a lot of documentation.”

“Usually it needs to be scoped down, as trying to implement the ISO 27001 standard across the whole organisation at once is likely to fail. It’s complex and requires so much change management, especially when you’re going after well-established processes.”

Managing this change requires cooperation from all departments, and it’s more likely to succeed if you have an experienced Chief Information Security Officer (CISO). But Kristiansen believes many companies are struggling to employ one. “There’s a big skills shortage when it comes to CISOs and cybersecurity employees in general. In fact, it’s one of the biggest challenges facing organisations today.”

“Companies should actively nurture the talent they need. Consider taking young recruits who are skilled in other IT or technology areas, and bringing them into the cybersecurity field,” he adds.

Despite these challenges, Kristiansen expects to see a big rise in ISMS adoption over the next few years. That’s because ecosystems are becoming more complex—big companies tend to work with numerous suppliers, partners and vendors across different countries. And for these relationships to work they need to build a system of mutual trust.

“An ISMS doesn’t just help you detect challenges earlier. It’s also a system of accreditation. It signals to potential partners that they can trust you and invite you into their ecosystem without introducing significant security threats,” says Kristiansen. “If your company is looking to grow, it’s really something that should be on your agenda—especially as the threat landscape is becoming more complex every day.”

“Even if you have an effective ISMS in place, it won’t guarantee that you are entirely secure,” he adds. “But it will give you better visibility, helping you identify and fix problems faster—and to a certain extent, it shows you are taking security seriously.”