According to Gartner, the volume of cyberattacks increased by over 100% in Europe, East Asia, and Latin America in October and November 2020. Canada and Germany each saw a 250% increase. These numbers are strikingly high, and cyber attacks are inevitably becoming more sophisticated and commonplace.
The Cyber Security Breaches Survey, an influential research study on UK cyber resilience, tells us that of the 39% of UK businesses that identified an attack, the most common threat vector was phishing attempts (83%). Of that 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.
Keep in mind that these attacks can be very costly for businesses of all sizes.
These studies raise the question: as an SMB, what can you do to prevent cybersecurity attacks and safeguard your data and critical assets?
Hint: Give your data privacy and information security practices a check-up. Get your ISO 27001 certification.
It is important to recognise that an Information Security Management System (ISMS) that is certified to ISO/IEC 27001 will go beyond just demonstrating to customers and prospects that your organisation has the relevant controls in place to protect sensitive information.
It is actually a great way to achieve an operational, standardised, organisation-wide approach to information security, complete with external validation from an accredited certification body. What’s not to like?
Several of the ISMS controls that are required to successfully certify to ISO 27001 are centred around asset discovery and inventory (things like end-user devices, software, and all types of IT hardware).
So, for a start, an ISMS will aid you in understanding your attack surface. Think of an attack surface as an end-to-end view of where an attacker could try to enter and exploit vulnerabilities in your organisation's IT environment, such as software or misconfigured cloud infrastructure. Exploitation of these weaknesses can cause harm or severely impact the confidentiality, integrity and availability of data.
The new ISO/IEC 27001:2022 edition of the standard will be available for purchase in a matter of weeks.
With more focus on cloud-first organisations with remote workforces, the 2022 edition of ISO/IEC 27001 brings the standard into the modern way of working, with some entirely new security controls, including information security for use of cloud services and threat intelligence. It is great to see the introduction of these additional controls, given that more than 80% of organisations have experienced a cloud-related security incident over the past 12-month period.
The release of the 2022 edition will trigger a three-year transition period to give those organisations already certified time to integrate these new themes and control areas.
Gamified and engaging cyber security awareness training programmes will yield better results than the typical ‘mandatory’ employee training you ask new hires to complete as part of their onboarding.
Awareness training should speak to the user who is not familiar with lesser-known complexities of information security, and if you can categorise the training by job function, even better.
This way of thinking encapsulates the 2022 Cybersecurity Awareness Month theme: See Yourself in Cyber.
Related to cyber security awareness programs, you should start getting creative with full-scale phishing simulation exercises.
Did you know that last quarter saw a record-shattering number of observed phishing attacks (more than 1 million in a single quarter), fuelled in large part by attempts to target users on their mobile devices?
Phishing attacks are becoming more difficult to spot, with attackers adopting more sophisticated ways to exploit untrained users within your organisation.
A great way to mitigate the risk of falling victim to a phishing attempt is to keep your users on their toes by conducting ongoing, full-scale phishing simulation exercises.
It goes something like this…
Imagine a scaled and controlled delivery of a phishing email (disguised as a legitimate business-related email) dropping into all your users’ mailboxes.
Those users who engage with the email, by clicking a link for example (serial clickers!), will be notified by your phishing simulation solution that they have clicked on a suspicious-looking link (remember, this is happening in a controlled way).
The user is then required to complete additional cyber awareness training, with a focus on how to spot and how to report phishing attempts.
Clicking usually happens when your users are on the go or distracted: scrolling through their inboxes on their mobile devices while queuing for coffee, or while sitting on a train on their way home from the office.
You have probably heard this a hundred times and may have added more characters or numbers to your passwords. But that might not be good enough. Even worse, so far in 2022, ‘123456’ has taken the top spot on the list of most commonly used passwords.
Password managers are the way forward. A password manager is an encrypted database that stores complex passwords, so it helps you safeguard all of your passwords without having to memorise them.
You can generate very complex passwords -which are incredibly hard to memorize. Once you and your teams start using strong passwords, you have a much better chance to protect your organisation from data breaches.
Strong passwords alone are not enough and should always be paired with multi-factor authentication (MFA).
To secure your online accounts and the sensitive data they contain, make sure you have a multi-factor authentication solution in place. With MFA, your accounts are protected by more than just a username and password, which reduces the chance of being compromised.
ISO 27001 certification brings great benefits. It shows that your company has applied best-practice information security methods, and it helps you gain a competitive edge in the market while lowering the chance of a costly breach. It’s a win-win!