
Cybersecurity is a Business Priority

The risk of a cybersecurity breach is high in this day and age. As a business you have a responsibility to protect customer data and to keep company information safe. An ISO 27001 Information Security Management System (ISMS) is no longer just a nice thing to have; it is essential if you take cybersecurity seriously.

Doing business online means you have to protect all the customer information you hold, including any payment card details you collect. A security breach can be disastrous for your organisation: it can cost a lot of money to recover from, quite apart from the damage to your reputation. ISO 27001 certification shows the world you take cybersecurity seriously. The certification process provides a framework for identifying, managing and controlling the risks to your data and to all of your organisation's assets.

Implementing an ISMS simply makes good business sense. Its other core activities include allocating information security responsibilities to named staff, and continually assessing how well the ISMS is performing through management reviews and internal audits.

Data Hackers Target Businesses

Business data is a target for hackers whenever it is of value to a third party. Some types of data are more valuable than others, and each type poses a different level of risk to your business. Business data at risk includes the following:

  • IT security data such as user names and passwords, the network structure and encryption keys.
  • Financial information such as bank accounts, credit card numbers and expiry dates.
  • Intellectual property which can include marketing material, logos, proprietary software, manuals and other material developed by your business.
  • Personally identifiable information such as contact information and birth dates.

Stolen information has different uses and values: personal and financial data is used for identity theft and fraud, intellectual property is valuable when sold to a competitor, and IT security data gives a third party access to your computer systems.

Consequences of Data Breaches

Cybersecurity and ISO 27001 certification should be a top priority if you want to keep your data safe. It is vital to protect your organisation from the severe consequences a data breach has, not only for your company but for your customers and suppliers.

Cybercrime is big business, expected to cost companies $10.5 trillion a year by 2025. Year by year the risk of cyber attack rises. An Accenture study reported that 43% of cyberattacks target small businesses and that as few as 14% of those businesses are prepared for an attack. It is not just big corporate companies that are at risk.

Here are some examples of data breaches:

  • In 2019, a NAB worker faced the sack after uploading the data of 13,000 customers to a third party, which cost NAB $687,878 in compensation.
  • Victorian hospitals and medical centres faced a cyberattack which caused the postponement of non-urgent surgical procedures.
  • Yahoo’s multiple data breaches between 2012 and 2016, which affected 500 million users, came to light as it was negotiating its sale to Verizon. The sale went ahead at a greatly reduced price and Yahoo paid out $117.5 million in compensation.

No matter the size of your organisation, cybersecurity must be a priority. Contact us for more information about an ISO 27001 certification. We can show you how to protect your information, earn consumer trust, and grow your business so it reaches its potential.


ISO 27001 versus ISO 27002

ISO 27001 is the international standard that gives you the framework for an information security management system (ISMS). You can become ISO 27001 certified, but there is no certification for ISO 27002. However, you cannot consider the two standards in isolation.


What is ISO 27001?

ISO 27001 specifies the requirements for an ISMS, so that your organisation's information is protected from prying eyes and from information security incidents. It contains what you need to implement an ISMS as part of your business. To become ISO 27001 certified, you must:

  • Have an ISMS project team to initiate the project.
  • Complete a gap analysis of your organisation’s information security.
  • Define the scope of your ISMS.
  • Complete a risk assessment.
  • Develop information security policies.
  • Choose and apply security controls throughout the organisation.
  • Develop the risk treatment documentation, including the risk treatment plan and the Statement of Applicability.
  • Hold training to raise information security awareness among your staff.
  • Assess, review and conduct an internal audit to ensure the controls are effective.
  • Complete the certification audit.


What is ISO 27002?

ISO 27002 is a supporting standard that contains more information about information security controls. Where Annex A of ISO 27001 gives only a one-line description of each control, ISO 27002 goes into greater depth for each one: it explains the control's objective, how it works and how to implement it.


Three main differences between ISO 27001 and ISO 27002

There are three main differences between the two ISO standards. These are:

  • Certification. You can become certified for ISO 27001 because it is a requirements standard that an auditor can assess you against. It is not possible to become certified for ISO 27002 because it is guidance only, covering just one element of an ISMS: the controls.
  • Level of detail. ISO 27001 only contains an outline of each element for implementing an ISMS, whereas ISO 27002 details the security controls in depth. Other standards within the ISO 27000 family provide detail for the other elements of ISO 27001. For example, ISO 27003 provides guidelines for implementation and ISO 27004 covers monitoring, measurement, analysis and evaluation of the ISMS. If all this information were in ISO 27001, the standard would be too long and difficult to work with.
  • Relevance. The key to implementing an ISMS is that not all information security controls are relevant to your organisation. ISO 27001 requires you to select controls based on your risk assessment and to justify, in the Statement of Applicability, each control you include or exclude; ISO 27002 is the reference you turn to for the controls you do select.


How to begin protecting your information

When starting to plan your ISMS, start with ISO 27001. Once you have identified the information security controls you need, refer to ISO 27002 for more insight into how to implement each one.

The whole ISO 27000 family works together: ISO 27001 sets up the framework and the other standards provide the detail for each ISMS element.


If information security is a priority for your organisation, contact us for more information about ISO 27001 certification. We can show you how to protect your information, earn consumer trust and grow your business so it reaches its full potential. 


Avoiding data breaches with ISO 27001

Cybersecurity is a big concern for all businesses. Data breaches cost big money and lose companies the trust of consumers. People want to do business with those who prioritise protecting their information. So how do you protect business data against cyber breaches?


Cyber criminals targeting small business

The 4iQ Identity Breach Report 2019 found that cyber criminals now focus on small businesses, with a 424% increase in data breaches at small businesses since 2017. Holding ISO 27001 certification tells the world you take information security seriously, and it can be a deterrent.

When you implement ISO 27001, you understand what information your organisation collects, stores and uses, how it does so, and what your responsibilities are. It also means your business has a culture of security in which all members of staff take responsibility for information security. ISO 27001 gives you opportunities for continual improvement: by measuring and analysing changes, you can identify risks and opportunities to improve information security across the business.


Cybersecurity best practices

Cyber criminals are turning their sights to small and medium businesses, probably because they consider them an easier target. So it is important to have comprehensive cybersecurity policies for staff to follow, and everyone needs to take those policies seriously for them to be effective. You can have the best software on the market and the best cybersecurity policies, but if no one uses or follows them they are likely to fail.


To protect the organisation from hackers, some cybersecurity best practices include:

  1. Use strong password protection. Use strong passwords that are at least 10 characters long with a mix of lowercase and capital letters, symbols and numbers, and never reuse a password across systems; a password manager makes this practical. Change a password promptly whenever you suspect it has been exposed. Also use multi-factor authentication for signing in to company systems wherever it is available.
  2. Do not open links, attachments or pop-ups from unknown sources. Phishers prey on employees by tempting them into opening links, attachments or pop-ups that carry malicious software. Once someone clicks, it can give the attacker access to the organisation's computer systems. Implement email filtering that blocks suspicious messages and sends them to a quarantine folder where their authenticity can be checked.
  3. Software updates. Install updates, especially security updates, as soon as they become available. Anti-virus and anti-malware software is updated frequently to respond to the latest threats, and the same applies to operating systems, browsers and business applications.
  4. Backing up data. This is simple but something too many small and medium businesses do not do. Back up your data. Have a policy that ensures all data is backed up daily or weekly, keep a copy offsite or offline where an attacker who has compromised your network cannot reach it, and test that you can actually restore from it. This makes it far simpler to restore your computer systems and information after a ransomware attack or other destructive incident.
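
The password rule in item 1 above, as an added example that is not part of the original article, implemented in Python together with the check a practitioner would add to it: a lookup against a list of known-breached passwords using the same SHA-1 prefix (k-anonymity) scheme the Have I Been Pwned range API uses, so that neither the password nor its full hash would ever leave the host. The breached list here is a small constructed stand-in, not real breach data, and the function names are this example's own.

```python
import hashlib
import re
import string


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breached-password corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (sample data built for
# this example, not real breach data). It is indexed the way the Have I Been
# Pwned range API serves it: the first five hex characters of the SHA-1 are
# the lookup key, the remaining 35 characters are the stored suffix.
CONSTRUCTED_BREACHED = ["Password123!", "Welcome2020!!", "Summer2019$$"]
BREACHED_RANGES = {}
for _pw in CONSTRUCTED_BREACHED:
    _digest = sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """k-anonymity range check. Against a real corpus only the 5-character
    prefix would be sent to the lookup service; the suffix comparison is
    done locally, so the password and its full hash stay on the host."""
    digest = sha1_hex(password)
    return digest[5:] in BREACHED_RANGES.get(digest[:5], set())


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Composition rules alone still accept things like "Aaaaaaaaa1!", so
    # reject runs of three or more identical characters.
    if re.search(r"(.)\1{2}", password):
        problems.append("repeated character run")
    # The check that catches the most real-world weak passwords: membership
    # in a breached-password corpus. "Password123!" satisfies every
    # composition rule above and is still a bad password.
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "Ab1!", "Tr0ub4dor&3-wombat-kayak"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The breached-list check is the one that does most of the work: NIST SP 800-63B recommends screening candidate passwords against known-compromised lists and favouring length over mandatory character-class rules, which is why the example keeps the article's composition rule but does not rely on it alone.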


ISO 27001 helps prevent data breaches

ISO 27001 gives you the information security framework to help prevent data breaches. But your cybersecurity strategies must remain agile in response to a changing environment.


Certification helps to:

  • Put clear training policies and practices in place for employees.
  • Identify gaps in security systems to implement solutions.
  • Give a competitive advantage in the industry.
  • Build trust in the organisation.
  • Demonstrate compliance with government legislation and regulations.
  • Win new clients and customers. 
  • Decrease the risk of a cyber-attack.


So if information security is a priority, contact us for more information about ISO 27001 certification. We can show you how to protect your information, earn consumer trust and grow your business so it reaches its potential. 


The laws and regulations around information security

On December 1, 2020, only a few weeks away, New Zealand's new privacy law comes into effect. On June 30, 2020 the Privacy Bill, which replaces the Privacy Act 1993 with the Privacy Act 2020, received Royal Assent.

The Privacy Act 2020 applies to anyone doing business in New Zealand regardless of where you are based. The changes are significant and include:

  • Making it mandatory to report data breaches.
  • Restrictions to cross border transfers of personal information.
  • Clarifying extraterritorial scope.

Mandatory reporting of data breaches

Under the new mandatory reporting regime, organisations must notify the Privacy Commissioner and the affected individuals of any privacy breach that has caused, or is likely to cause, serious harm. The Privacy Act sets out factors for assessing serious harm, such as:

  • What harm affected individuals could suffer.
  • The action taken to minimise the risk following a data breach.
  • How sensitive the personal information is.
  • If known, who accessed, or could access, the personal information after the data breach.
  • What measures were in place to protect personal information.

While you can delay notifying individuals of a data breach in some circumstances, protecting your reputation is not an acceptable reason for a delay.


Cross-border data transfer restrictions

The Privacy Act 2020 restricts cross-border disclosure of personal information. You may disclose personal information to an organisation outside New Zealand only if one of the permitted grounds applies: for example, the recipient is subject to privacy safeguards comparable to New Zealand's (under its own law or under a binding contract with you), or the individual expressly authorises the disclosure after being told that the overseas recipient may not be required to protect the information in a comparable way. Before transferring any data, check which ground you are relying on and record it.

One important exception is sending data to a cloud provider. Using an overseas provider only to store or process information on your behalf does not usually count as disclosing personal information overseas; you remain responsible for it as if you held it yourself. This is particularly important because most cloud providers host data outside New Zealand.


Clarifying extraterritorial scope

The Privacy Act applies to anything an overseas organisation does in the course of carrying on business in New Zealand. It does not matter where you collected the information or where the individual resides.

The Privacy Act treats you as carrying on business in New Zealand regardless of:

  • Whether you have a physical presence in the country.
  • Whether you charge for your goods and services.
  • Whether you make a profit from doing business in the country.

Enforcement penalties

The new Act gives the Privacy Commissioner enhanced powers, including:

  • Shortening the time you have to comply with an investigation.
  • Fines for non-compliance increasing from $2,000 to $10,000.

The new Act also introduces the potential for criminal penalties and class actions in some circumstances.


Are you ready?

December 1 is only a few short weeks away. Are you ready for the Privacy Act 2020 to come into force? You may need to update your information security systems and processes in order to comply.

Contact us now to find out more about the changes and to check whether your organisation will be ready to comply. You need to prepare for the new privacy laws now before it is too late.


How ISO 27001 Works

ISO 27001 is a risk management standard for protecting your organisation's information. It specifies the requirements for an Information Security Management System (ISMS): a system that monitors, reviews, maintains and improves how you handle your information and the data you collect.

Using ISO 27001 allows you to:

  • Identify potential security risks to business information for insight into vulnerable areas.
  • Establish a management system to control how and where you store information and how to use it.
  • Provide a framework for implementing and managing information controls.
  • Manage compliance with regulations and laws.
  • Outline information security processes, policies and standards for the organisation.
  • Maintain a process for managing your information security policy into the future.
  • Inform employees and third-party contractors of the risks and of the process for incident reporting.
  • Set objectives for managing information security.
  • Keep IT systems updated with the latest protection.
  • Put in place system access controls.
  • Monitor system and user activities.


How it works

ISO 27001 works from the top down. It is technology neutral and uses a risk-based approach. Implementing an ISMS means your organisation establishes security controls in a structured manner. Without an ISMS, companies often implement controls for specific situations or by convention. But these normally only address aspects of IT or data security and soon become disorganised, leaving other assets such as company paperwork and proprietary knowledge without protection.

Putting an ISMS in place minimises the risk of security breaches that can negatively impact your business. A breach damages your company's reputation and can cost you a lot of money once information falls into the wrong hands.

A business that achieves ISO 27001 certification demonstrates it:

  • Protects information from unauthorised access.
  • Ensures accuracy of the information.
  • Ensures information can only be changed by authorised users.
  • Has assessed the risks and put controls in place to mitigate the impact of any breaches.
  • Was independently assessed and meets international standards.

An ISMS does not guarantee that breaches will never occur but it:

  • Increases the reliability and security of your information and systems.
  • Improves customers' confidence in your business, as it aligns with their expectations and requirements.
  • Increases the resilience of your business.
  • Improves your management processes and integration with corporate strategies.


Risk management is central

Risk management is central to ISO 27001. The standard does not tell you how to protect your information; it provides a framework. You complete a risk assessment and then decide what controls the business needs to protect its information.

A robust ISMS reduces your risks, disruptive activity and costs. It also boosts your reputation and trust in your business.

To discover more about how ISO 27001 works, contact us today. We can show you how establishing an ISMS protects your information.


How to know if your business needs an ISO 27001 Certification

Information and data is the essence of most organisations. It is a source of intelligence that can provide a competitive advantage and drive the success of future plans.

Your data is usually stored electronically, so you need to protect it from accidental or deliberate loss. Protecting data and information is a business problem, not just an IT problem. ISO 27001, the Information Security Management System (ISMS) standard, gives you a framework to protect and manage critical information and data effectively.

Cyberattacks and data theft are more common than ever, and staff make mistakes. If your business does not have policies and procedures in place, it becomes easy for hackers to steal data. ISO 27001 certification demonstrates your commitment to minimising security threats, improves your credibility and value proposition, and gives customers confidence in your business.


You want to avoid potential costs of a security breach

Security breaches have the potential to cost your organisation not only a lot of money but also its reputation. Implementing ISO 27001 demonstrates a proactive approach to protecting information, so if there is a security breach you may be able to avoid heavy fines and penalties.

An ISMS gives you the ability to make informed decisions based on risk management and continuous improvement.


You want to maintain data privacy and integrity

All organisations are responsible for maintaining the privacy and integrity of the data they collect. An ISMS helps secure that data and reduce breaches. Implementing ISO 27001:

  • Gives organisations control over how data is stored and who can access it, with organisational processes and procedures for using and destroying it safely.
  • Protects data, which reduces the likelihood of clients losing trust and suing you over a data breach.
  • Means you have the processes and procedures in place to quickly detect a breach so you can take appropriate action.
  • Allows a systematic approach to identifying, managing and reducing threats to your data.
  • Ensures the integrity of data through access controls and through procedures for backing up and organising data.


Information security should be a priority

Information security should be a priority for all organisations. As technology gets smarter, so do hackers, and they will stop at nothing to breach and compromise sensitive data for their own ends.

You may think you have good control of your information. But how effective those controls are depends on how you monitor and manage your security management processes. A short-sighted approach is to have security controls for specific IT areas only, which leaves assets that are not IT-related exposed. Implementing ISO 27001 overcomes these issues. Certification shows customers that your organisation uses best-practice methods to secure the information and data it collects.

Achieving and maintaining ISO 27001 certification has many more advantages. To find out if your business needs certification, contact our ISO specialists. We pride ourselves on helping New Zealand businesses grow to their potential.