With new data breaches every month, international security standards have never been more important

26 Apr 2023, by Slade Baylis

When you go to see a medical professional to treat or diagnose an ailment or medical condition, it’s usually a good idea to make sure they’re accredited to some degree.  Whilst it’s entirely possible that they have all the skills and knowledge to perform the task, most people would likely choose not to take the risk!  In these cases - rather than taking their word for it - having an external institution assess and attest to the knowledge and skills of an employee or organisation is usually the best way to limit your exposure to risk.

On the security front, with all of the news recently of organisations having their systems broken into left, right and centre - with Optus, Medibank, Harcourts, and most recently Latitude Financial having millions upon millions of customer records stolen – the security of your business and personal data should be top of mind when choosing providers to put your trust in. 

From these incidents, one of the biggest lessons should be that it’s vitally important to make sure your IT providers are assessed on their security policies and procedures – the gold-standard of which is to be accredited by internationally recognised standards from the "ISO". 

Ensuring your cloud-provider is doing the right thing – How security standards protect you and them

With big data breaches like those mentioned above, not only do they cause a massive amount of reputational damage, but the financial impact due to lost revenue or even potential fines and prosecution can also be enormous. For smaller organisations, incidents such as these can be the death knell of what was previously a perfectly viable and successful business – that’s why it’s critically important to make sure you’re secure, both locally on your own devices, and also upstream with your providers.

In a recent article called "Concerned about all the recent data breaches? Use these tips to protect yourself!" we covered the different ways you can secure your local devices and your own IT infrastructure through endpoint protection software, two-factor authentication and more.  However, one element that is often overlooked is the security policies and procedures that your provider has in place.  It’s all well and good if you go to the ends of the earth to protect your own data, but if your provider takes shortcuts that undermine their own security, that information could be just as vulnerable regardless. 

With IBM [1] reporting that the average cost of a data breach in the US in 2022 was 9.4 million USD - this is something not to be gambled with!  Outside of the US, the figures are slightly better, with the average cost of a data breach landing closer to $4.5 million USD - however that’s still enough to put most organisations on shaky ground!

So what can you do to protect yourself from this?  The best way is making sure your provider adheres to internationally recognised standards, as this will provide you with the confidence that your provider has sound governance models in place for managing security throughout their organisation at all levels. 

What are ISO standards? Using internationally agreed-upon standards to ensure quality and results

When it comes to making sure the providers you put your trust in are accredited, you first need to know what the ideal accreditation would look like.  Being accredited only means as much as the expertise and reputation of the ones doing the accrediting.  So, which standards and/or accreditations are valid and worthwhile?  On this front, one of the most widely known organisations for creating international standards for a range of activities is the ISO, otherwise known as International Organization for Standardization. 

Originally beginning back in 1926 as the International Federation of the National Standardizing Associations (ISA), the organisation was originally heavily focused on standards within mechanical engineering.  It wasn’t until October 1946, when 65 delegates from 25 different countries met to discuss the future of international standardisation, that the new global standards body - the ISO - would be formed.  The organisation is constituted of volunteers from around the world and is an independent, non-governmental, international organisation with a membership of 168 national standards bodies.

The stated aim of the ISO is to, through its members, develop consensus-based international standards that individuals and organisations can use to make sure they’re doing things in the best manner possible.  In essence, the idea is that the distilled wisdom of experts in these various fields is able to define the best way of doing something - whether that’s making a product, managing a process, delivering a service, or in our case - making sure the data of our customers is secure!

It's due to this long history, the accrued expertise, as well as the reputation that has been built up over time, that many choose to use the ISO standards as the gold-standard when looking for organisations that are able to achieve what they say they can.

The ISO 27000 Family – Standards for IT security, cyber-security and privacy protection

Like other ISO standards, being certified to the ISO 27000 family of standards – which are related to information security management - allows organisations to ensure that they can benefit from the best practices it details, whilst also allowing them to reassure their customers.  In this 27000 family of standards, the first one is ISO 27001 and it’s the world’s best-known standard for Information Security Management Systems (ISMS).

Through following the ISO 27001 standard, organisations are able to benefit in the following ways:

  • Increase overall resilience to cyber-attacks
  • Secure information in all forms, including paper-based, cloud-based and digital data
  • Ensure organisation-wide protection against technology-based threats
  • Provide a centrally-managed framework that secures all information in one place
  • Respond to an ever-evolving threat landscape
  • Protect the integrity, confidentiality and availability of data

The two most common in this family are the ISO 27001 and 27002 standards – the 27002 covers information security controls, which are related to the controls organisations can choose to implement to build a compliant ISMS. There are also others in this same ISO 27000 family of standards which help in these endeavours - such as ISO 27017 and 27018 – but in short, all of these standards are created to allow organisations to house/store sensitive data in the most secure ways possible.  

As these are the gold-standard when it comes to cyber-security best-practice, we recommend that our clients only use providers that meet this baseline security threshold.  However, these standards should only be one part of your evaluation criteria when looking at which provider to use.

ISO standards aren’t just limited to IT security however - they cover a wide range of industries and fields and the processes within them.  As such, there are many other standards that can be equally valuable for evaluating important aspects of your provider.  For example, there is ISO 31000 which is related to risk management policies; ISO 14001 which is related to setting up effective environmental management systems; and ISO 9001 which helps organisations improve the quality of their products over time to consistently meet their customers’ expectations. 

Overall, the specific ISO standards that are important to you may vary depending on your industry and requirements, though some are useful regardless of business size, activity or sector.  With more and more businesses moving their systems into the cloud - either through moving their physical servers into data centres or utilising fully virtualised solutions – the 27000 family of standards specifically are becoming more and more relevant to more businesses every day.

Following ISO standards is about culture and processes, rather than a marketing gimmick

The intent behind creating the ISO standards is always to help organisations operate in more efficient and secure ways to help deliver better outcomes to their clients and/or stakeholders. This is why adherence to these standards is about integrating them into your processes, rather than treating them as a box to check off or as a marketing gimmick.  It’s through following, living and breathing these standards day-to-day, and by having them integrated into governance and business strategies, that organisations and their clients can truly benefit from the distilled wisdom they contain.

With regards to ISO certification, once an organisation has been certified, they are also required to undergo re-certification audits every three years.  In addition, they must also undergo annual surveillance audits to ensure they remain compliant in order to retain that certification.  In short, what this means is that if your provider is accredited to these standards, you can rest assured that they are following best-practices in that area!

Have any questions about the ISO standards or other ways of increasing your cyber-security posture?

If you want to know more about different ways to improve the security of your IT infrastructure, reach out to us! The path can be different depending on your current size and the systems that you use, but we can help each organisation find a path forward to becoming more secure and improving their overall security posture.

For those interested, you can email us at sales@micron21.com or call us on 1300 769 972 (Option #1).

Sources

1. IBM, “Cost of a data breach 2022: A million-dollar race to detect and respond”, <https://www.ibm.com/reports/data-breach>
