Featured Product
This Week in Quality Digest Live
Operations Features
Constance Noonan Hadley
The time has come to check whether the benefits of teamwork still outweigh the costs
Jeremy L. Boerger
To keep your business running, you need visibility into your IT assets
Naresh Pandit
Enter the custom recovery plan
Anton Ovchinnikov
In competitive environments, operational innovation could well be the answer to inventory risk
Kari Miller
An effective strategy requires recruiting qualified personnel familiar with the process and technology

More Features

Operations News
Major ERP projects take six months longer than companies were told
The Ring Dex 2 filling and capping system is designed to simplify production.
Recent research finds organizations unprepared to manage more complex workforce
Designed for high-volume production environments
Combined company gives manufacturers greater control over output, quality, and sustainability
Enables system-level modeling with 2D and 3D visualization, reducing engineering effort, risk, and cost
For high-volume, parts-cleaning applications
Product placement lends depth to sustainability
Innovative in-line, continuous color-management systems

More News

Ann Brady

Ann Brady’s default image

Operations

Countering Attacks on Cybersecurity

Cyberattacks are costly and disruptive, but an arsenal of standards helps companies stay ahead of the game

Published: Wednesday, May 25, 2022 - 12:01

Cybercrime is on the rise. And as we move deeper into the digital age, the era of the so-called Fourth Industrial Revolution, it’s also growing more sophisticated and severe, with serious consequences. As cyber criminals become more adroit, cybercrime has touched all our lives in one way or another.

Cyberattacks can range from hacking into systems and social media, phishing attacks, malicious software including ransomware, identity theft, social engineering, and denial-of-service attacks. This is painful both personally and financially, causing untold damage and destruction, as well as leaving society and citizens vulnerable. According to McAfee, the computer security software company, the cost of these cyberattacks is increasing and amounted to about $1 trillion in 2020.

A growing global risk

With the Covid-19 pandemic having further embedded our growing dependence on digital systems, it’s not surprising that the Global Risks Report 2022 has yet again included the threat to cybersecurity as one of the growing risks facing the world. Cybersecurity failures, it says, have worsened significantly and threaten long-term prosperity.

But how do we stay one step ahead? Building a good cyberdefense system as well as anticipating threats are key elements in the fight against cybercrime. But neither resilience nor governance is possible without credible and sophisticated cyber-risk management plans. “Cybercrime is both a national and international occurrence that is spreading with great speed, affecting businesses, governments, and society as a whole,” says cybersecurity expert Edward Humphreys. “The scale and complexity of this criminal activity has far-reaching and detrimental consequences, and the situation is blurred as cybercriminals operate, using technical infrastructure, across national boundaries.” 

As a result, he adds, international collaboration is essential, and International Standards are indispensable for global protection. Humphreys speaks from his many years of business experience. He’s also a senior research fellow specializing in cyber-risk, security and cyberpsychology research, and ISMS innovation studies, as well as the ISO/IEC convenor of the working group responsible for managing, developing, and maintaining ISO/IEC 27000, a family of standards on information security management systems (ISMS).

Solutions and controls

International Standards provide solutions, he says, enabling organizations to establish frameworks and systems to assess and manage the situation—to protect information and secure applications, services, and national infrastructure.

The first step in tackling cybercrime is knowing the risks you face and then deciding the controls that must be implemented to mitigate these risks. Humphreys points to standards such as the ISO/IEC 27000 family, developed by ISO and the International Electrotechnical Commission (IEC), as the de facto choice for any organization seeking to build robust solutions against cybercrime. The suite of International Standards specifies a management system that goes into the risk management process of assessing the risks and then determining the controls needed to treat them.

“There are a range of standards supporting ISO/IEC 27001, such as ISO/IEC 27005 on information security risk management and the ISO/IEC 27003 implementation guidelines,” he says. “And there are many other standards that provide technical support for ISO/IEC 27001, for example, to secure networks and embed security features into technology, services, and applications.”

Being prepared

Humphreys reiterates the need for companies to be prepared and ready to face these attacks. “Cyberattacks can take place anytime and anywhere, and what is certain is that these attacks are sure to happen, but we can never be sure when or where,” he says. “Being ready and prepared is an essential business activity for survival. It involves a business having in place a process to be able to anticipate and identify, detect, and report incidents, and to analyze these incidents to decide how to respond to them.” This all must be done in a quick and timely manner to limit the impact the incident could cause.

So how can businesses be better prepared? Once a business detects the presence of a malicious code attack or a denial-of-service attack, the faster it responds with appropriate security measures, the greater the chance of limiting the spread of these attacks as well as limiting their effect and damage. As Humphreys says, there are standards that help businesses to become ready and better prepared to respond, such as the incident management standard ISO/IEC 27035, the standard for business continuity management ISO 22301, and the ICT readiness standard ISO/IEC 27031.

Collective action

In an already uncertain world, cybercrime can be financially devastating, disruptive to business operations and national infrastructure as well as citizens and society. For example, an attack on one part of a supply chain may spread, disrupt, and damage other parts of the chain. To foster more secure and resilient cybersecurity systems, Humphreys says the management of a supply chain is a good example of where collective action is needed across all parts of the chain to keep it secure.

“Again,” he says, “there are standards that help with supply chain security, such as ISO 28000 and ISO/IEC 27036. Collective action is also needed in various scenarios that involve business relationships and communications with other organizations. There is a group of management standards that will help with building resilience to counter business disruption and ensure survivability and system of governance. These include ISO 22301 for business continuity management systems, ISO/IEC 27001 for information security management systems, and ISO/IEC 27014 for information security governance.”

With the growth and dependency on connectivity for business, the infrastructure that supports it, and the use of the internet and mobile devices, there is an even greater need for system security and resilience. Humphreys acknowledges that standards need to evolve to match the rapid advances in technology. “The third edition of ISO/IEC 27002, for instance, was published in the first quarter of 2022. This high-profile standard deals with information security controls and has been updated to match the advancement in technology, business developments and practices, and new laws and regulations.”

In 2021, he adds, there were many other developments in standardization, including internet of things (IoT) security and privacy, big-data security and privacy, artificial-intelligence security and privacy, and biometric information protection. All these are complemented by recent technical specifications such as ISO/IEC TS 27570, which provides guidance on smart-city ecosystem privacy protection, and ISO/IEC TS 27100, which specifies how to create or refine robust cyber systems to protect against cyberattacks. The complete ISO/IEC 27000 family of standards and these technology-focused specifications are the foundation for building and managing a secure future.

First published May 4, 2022, on ISO News.

Discuss

About The Author

Ann Brady’s default image

Ann Brady

Ann Brady is a contributing writer for ISO Focus of the International Organization for Standardization (ISO).