The figures of the global survey of ISO management standards showed that over 2,000 Information Security Management System Certificates were awarded to UK businesses in 2018 – a trend that is predicted to remain strong in 2019. When it comes to cyber-attacks, no British business is immune.
In the most recent UK Government statistic released on cyber-attacks, 32% of UK businesses identified cyber breaches in the last 12 months. Data breaches are not solely limited to big businesses, such as Microsoft. Small businesses are affected too. There are thought to be 10,000 cyber-attacks on small businesses each day , often in the form of phishing and ransomware attacks.
ISO 27001 can, and does, play a large part in streamlining the information security processes of an organisation because, through a risk management process, it considers people, processes and IT Systems. And it seems that the upward trend for securing this certification is here to stay.
In the 2018 survey by IT Governance, nearly half of those businesses who responded to the survey felt that an attempted cyberattack on them was ‘likely’, with only a small minority believing that this threat was of no concern.
83% said that they had already implemented a continuity management programme, a key part of ISO 27001, in response to attempted or successful cyberattacks.
ISO 27001 is based on identifying, mitigating and minimising attempted malicious online attacks and, with the average cyber-attack costing anything from £4k upwards, the reason why this remains a strong must-have accreditation is obvious.
Cyber-security is never far from the headlines. In 2017, there was a 25% increase in reported data breaches. The type and nature of cyberattacks on businesses are constantly changing, from malicious malware infecting a system to serious breaches that expose thousands of records to the public.
The true cost can be gargantuan to a company. For example, Yahoo! suffered huge data breaches between 2013 and 2016 and its recent attempts to limit the damage by drawing a line under the compensation it was offering affected users in the UK, US and across the globe failed when a judge dismissed their action. The result is that Yahoo! is still liable to continue paying its users for a serious breach in cybersecurity.
In 2013, all 3 billion records at Yahoo! were breached and, with news that Facebook store user phone numbers on an unprotected server, many consumers and users are now starting to ask pointed questions about why companies need their details and how this information will be stored, used and archived. More importantly, people are asking how companies keep their data safe.
The 2018 IT Governance survey results confirm this, with 81% of respondents stating that in the last 12 months, they had been asked to confirm what their information security arrangements were and to prove their robustness.
This trend could continue, especially as the legal and regulatory rules governing information storing and handling continue to increase.
But there were other reasons why ISO 27001 remains a popular accreditation choice. 52% of respondents said that complying with legal and regulatory requirements was a key driver. 57% said they also opted for ISO 27001 as they believed it would sharpen their competitive edge.
Overwhelmingly, however, 72% said that the main reason for pursuing ISO 27001 certification was to ‘improve information security posture’.
The benefits that businesses felt ISO 27001 had brought them confirms this, with 89% claiming that it had worked to improve internal information security processes.
There were other benefits listed too. Nearly a third of those questioned said that they felt ISO 27001 accreditation has helped to retain customers – perhaps linked to the fact that almost half of businesses had been asked to prove their information security credentials.
‘Client demands’ surfaces time and time again in the survey results, along with improving business reputation and staff awareness around information security.
ISO 27001 remains one of the most popular information security management certifications offered globally – a sign of the digital age in which we live.
But information security doesn’t come without its issues. Half of those questioned said that ‘getting staff buy-in’ was a major stalling factor, with 44% also saying that lack of IT expertise within the organisation hindered the process.
Understanding how to implement the security measures required also figured prominently, as did budget.
All of the issues mentioned could be solved with the right steps and upskilling and some organisations were already taking steps to remedy them. For example, of those that mentioned lack of expertise, half said that upskilling staff was happening or about to happen.
In terms of budget, the majority spent between £5k and £20k achieving the ISO 27001 certification, a process that took on average 6 to 12 months to complete.
On the upside, 50% said that what they paid in total costs was worth it. Only 1% said costs were prohibitive.
From fines, to compensation, to loss of business reputation; the cost of a data breach is significant. Spending £5k to £20k on a valued and globally recognised accreditation such as ISO 27001 is a small investment in comparison.
And with experts suggesting this upward trend is here to stay, we are seeing more charities, businesses and organisations coming on board in 2019.
Matt Stacey is Managing Director of QMS International Ltd, one of the UK’s leading ISO Certification bodies.
Over the last 25 years, QMS International has helped implement over 20,000 Management Systems in organisations of all sizes.