Protect Your Business from Hacking with the Information Security Standard

By Joselyn Biira Mwine

The recent high profile case of the hacking of Stanbic Bank and telecom giants MTN and Airtel has proven the extent of damage to an organisation if information gets into the wrong hands. The so-called Internet of Things – digitally connected devices like appliances, cars and medical equipment – promises to make life easier for consumers. But it comes with a price. The more computerized and dependent on wireless communication we become, the more vulnerable we are to hacking. The late security expert Barnaby Jack exposed weaknesses in pacemakers, insulin pumps and ATMs, showing how everyday objects not commonly thought of as targets can be taken over by malicious third parties. As we speak, many homes contain dozens of networked devices. This includes computers, cell phones and tablets, but also many traditional home products such as refrigerators, televisions, and security systems.

So what does this mean for the future? How alarmed should we be, with all these smart products attached to the Internet? The answer is very. And we don’t have to wait until we experience security vulnerabilities. These weaknesses are already here, and found in webcams and cameras of all sorts – not to mention banking systems, ATM machines, industrial control systems and military drones. With all of these things “hackable”, here is my “red line”. It is one thing to usurp my identity and make unauthorized charges on my credit card. But it is quite another to go after my new-born baby via its monitor or my insulin-dependent father on his glucose meter. Protecting against unwarranted access of software and cyber-attacks, needs to be a priority for both government and business. Bearing all this in mind then, how safe are the businesses that produce our goods and services?

Information security incidents are on the rise as cyber criminals increase their focus on both large and small businesses. The threat landscape of mobile security is moving at a very rapid pace. Mobile hackers are on the prowl, cooperating with cyber criminals to pass on stolen private and business information. What’s more, threats in the mobile landscape are becoming smarter and targeting mobile devices. More and more organizations are embracing online opportunities to promote their business and solidify their position in the marketplace through the use of mobile devices and apps, not to mention social networking sites. In so doing, these companies are magnifying the number and sophistication of threats targeted at them. Today’s companies have no choice but to protect themselves by implementing the Uganda Standard US ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.

Used internationally since 2005, this standard has helped thousands of organizations around the world boost their information security. Implementing an information security management system will provide your organisation with a system to eliminate or minimise the risk of a security breach that could have legal or business continuity implications.

An effective US ISO/IEC 27001 information security management system (ISMS) provides a management framework of policies and procedures that will keep your information secure, whatever the format. By establishing and maintaining a documented system of controls and management, risks can be identified and reduced. This standard takes into account of past user experiences, improvements in security controls apt for today’s IT environment, namely identity theft, risks related to mobile devices and other online vulnerabilities, and aligns with other management systems. Business boom and bust Cyber security is not just an IT challenge, it is critical to the running of any business.

The benefits of using a framework for managing cyber risks cannot be overstated:

  • Protecting information from getting into unauthorised hands
  • Ensuring information is accurate and can only be modified by authorised users
  • Assessing the risks and mitigating the impact of a breach
  • Increased reliability and security of systems and information
  • Improved customer and business partner confidence
  • Increased business resilience
  • Alignment with customer requirements
  • Improved management processes and integration with corporate risk strategies

To tackle the cyber problem, we not only need more robust technical solutions, we need management solutions to improve the business processes to handle the risks to confidentiality, integrity and availability of information and, very importantly, to improve the awareness and skills of staff and users to achieve this protection. US ISO/IEC 27001 can help companies improve their defences against cyber-attacks and, in turn, enable businesses to offer better security in the services they provide their customers. As a result, customers will have greater trust and confidence in a secure business partner. Cyber risks cause much harm to online markets by compromising electronic transactions and inflicting costly damage.

Organizations that manage their information security risks through US ISO/IEC 27001 certification are well recognized by the marketplace. There is no doubt that compliance to US ISO/IEC 27001 will enable businesses improve their own approach to all aspects of information security and physical security. In addition to this, particular benefits will be seen in colleague awareness and supplier selection and management.

Thousands of organizations around the world use US ISO/IEC 27001 to manage their information security risks. And in a world increasingly plagued by cyber-attacks and other threats, anything else would be unthinkable. Whether we like it or not, information has become one of the critical commodities in today’s fast-moving interconnected world. Safeguarding our cyberspace is an urgent business issue and one that needs immediate and ongoing attention. In a number of cases, the right security measures can discourage expert hackers and beat opportunists. And US ISO/IEC 27001 is your first line of defence. But standards are only good in as far as they are used. So the next time you go to an ATM, ask yourself this: Did my bank consider the possibility of hacking? Did the company implement US ISO/IEC 27001? If the answer to both questions is no, then maybe you should think twice. Ignorance is no excuse. Standards can be accessed through the UNBS Webstore at www.unbs.go.ug

The writer is the Public Relations Officer at Uganda National Bureau of Standards.