One of the oft-cited objections to putting an effective information security management system (such as that defined in the ISO27001 standard) in place is cost. The people cost money, the tools cost money, the internal and external auditors cost money, and as for management time, well, time is money after all. And the benefits of security are often hard to quantify, mainly because you don't know how big a risk you are carrying by not having any in the first place.
Yes, there are reports and surveys that claim to show the true scale of cyber-crime, but they are mostly written by people who want to sell you their products, so can you really trust them? The answer is probably no, but that doesn't mean they're wrong.
Let me explain.
Let’s think for a minute about the whole area of cyber-crime.
You have assets in your company that are stored on one or more computers. These assets are worth a lot to you: they could be customer records, product secrets, HR information, financial data and so on, and without them you would have a serious problem running your business. Not only that, but the assets may include things you don't want anyone else to know; the information could be useful to a competitor, or it could be material that would be embarrassing if it leaked onto the Internet and became public knowledge.
Now add to this picture the fact that most intrusions nowadays don't advertise their presence; gone are the days when a skull would flash up on screen saying "you've been hacked!". If you have been compromised, you probably don't know it, because an attacker who wants to keep taking data has every reason to stay quiet. The first you might know of it is when the attacker uses the information they have stolen for a purpose such as extortion or embarrassment.
Let's say you get lucky and find out that someone has accessed your systems illegally. Would you know what they have taken? Unless you have been logging and monitoring access to those assets, possibly not, and you may have to assume the worst case. Can you track them down and get them arrested? Even if you were to prioritise forensic examination over fixing the problem as quickly as possible, the chances of the trail leading to the right person are, quite frankly, remote.
So no justice there.
Then there's the question of whether you tell anyone. This is where reputation comes in. The harsh truth about the consequences of a loss of reputation after a successful attack (or even a publicised unsuccessful one) is that it may well sink you. Think about how you would react if you found out that a company you dealt with had lost your data; you would probably look elsewhere to meet your needs, particularly if similar suppliers are plentiful and competition is fierce.
A company that suffers such a public breach might survive if it is big enough and has sufficient reserves...just. But how many smaller companies would make it past the sudden loss of customers? The sad fact is that, once lost, trust is very hard to regain. In many jurisdictions there is still no general legal obligation to report security breaches to the authorities, although that is changing. Let's face it, you're probably not going to tell anyone.
So in essence:
In terms of risk, what we have is an iceberg: an increasingly large visible tip of public security breaches with a potentially massive hidden expanse below the water. How big an expanse? No one knows. And in terms of impact we have an almost Armageddon scenario, where a loss of trust sends your business under at a rate of knots. That's the kind of risk I would take seriously. So yes, good security is a cost. But bad security is so much more expensive.
The ISO27001 standard gives you the tools to assess and manage your risk, through a documented risk assessment and risk treatment process, so that the chances of your company hitting the iceberg are reduced.
And the CertiKit ISO27001 Toolkit gets you to ISO27001 fast.