Top managers across the globe view security risk as an essential topic on their agendas. Both board members and executive leaders want to know if their people and data are safe. Maltese businesses are no exception — the rise of cyberattacks is driving local regulators to track different levels of resilience. The MBR, MFSA, and MGA have all released standards on cybersecurity and the protection of digital assets, with strict auditing structures and requirements.
These are also supported at a European level. Bodies such as EIOPA for insurance, the ECB for banking / financial services and EBA for payments have all published their guidelines. The new regulation that will come into force for all businesses operating in the EU continues to shed light on the need to develop a clear strategy. Now more than ever, it is imperative that companies adopt a risk-based approach to cybersecurity to ensure that their processes and technology are safe.
Identify the value and risks to your organisation
According to a 2019 study from the Ponemon Institute, the average cost of data breaches was $3.92 million. Furthermore, the average number of records lost or stolen in a data breach was 25,575. Another report by the Identity Theft Resource Center yielded similar results. In total, there were 1,244 data breaches reported in the United States in the same year. This figure is a 4% increase from the 1,192 breaches reported in 2018. These numbers have been growing steadily in Malta over the past few years. In 2019, the Maltese IDPC recorded over 100 personal data breaches (17 of these notifications resulted in GDPR fines).
Regulation and security follow a principle of proportionality – it is critical to identify the areas of your business most in need of protection. On the flip side, securing those areas that make tempting targets would be the most difficult for attackers to breach. To be resilient, companies must identify, assess and respond to incidents in a short time – and part of that is to understand which processes are most in need of protection. You can do this by using the Pareto principle as a guide. Decision-makers must prioritise their work by listing the most valuable and vulnerable processes.
As a result, organisations should be clear about their defined value. What is the company trying to protect? This question allows you to focus your efforts on the critical areas of the business. Additionally, one must also keep in mind that not all disruptions are equal. Human error and technical issues may both play a role.
Interdependencies between systems cause more significant problems across the board. So, understanding the root cause of incidents can help limit the impact of breaches. An effective response gets you up and running ahead of the competition — reducing the high financial cost of reputational damage.
Why all roads lead to ISO
Once you’ve identified your key business risks, it is essential to have a structure for reporting them and ensuring that errors of omission cannot catch you off guard. The ISO 27001:2013 standard provides a comprehensive framework to protect yourself from vulnerabilities and investigates areas across operations where improvements may be necessary to follow best practices.
The standard has fourteen sections. The first section gives an overview of the information security management system. The second section guides you on how to set up different controls. The rest covers risk management, incident response, business continuity and threat intelligence — covering the full spectrum of security — from digital to incident management. It even goes as far as to tackle on-premise physical security.
While we have been a security company for many years, in 2018, we decided to embark on this journey on the eve of ICT Solutions’ 10th anniversary. Click here to learn more. But suffice to say, it has had a foundational approach on not only how we think about security risk but, far more importantly, the people and processes around them — items often overlooked by businesses that think technology first.
It helps to consider the specific industry when understanding threats and defining value. In Malta, the MBR, MFSA, and MGA offer different ways to improve your security posture. These apply to regulated sectors, such as banking, gaming, insurance and financial services. Having a good mix of experience and qualifications is a must to be compliant. To execute all the required changes, you should be conversant with the ISO 27001:2013 standard.
Track efforts using Key Performance Indicators
In most cases, roughly 80% of the consequences come from 20% of the causes. So, you should add new controls to the backlog based on time, cost and scope. Adopting this approach also makes your security program better positioned to mitigate threats. The following list provides some metrics you can use to measure your progress by the number of:
- Data breaches prevented by intrusion detection
- Malware infections prevented by endpoint detection
- Phishing attacks prevented by email filtering
- Ransomware attacks prevented by backups
- DDoS attacks prevented by web application firewalls
- Social engineering attacks prevented by training
- SQL injection attacks prevented by activity monitoring
There are various potential indicators to gauge the usefulness of security controls. Very often, the ones you select depend on your specific industry or the value you are trying to safeguard. Commercial banks might want to focus on authentication failures and account takeovers. Merchant banks might want to delve into fraud cases, chargebacks and payment failures. The most important thing is to select the ones that will help you measure progress. In our experience, we find that lead and lag indicators can also be beneficial. One assesses whether your controls prevented an incident. The other evaluates whether an incident has already occurred. Both give you a good idea of how effective your security program is.
Foster a continuous improvement mindset
After implementing these guidelines, you should ensure that your maturity continues improving. In the ideal world, your efforts cannot be a one-time event. Like the Kaizen concept, it should be an ongoing process. You can try to make incremental changes as you go along. As noted above, start by applying these to the most valuable and vulnerable processes. Doing so will give you the most impact on your investment.
There are a few ways to keep the momentum going:
- Get commitment from your senior management
- Incorporate security into your business processes
- Make someone in charge of your compliance
- Engage with a managed security service provider
- Provide security awareness training to your staff
So, where do I go from here?
Most organisations we have worked with often show an interest and commitment towards embarking on a framework like ISO to shore up their security (or an industry-specific variation in many cases). Yet, one of the most significant problems we see in many businesses isn’t an issue with their technology adoption but a matter of readiness of processes and ongoing management.
It can be very challenging to train teams to monitor, manage, remediate, inform, consult and take corrective action across an organisation. In many cases, the headcount and process work required can be prohibitive for many companies — as the effort needed to protect and train employees does not always correlate with the size of the business.
That’s why a partner like ICT Solutions can help — with our services, you don’t just get the technology. You also get the people and processes out of the box — with a proven track record, demonstrated methodologies and reporting ready to go and built for your industry — a feature several customers have used to turbo-charge their ISO readiness.
If you want to learn more about the portfolio of security services that can help you on your journey, you can learn more by clicking here. We can help you reduce the time needed to detect and respond to incidents at a much lower cost and business impact than trying to build a system internally.