It’s a common misconception that cyber security is all about technology (hardware and software). Technology is obviously a massive part of cyber security, but alone it is not enough to protect you from modern cyber threats.
Cyber security consists of technologies, processes and measures that are designed to protect individuals and organisations from cyber crimes. Effective cyber security reduces the risk of a cyber attack through the deliberate exploitation of systems, networks and technologies. Cyber security is a sub-section of information security.
Effective and robust cyber security requires an information security management system (ISMS) built on three pillars: people, processes and technology.
You may have the technology in place but if you don’t have proper processes and haven’t trained your staff on how to use this technology then you create vulnerabilities.
Let’s look at each of these pillars.
There are two key aspects to the people element of the trinity that you need to consider. First, everyone in the business needs to be aware of their role in preventing and reducing cyber threats, whether it’s handling sensitive data, understanding how to spot phishing emails or the use of BYOD. Cyber security is a business issue and everyone has a role to play. An effective security awareness programme can help reduce the risk of cyber threats aimed at exploiting people.
Secondly, there are the specialised technical cyber security staff. They need to be fully up to date with the latest skills and qualifications to ensure that appropriate controls, technologies and practices are implemented to fight the latest cyber threats. Cyber security staff who don’t stay up to date affect the organisation’s ability to mitigate and respond to cyber attacks.
Processes are key to the implementation of an effective cyber security strategy. Processes are crucial in defining how the organisation’s activities, roles and documentation are used to mitigate the risks to the organisation’s information. Processes also need to be continually reviewed: cyber threats change quickly and processes need to adapt with them. But processes are nothing if people don’t follow them correctly.
Technology is obviously crucial when it comes to cyber security. By identifying the cyber risks that your organisation faces you can then start to look at what controls to put in place, and what technologies you’ll need to do this. Technology can be deployed to prevent or reduce the impact of cyber risks, depending on your risk assessment and what you deem an acceptable level of risk.
ISO 27001 – the standard that advocates the three pillars of cyber security
ISO 27001 is the international standard for an ISMS, and advocates the combination of these three pillars. Creating an ISO 27001 ISMS will ensure every aspect of cyber security is addressed within your organisation.
ISO 27001 is rapidly gaining momentum as the world’s leading cyber security standard, offering robust defences to those who implement it, as well as helping them win new business through their commitment to security.
IT Governance’s ISO 27001 DIY packages enable any organisation to implement ISO 27001 from anywhere in the world. Each package is a carefully selected mix of training, tools and consultancy that help organisations with different internal competencies implement the Standard.