A recent article on the BBC news website highlighted an incident at Eurofins, one of the UK’s largest forensic service providers. In June 2019 a ransomware attack severely affected the lab’s ability to provide services to the police. Work had to be suspended for seven weeks, delaying investigations and trials.

A senior manager at the company commented that cyber-crime could happen to any organisation, warning “It’s a threat to society” and all business sectors are vulnerable.

A cyber-readiness report from Hiscox in 2019 found that 61% of the firms surveyed reported one or more cyber-attacks in the past year, up from 45% the year before.

The report also stated that the scale of ransom demands has risen, and that cyber-crime is now an unavoidable cost of doing business.
https://www.hiscox.co.uk/cyberreadiness

What is ransomware?

Cyber criminals infect victims’ computers with malicious software that encrypts the data on the machine so that the user can no longer access it. A ransom is then demanded in exchange for the decryption key. There is no guarantee that your data will be unlocked after you have paid, which is why a recent backup kept offline, and tested, is the only dependable way back. More sophisticated criminal gangs target business networks and can cause chaos by encrypting many devices at once.

Phishing is one of the main methods used to gain access to computer networks. The user receives what looks like a legitimate email and is persuaded to open an attachment or click on a link that installs malware on the network, or to enter their username and password on a fake login page, handing their credentials to the attacker. Training your employees to recognise these messages is vital.

Another approach is credential guessing, or brute force: the attacker tries many username and password combinations, often taken from lists of common or previously leaked passwords, in the hope that one works and gives them access to your network. Repeated failed logins from a single source, or one password tried against many accounts, are the tell-tale signs.
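As an added example, not from the original page, the script below shows the kind of check that the monitoring and logging activities described on this page would carry out for that approach: it scans authentication log lines and flags sources making many failed logins. The log lines are constructed for the example in the style of OpenSSH messages in /var/log/auth.log, and the thresholds (five failures, three distinct accounts) are assumptions to tune for your own environment.

```python
"""Flag brute-force and password-spray sources in authentication logs.

Added example, not code from the original page. The sample log lines are
constructed in OpenSSH syslog style; the thresholds are assumed values.
"""
import re
from collections import defaultdict

# Constructed sample lines. 203.0.113.5 hammers one account (brute force);
# 198.51.100.9 tries one guess each against many accounts (password spray);
# 192.0.2.44 is a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Jun 03 10:01:12 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 03 10:01:13 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jun 03 10:01:14 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jun 03 10:01:15 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jun 03 10:01:16 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jun 03 10:01:17 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 51027 ssh2
Jun 03 10:05:01 fileserver sshd[2290]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
Jun 03 10:05:02 fileserver sshd[2290]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
Jun 03 10:05:03 fileserver sshd[2290]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
Jun 03 10:05:04 fileserver sshd[2290]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Jun 03 10:05:05 fileserver sshd[2290]: Failed password for invalid user erin from 198.51.100.9 port 40005 ssh2
Jun 03 10:09:30 fileserver sshd[2310]: Failed password for dave from 192.0.2.44 port 50010 ssh2
Jun 03 10:09:45 fileserver sshd[2310]: Accepted password for dave from 192.0.2.44 port 50010 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) tuples, one per failed login."""
    failures = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures.append((match.group("ip"), match.group("user")))
    return failures


def find_suspicious_sources(log_text, max_failures=5, max_users=3):
    """Group failures by source IP and classify the pattern.

    A source that fails against at least `max_users` distinct accounts is
    reported as a password spray; one that fails at least `max_failures`
    times against fewer accounts is reported as brute force. Thresholds
    are assumptions for the example.
    """
    attempts_by_ip = defaultdict(list)
    for ip, user in parse_failures(log_text):
        attempts_by_ip[ip].append(user)

    findings = {}
    for ip, users in attempts_by_ip.items():
        if len(set(users)) >= max_users:
            findings[ip] = "password-spray"
        elif len(users) >= max_failures:
            findings[ip] = "brute-force"
    return findings


if __name__ == "__main__":
    for ip, pattern in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {pattern}")
```

In production this logic would sit behind a time window (failures per source per ten minutes, for instance) and feed an alert or an automatic block; the point here is that the two patterns need different thresholds, because a spray keeps the per-account count low enough to slip under a simple lockout rule.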

A Denial of Service (DoS) attack is different in kind: rather than gaining access, the attacker floods a server with requests, usually from many compromised machines at once (a distributed DoS, or DDoS), until it can no longer respond. Your services stay unavailable until the traffic can be filtered or absorbed.

Cyber-crime protection with ISO 27001 certification

ISO 27001 is the internationally recognised standard for an Information Security Management System (ISMS). Certification to ISO 27001 provides a framework to help you manage risk, train your employees, monitor and control your networks and continually improve your management system. The certification process requires you to put in place a framework that would include:
  • Risk assessments covering where your data is stored and identifying any vulnerabilities
  • Training your employees to spot suspicious emails and warning them against opening attachments and links from unknown senders, which is very often the method used by cyber-criminals to spread malware
  • Improving system security: firewalls, network management, anti-virus protection, access control, asset management, controls on software installation, patch management, password management, back-ups and audits are some of the measures in the framework
  • A process for responding to a cyber-attack that mitigates the damage and repairs the system to get you back up and running as soon as possible
  • Reporting, monitoring and logging activities to continually improve your system and keep up to date with the latest requirements
The ISO 27001 ISMS covers more than just loss through cyber-attack. It also includes data loss or damage caused by natural disasters, theft and mismanagement.

Cyber-crime can have other devastating effects on your business. Legal regulations may have been breached and claims for compensation will have to be dealt with if sensitive information about your customers or suppliers gets into the wrong hands.

The ensuing adverse publicity and damage to your reputation will need to be managed to minimise the effect on your business.

You may have to bring in experts to fix the breach of your computer systems and consider how you will cover any financial losses.

Implementing ISO 27001 will provide a framework for identifying cyber risks to your business and establish processes needed to protect your information assets.
To find out more about the benefits of ISO 27001 ISMS, call one of our team on 0121 241 2299 or request a quote.
Following its investigation of last year’s British Airways data breach, in which customers’ credit card details, travel bookings and login details were accessed, the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine the airline £183 million, the largest penalty it has proposed so far. BA has 28 days to make representations before the fine is finalised.

A similar notice concerning stolen guest records at the Marriott hotel group proposed a fine of just over £99 million, again subject to representations from the company.

This shows how seriously the ICO is taking enforcement of the GDPR against companies that cannot demonstrate their commitment to data security. In British Airways’ case the ICO cited “poor security arrangements” at the company.

Businesses of all sizes must be prepared
Your business may not be in the same league as BA or some of the other giants that have been caught out and suddenly find themselves in the headlines for the wrong reasons. However, the maximum fine is expressed as a percentage of global turnover, so it scales with the size of the business. Could your organisation survive a fine of this size?

Copied from: https://eugdpr.org/the-regulation
“Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”

The following podcast is from Reuters and Barclays bank and discusses some of the fines mentioned above and ways to reduce exposure to cybercrime.



One of the points to come out of the above interview with Paul Henley is that organisations should take matters into their own hands by analysing attacks, managing the process and having a programme in place to fix any vulnerabilities that are identified.

ISO 27001 will provide a management framework to manage and fix vulnerabilities
ISO 27001 is one of a range of internationally recognised ISO standards such as ISO 9001, that organisations can implement to make them more efficient, productive and robust.

Gaining certification to ISO 27001 will provide a management system to help protect your organisation from a cyberattack and a variety of other risks such as natural disasters, mismanagement, human error and corrupted or stolen data.

Risk assessment and risk management are a fundamental part of the assessment process to gain certification. This entails an expert from within or outside your organisation identifying where vulnerabilities in your network exist and implementing controls, policies and procedures to minimise the risk of a breach.

Another point made in the above interview by Paul Henley was that he would have liked “someone to come up with a whole list of things to consider”. Your ISO 27001 consultant will have been selected for their experience and knowledge of working with other organisations in your industry sector and will be able to implement best practice using the latest information available.

A large proportion of successful cyberattacks involve human error, which is very difficult to eliminate completely. A management system will help to reduce the chances of an attack succeeding and provide a recovery process should the worst happen by implementing:
  • Risk assessment and management
  • Employee training
  • System monitoring
  • Access control
  • Regular reviews
  • Continuous improvement
This will demonstrate your commitment to minimise risk and limit your exposure to regulatory fines or adverse publicity that could be catastrophic to your organisation.

Call 0121 241 2299 to discuss how ISO 27001 can protect your organisation from the effects of cybercrime.
ISO 27001 is one of the most recognised standards for Information Security Management and is part of the globally respected ISO suite of Management System Standards.

Since the introduction of Annex SL, which gives ISO management system standards a common high-level structure and core clauses, organisations already certified to one standard, such as ISO 9001, will find it easier to implement another, such as ISO 27001.

Certification demonstrates that you have a robust management system to comply with the latest security, privacy and compliance requirements for today’s digital age.

Suitable for all sizes of organisation
Blue chip companies, global cloud service providers and small to medium sized businesses are aware of the risks of cybercrime and the havoc it can cause an organisation.

Google Cloud is one organisation that has recognised the value of the regular independent third-party audits of its security, compliance and data-processing controls that are needed to achieve ISO 27001 certification.

You don’t have to be as big as Google to benefit from ISO 27001 certification. Recent research by Beaming (UK Internet Service Provider) showed that in the UK, small businesses bore the brunt of £17 billion worth of cyber-attacks in 2018. ISO 27001 is as relevant to small businesses as it is to large organisations and provides a framework to protect SMEs from outside attack and internal errors by employees.

With more businesses relying on cloud services, choosing the right provider and assessing how your employees share information requires a high level of control to ensure data is not inadvertently shared with the wrong group of people, or worse, publicly.

Whether you have your own self-hosted IT or you rely on cloud-based services, having regular independent third-party audits of your Information Security Management System (ISMS) will help protect your IT network from a range of events.

ISO 27001 certification
Part of the certification process is to identify the information you hold, assess the risks and threats to it and put in place a framework to minimise the likelihood and impact of a breach.

Loss of data can come from many sources and can include hackers, your own employees and natural disasters such as fire and flood.

Having a system of checks and controls will help to prevent a breach and provide procedures to minimise the impact of a loss.

A range of security controls, set out in Annex A of the standard, are its backbone and include (not an exhaustive list):
  • Information security policies
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Information security incident management
  • System acquisition, development and maintenance
  • Business continuity
  • Compliance with legal and regulatory requirements
To minimise the risk of falling victim to an inadvertent click on a phishing email by an employee, a deliberate cyber-attack or a natural disaster, call ACS Registrars on 0121 241 2299.
The ISO 27001 information security management system provides your organisation with a framework for managing and improving the protection of your valuable data.

Cybercrime is a growing problem and will continue to put organisations at risk of a security breach. This could have devastating consequences for employees, customers and business partners.

Many organisations are ISO 9001 certified and see this standard as a basic requirement for doing business and meeting customer expectations for quality and management. Far fewer companies have achieved certification to ISO 27001; however, a data security breach could potentially be just as harmful to your profits and reputation as the quality failure of a product.

Customers expect their data to be protected. If their details get into the hands of cyber criminals, the adverse publicity and damage to reputation, not to mention the cost of fixing the problem, make prevention the obvious choice.

One of the latest widely reported breaches involved the Marriott hotel chain. Although the company holds cybersecurity insurance, the cost is still expected to run into millions over the coming years.
The introduction of GDPR also took data protection to a new level, requiring organisations to comply with the regulations or face large fines.

ISO 27001 provides the framework to mitigate the risks and meet the requirements of the latest regulations.

ISO 27001 benefits
Certification to ISO 27001 that has been audited by a third party, such as a UKAS-accredited certification body, provides reassurance that the management framework and information protection system you have adopted is robust and regularly audited.

This demonstrates to customers your commitment to maintaining an effective system of controls and organisational processes that will keep their data safe.

It will help you meet regulatory requirements specific to your own industry and wider obligations such as GDPR.

ISO 27001 certification will also give you a competitive advantage when you are tendering for new contracts, especially if your competitors do not have such a framework in place.

Why ISO 27001 is needed in your organisation
If your organisation relies heavily on data, holds sensitive data that could be exploited by cyber criminals, competes with organisations that have ISO 27001 or similar, or operates in a highly regulated sector, you will probably need some form of information security certification.

If you are going to go through the process of certification, it makes sense to take the next step and have your information security management system audited by a UKAS-accredited certification body. This provides an independent and impartial assessment of your framework and processes.

UKAS accreditation has international recognition and ensures your certification carries maximum credibility when it is issued. Certification bodies accredited by UKAS have been assessed for the competence and impartiality required to audit your framework rigorously, now and into the future.

You can find out more about what UKAS accreditation means for your organisation on their website https://www.ukas.com/about

Alternatively, contact one of our fully qualified lead auditors for more information.
There is a lot of confusion over the new GDPR (General Data Protection Regulation), and different interpretations are being put forward as to how businesses should comply.

The new regulation builds on the best practices in the DPA (Data Protection Act) and PECR (Privacy and Electronic Communications Regulations) already in force in the UK.

A major factor that has made organisations take more notice of GDPR than of the existing regulations is the significant fines that can be handed out for non-compliance:

Up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. Or, up to €20 million or 4% of annual turnover of the previous year, whichever is higher. *

ISO 27001
Organisations that are already certified to ISO 27001 have a head start to help them comply with GDPR.

Certification will require a robust and auditable Information Security Management System (ISMS). This provides a solid base to meet GDPR.

The route to certification will include the implementation of a range of security and data management processes that are also relevant to GDPR compliance, including:
  • Regulatory and contractual compliance.
  • Risk assessment.
  • Security of systems and data.
  • Incident management, including procedures for reporting a breach to regulators and the individuals affected.
  • Management process and control.
  • Data access control.
  • Encryption of data.
  • Continuous evaluation and improvement.
  • Improved communications to employees and customers.
Benefits of ISO 27001
Compliance with ISO 27001 goes beyond the requirements of GDPR and includes business continuity planning in the event of an incident, improving management processes and supporting the bottom line by:
  • Carrying out risk assessments that will identify where data is held and areas that need to be improved to minimise threats to data security.
  • Giving customers greater confidence, through audits, that their data is being used correctly and is in safe hands.
  • Improving resilience to threats within the organisation and from external sources.
  • Providing effective procedures that will help the organisation to recover following an incident.
  • Improving tendering prospects for new business, particularly in the public sector, where compliance with certain standards is mandatory.
Certification provides proof that you have been externally audited to meet the standard and can give you an advantage over your competitors.

Call one of our team on 0121 241 2299 to discuss how ISO 27001 can help you meet your GDPR obligations.

*https://www.eugdpr.org/key-changes.htm