When organisations are deciding what steps to take to prevent and respond to data breaches, they might immediately focus on the threat of hacking. After all, it seems as though every incident you hear about is caused by cyber criminals.
However, the range of threats organisations face is much broader than this. It encompasses anything that can adversely affect their information systems, including the theft, destruction, disclosure or modification of data, and unauthorised access to it.
There are many ways this can happen, so we’ve broken down the threats into two broad categories, along with examples of the sorts of threats organisations face.
The first category is the misappropriation of data: any way in which someone, inside or outside the organisation, might steal, expose or misuse it.
1. Cyber criminals: According to a government survey, almost half of British businesses were targeted by at least one cyber attack in 2016. The attacks ranged from opportunistic phishing emails to elaborate state-sponsored campaigns.
Whichever way an organisation is attacked, the risk can be reduced (though never eliminated) by following good cyber security practice: having an information security management system in place, applying patches promptly, and training staff to recognise socially engineered attacks such as phishing.
2. Malicious insiders: An organisation’s own staff are often its biggest security weakness. Employees might steal data for any number of reasons, although the most common motives are revenge (if they believe the company has wronged them) and financial gain (by selling the data).
Insider breaches are hard to prevent, because almost any employee with legitimate access is a potential threat. Organisations are therefore advised to apply the principle of least privilege: access controls that limit each employee to the information their role actually requires, backed by logs of who accessed what, so that misuse can at least be detected.
They might also wish to put in place policies restricting the use of removable devices such as USB drives. Copying files to a USB stick typically leaves no record, whereas emailing them passes through mail servers that log the transfer, so blocking removable media closes the channel that is hardest to trace.
3. Unintentional breaches: Sometimes, organisations or employees expose information inadvertently. For example, they might lose a removable device, leave a database accessible without authentication, or send information they didn’t realise was confidential. Organisations can reduce the likelihood of unintentional breaches by making staff aware of their information security obligations, and limit the impact when they do occur by, for instance, encrypting removable media so that a lost device does not expose the data on it.
The second category is damage to an organisation’s business environment: events that stop systems working or destroy data without anyone intending it.
4. Technological failures: Organisations should be prepared for the possibility that their technology will simply stop working. Systems crash, files are lost and documents go missing. If important information is backed up, and restores from those backups are tested regularly rather than assumed to work, organisations can avoid permanently losing vital documents; a business continuity and disaster recovery plan then keeps the recovery itself from becoming chaotic.
5. Natural disasters: In some circumstances, it’s easy to anticipate natural disasters. If your business is on a floodplain, you plan against floods. If it’s in an earthquake zone, you plan against earthquakes. Other times it’s not so easy. Anything from strong winds to heavy snow can affect your business, so it’s important to consider the damage that natural phenomena can cause.
6. Infrastructural damage: An electrical fire or a burst pipe can cause the same type of damage as a natural disaster, but it is harder to anticipate. Organisations’ plans for dealing with natural disasters and infrastructural damage will probably be similar, given that the end result is the same, and will be laid out in their business continuity management system (BCMS).
Be prepared for disaster
Environmental damage differs from incidents caused by people in that it cannot be prevented, only prepared for: the organisation cannot stop the flood or the fire, so it should assume that on-site systems and data may be lost and plan to recover from copies held elsewhere. As our advice suggests, organisations need to have a recovery plan in place.
ISO 22301 is the international standard that specifies the requirements for a BCMS.
A BCMS is a comprehensive approach to organisational resilience. It helps organisations update, control and deploy effective plans, taking into account organisational contingencies and capabilities, as well as business needs.
A BCMS also helps organisations cope with incidents affecting business-critical processes and activities, from the failure of a single server to the complete loss of a major facility.
You can gain valuable information on how to implement a BCMS with our ISO22301 Certified BCMS Foundation Training Course. It teaches you the fundamentals of business continuity management, including:
- The benefits of a BCMS;
- The process elements of a BCMS;
- The principles of business impact analyses and risk assessments; and
- The principles of incident response and business continuity management.