2014 was marked by a huge number of cyber attacks and data breaches – a fact that has positioned cyber security as a key priority for organisations in 2015. Ensuring that an organisation is cyber secure, however, is closely related to its ability to manage cyber risk effectively. Yet, studies in 2014 showed that organisations worry about the increasing cyber threat while also questioning their cyber risk management competence.
Inability to assess threats
The KPMG report revealed that nearly 70% of the respondents are wary of their organisation’s ability to assess incoming threats. Complementing this finding, the results from the Boardroom Cyber Watch Survey 2014 showed that almost 36% of the 240 respondents believe their company was probably subject to undetected cyber attack in 2013, while almost 21% did not know.
Rise of the external threat
The 2014 CISO Assessment, released by IBM in partnership with the Center for Applied Insights, revealed that 80% of the 138 security leaders interviewed have seen the external threat increase in the past three years, while 60% said that the sophistication of attackers was outstripping the sophistication of their organisation’s defences. Half of the security leaders interviewed believe that external threats will require the most organisational effort to address over the next three to five years.
Cyber risks – a severe and persistent danger
PwC’s Global State of Information Security® Survey 2015 has described cyber risk as a “severe and persistent danger”. According to the findings, growth of global security incidents (48%) outpaces GDP (21%) and mobile phones (22%). Moreover, the annual estimated reported average financial loss attributed to cyber security incidents in 2014 was $2.7 million, a jump of 34% over 2013.
Using best practice for managing cyber risks
In order to address the above issues, every company must integrate cyber risk management into its day-to-day operations and be prepared to respond to and recover from cyber incidents and attacks.
The risk assessment process sits at the core of ISO 27001 – the international information security management standard, which lays out the requirements for developing, implementing and maintaining an information security management system (ISMS).
One of the key elements of a risk assessment is to identify the full extent of risks that the ISMS is exposed to, while also pre-empting any potential future risks, such as an organisational decision to move its data to the Cloud in the near future.
Following risk identification, suitable responses need to be determined and implemented (whether to treat, tolerate, terminate or transfer those risks), using a range of controls. ISO 27001 provides a set of recommended controls in Annex A; once the organisation’s legal, regulatory and contractual commitments have been applied, Annex A serves as a checklist to ensure that no control has been overlooked.
If you want to see how ISO 27001 can help protect your organisation from cyber attacks, IT Governance has created four fixed-price ISO 27001 implementation solutions to suit all organisations, whatever their size, sector, location, budget or preferred project approach.
The accuracy of risk assessments is critical
The accuracy of a risk assessment is critical as its outcomes drive information security management decisions. Risk assessments also enable expenditure on controls to be balanced against the business harm likely to result from security failures.
Moreover, companies pursuing certification to ISO 27001 must meet the risk assessment requirements set out in the Standard.
Since carrying out a risk assessment is difficult, some organisations use specialist information security risk assessment tools. One such tool is vsRisk, which provides the complete solution for automating the information security risk assessment, in line with ISO 27001.
Start your risk assessment today and protect your sensitive information from the rising cyber threats!