78% of IT professionals consider negligent or careless employees who don’t follow security policies to be the main reason for poor endpoint security, according to Ponemon Institute.
The research supports IT Governance’s own findings, which are discussed in a recent analysis of data breach contraventions in the UK. The findings show that a third of Data Protection Act (DPA) contraventions were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient, while a quarter were due to the loss of data or a mobile device.
The threat of employee errors and the lack of common processes underscore the critical importance of people and processes in sustaining an effective information security system.
With BYOD (bring your own device) becoming more common in the workplace, personal devices connected to the network are another major reason for poor endpoint security, according to Ponemon Institute’s research, followed by the increased use of cloud applications in the workplace.
Malware has also increasingly become a problem, often stemming from targeted attacks such as phishing and spear phishing.
According to a recent Alcatel-Lucent report, approximately 11.6 million mobile devices worldwide are infected at any time, and mobile malware infections increased by 20% in 2013.
The insider threat
It is clear that insiders – often unwittingly – expose their employers to threats through the devices they use for work. Indeed, employees are constantly being targeted as an entry point into organisations’ systems and networks. One of the most frequent approaches is malware.
The only real way to avoid staff-related breaches is through thorough staff education, awareness, and the effective enforcement of policies and procedures. Robotic compliance with standards should not drive your information security efforts, as a minimal effort to meet standards will inevitably leave critical gaps in your defences.
Research has proven that organisations compliant with the international information security standard ISO/IEC 27001 can better identify threats to their information security and reduce their risk exposure significantly.
ISO 27001 meets the requirements of the majority of global privacy regulations by providing a comprehensive framework for developing and implementing an auditable information security management system (ISMS).
An ISMS is based on a business risk approach to establishing, implementing, monitoring, reviewing, maintaining and improving information security.
The Standard requires the continual improvement of the ISMS in order to ensure the business keeps up with evolving threats and vulnerabilities. The Standard also mandates the implementation of information security staff awareness training, and the regular review of policies and procedures.
To get started with ISO 27001, there are numerous cost-effective options available.
This starter package offers you the following essential ISO 27001 products:
- Copies of the three most important ISO 27000 standards (ISO 27001:2013, ISO 27002:2013 and ISO 27000:2014) to explain the requirements of the Standard and the associated best-practice guidance.
- Two bestselling publications, enabling you to learn from leaders in the field how to tackle an ISMS implementation:
This offering includes all the products mentioned in the Basics package, as well as:
- The ISO 27001 Documentation Toolkit, which provides you with a set of policies, processes and reports that you can customise and implement quickly and effectively.
- The definitive ISO 27001 risk assessment software tool, vsRisk™.
The above are just two of our range of five ISO 27001 solutions. To view our other solutions, click the banner below.
Alternatively, if you’re looking to learn more about ISO 27001, you can download our free green paper: Information Security & ISO 27001: An introduction