The Covid-19 crisis accelerated the spread of telework. Organisations had to reorganise so that employees could access their professional data from home. In this context, how can an organisation ensure its cybersecurity? The ISO 27001 standard sheds light on the subject.
At the end of 2020, hacking attempts in the UK were up 20% on 2019, as attackers took advantage of COVID-19 and of remote working during the health crisis. In fact, in an increasingly connected world, companies of all sizes are exposed to risks that can jeopardise much of their data, including that of their customers and service providers.
The aim of cybersecurity is to protect information and maintain the integrity of IT resources. Large companies are not the only targets of cyber-attacks: SMEs can be prime targets, as they are sometimes less aware of, and less prepared for, this type of risk.
Even health care institutions are affected. This was recently the case for two hospitals in France, which suffered a major cyber-attack: their computer systems were paralysed for several hours, and hospital staff had to adapt in order to keep services running.
A 1 billion euro plan was recently announced by the French government to fight cybercrime, including specific measures for hospitals.
The actions considered include raising awareness and supporting organisations in adopting cybersecurity solutions, training the sector's various professions, developing the cybersecurity ecosystem, and supporting research and innovation.
These risks can also be reduced by adopting standards such as ISO 27001 and by deploying dedicated tools.
What is ISO 27001?
Part of the ISO 27000 family of standards, ISO 27001 is an international standard that specifies the requirements for establishing, operating and continually improving an Information Security Management System (ISMS). It is aimed at organisations of all types that wish to protect sensitive assets such as intellectual property, financial data and employee data.
Like other ISO (International Organization for Standardization) standards, it is voluntary: certification is not mandatory.
How to avoid the risks of cyber attacks?
The spread of telecommuting has given attackers new opportunities to exploit vulnerabilities in certain video conferencing tools and other means of remote communication. Companies must therefore respond with an effective strategy.
Develop a continuity plan
The IT Continuity Plan (ICP) is an integral part of the Business Continuity Plan (BCP) and ensures that the business can keep operating in the event of an IT failure. To establish it, the company must first carry out a risk analysis and a business impact analysis.
Risk analysis consists of identifying the main threats, internal or external, that may affect the IT system, then defining the risks arising from those threats together with their likelihood and potential impact. Once the risks have been prioritised, mitigation measures are implemented for those with the highest impact.
The impact analysis assesses the consequences of an interruption and determines the point at which they become intolerable. It yields time-based data: for each process, the maximum tolerable duration of an interruption. Recovery objectives for backups and failover must then be set against this duration.
Once these analyses have been carried out, the organisation can implement technical measures to ensure IT continuity and avoid data loss.
Raising awareness among employees
When employees telecommute, they connect through their home network, over which the IT department has no visibility or control. It is therefore important to make them aware of their responsibilities by setting out the best practices to adopt.
In fact, teleworkers are a prime target for social engineering ("psychological hacking"): the attacker exploits the victim's psychological weaknesses, such as trust, urgency or fear, in order to obtain confidential information. For instance, an attacker may send a spear-phishing e-mail purporting to come from the tax authorities to get the victim to hand over bank details.
Companies must therefore remain vigilant and guide their employees on the actions to take when working remotely.
These actions mainly include:
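The tax-authority lure above carries several technical tell-tales that a mail filter (or a trained employee) can check: a display name that claims an authority the sender domain does not belong to, a Reply-To that redirects answers elsewhere, an urgency/financial subject line, and links whose visible text differs from their real target. The following is an added example, not code from the original article; it uses only the Python standard library, and the message, the "trusted" tax-authority domain and the look-alike domains are all constructed for the demonstration.

```python
"""Flag spear-phishing indicators in a raw e-mail message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Hypothetical: the domain the organisation treats as the genuine sender
# of tax-authority correspondence.
TRUSTED_TAX_DOMAINS = {"tax.gov.example"}

# Constructed lure: look-alike sender domain, foreign Reply-To, urgent
# financial subject, and a link whose text hides a bare-IP destination.
CONSTRUCTED_PHISH = """\
From: "Tax Authority" <refunds@tax-gov-example.com>
Reply-To: collect@mail-drop.example.net
To: employee@company.example
Subject: URGENT: refund pending - confirm your bank details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your refund of 812.00 EUR cannot be paid until you confirm your IBAN.</p>
<p><a href="http://198.51.100.23/refund">https://tax.gov.example/refund</a></p>
</body></html>
"""

# Constructed legitimate notice from the trusted domain, for comparison.
CONSTRUCTED_BENIGN = """\
From: "Tax Authority" <notices@tax.gov.example>
To: employee@company.example
Subject: Your annual statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at <a href="https://tax.gov.example/account">https://tax.gov.example/account</a>.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings: List[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name claims the tax authority but the sender domain is not trusted.
    if "tax" in display.lower() and from_dom not in TRUSTED_TAX_DOMAINS:
        findings.append(f"display name {display!r} but sender domain {from_dom!r} is not trusted")

    # 2. Reply-To points to a different domain: any reply (and the bank details
    #    it contains) goes to the attacker, not to the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)!r} differs from sender domain {from_dom!r}")

    # 3. Urgency combined with a financial lure in the subject line.
    subject = msg.get("Subject", "").lower()
    if re.search(r"\burgent\b", subject) and re.search(r"bank|iban|refund", subject):
        findings.append("urgent financial lure in subject")

    # 4. Links whose visible text names a different host than the real target,
    #    or which point at a bare IP address instead of a domain.
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
        if IPV4_RE.fullmatch(href_host):
            findings.append(f"link to bare IP address {href_host!r}")

    return findings


if __name__ == "__main__":
    for label, message in (("phish", CONSTRUCTED_PHISH), ("benign", CONSTRUCTED_BENIGN)):
        print(label, phishing_indicators(message) or "no indicators")
```

None of these checks is conclusive on its own; the value is in the combination, and in showing employees concretely what to look at (sender domain, Reply-To, the real link target) rather than telling them to "be careful".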
- Avoiding plugging the same USB devices into both the work computer and personal equipment;
- Not opening unknown links or attachments received in the mailbox;
- Not using the work mailbox on a personal or third-party computer;
- Using security software such as a firewall and antivirus;
- Using the company's VPN (virtual private network) so that access to company data is encrypted in transit;
- Choosing a strong password (and never the classic "12345"!);
- Ensuring that backups are made regularly and that data at rest on hard drives is encrypted.
Employees should therefore be seen as an essential link in the security chain, especially when teleworking.
Implementing secure tools
The digital transformation of companies has accelerated since the health crisis. Today each employee needs remote access to the documents relevant to their job, so every member of staff must be able to connect to the platform through a dedicated, authenticated account (login and password, ideally with a second factor) without compromising the security of the data.
SaaS (Software-as-a-Service) solutions can reduce exposure to attacks: a dedicated hosting provider runs and secures the infrastructure, so the organisation keeps control of its own data without having to operate the servers itself. Regardless of the organisation's size, the data is hosted on the provider's secured servers, and the level of protection of the application is therefore the same whichever workstation is used. The customer nevertheless remains responsible for user accounts, access rights and the configuration of the service (the shared-responsibility model).
SaaS providers handle equipment management and maintenance with teams specialised in the field. It is therefore important to choose reliable, secure and certified hosting providers (e.g. Microsoft Azure), for instance those that are themselves ISO 27001 certified.
Managed services include server maintenance and recovery in the event of a failure. Reputable SaaS providers use separate sites for production and backup, so that if an incident occurs at one site, data can be restored from another. Check that the provider's recovery objectives (how quickly service is restored, and from how old a copy) match the maximum tolerable interruption identified in the impact analysis.
With processes digitised on SaaS tools, the company's data is held outside its internal information system, centralised on a single platform and protected by the hosting company. This reduces the risk of losing information and supports business continuity, even remotely, provided that access to the platform is itself properly secured.
As digital technology plays an increasingly important role in organisations, it is crucial to protect all data and to reduce the risk of cyber-attack. Tools and standards exist to support companies and their employees in this process.