QMS International Archives - Cyber Secure Forum | Forum Events Ltd

IT security in 2022 – what you need to know

Guest Post

By Jack Rosier of QMS International, one of the UK’s leading ISO certification bodies

We’re living in the age of computers, with technology playing a more important role in our lives with each passing year. With the pandemic acting as a catalyst for increasing digitalisation, 2022 is likely to see more technology usage than ever before – so businesses need to make sure they’re prepared.

Embracing technology has been great for us as a global community in many ways. For example, it has enabled people and businesses to almost seamlessly shift to remote or hybrid working models, with a plethora of collaborative software to utilise.

However, this can be a double-edged sword. The more technology organisations interact with, the more opportunities for cyber criminals to launch cyber-attacks.

At the beginning of 2021, QMS International carried out a cyber security survey among businesses and 75.7% of the respondents reported that they now felt more open to attack. Another 10% reported that they had no confidence in fending one off.

This stresses the importance of understanding what good IT security looks like and how you can protect your business, employees, clients and stakeholders from dangerous and costly cyber-attacks. If organisations and individuals are aware of best practices and show due diligence in their cyber security protocols, there is minimal reason to worry.

In this article, the experts at QMS International take you through potential risks to IT security in 2022, upcoming changes that might affect businesses, and best practices to implement to ensure cyber operations are completely secure.

Ransomware

The Chief Executive of the UK’s National Cyber Security Centre, Lindy Cameron, has warned that ransomware is “the most immediate danger to UK businesses” and all organisations could be at risk of cyber-attacks through the use of ransomware.

According to an analysis of reports made to the UK’s Information Commissioner’s Office (ICO) by CybSafe, the number of ransomware incidents in the first half of 2021 doubled compared to the number reported in the first half of 2020.

Ransomware is a type of malicious software which cyber criminals deploy on an unsuspecting person’s computer network in order to encrypt their files.

If a cyber-criminal is successful in doing this, it enables them to extort the victim into paying large fees to decrypt their files and make them accessible again.

Nowadays, most people tend to have their data backed up somewhere, whether on an external hard drive or in the Cloud. Most cyber criminals have cottoned on to this and now also threaten to release stolen files online. This same threat has been used against those who have refused to pay the criminal.

Often, cyber criminals will target customer service and HR teams as they are easily reachable employees who hold information valuable to the cyber-criminal.

It’s absolutely crucial that organisations ensure they’re well equipped to prevent ransomware attacks in the coming year, and make sure all employees have a fundamental understanding of how to spot and avoid potential ransomware attacks.

Spear phishing

With the pandemic forcing people to adopt new technologies, cyber criminals have been using different methods to carry out their attacks. One method that seems to have gained popularity has been spear phishing.

Spear phishing is a type of digital communication scam that targets a specific individual or organisation. It’s designed to trick unsuspecting victims into clicking a link and willingly giving away their credentials. Unlike conventional phishing, which is a broader approach to the same goal, spear phishing is a lot more personal, and can be a lot more deceiving.

In order to prevent spear phishing attacks, organisations should create filters which flag incoming emails as either internal or external, which allows the recipient to see if somebody is trying to trick them.
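The internal/external flagging described above, as an added example that is not QMS International's own tooling: a small Python filter that tags mail from outside the organisation's domains and, going one step further than the paragraph, highlights external senders whose display name matches an internal person or domain (the usual spear-phishing pattern). The internal domain, staff names and sample messages are constructed assumptions.

```python
"""Tag external email and flag display-name impersonation of internal staff.

Added illustration, not QMS International's own tooling. The organisation's
domain, the staff directory and the sample messages are constructed values.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.uk"}        # assumption: the organisation's domain(s)
STAFF_NAMES = {"jane doe", "finance team"}  # assumption: names likely to be impersonated
TAG = "[EXTERNAL]"

# Constructed sample messages: a lookalike-domain spoof, a genuine internal
# message and an ordinary external newsletter.
SAMPLE_SPOOF = "From: Jane Doe <jane.doe@examp1e.co.uk>\nSubject: Urgent invoice\n\nPay today.\n"
SAMPLE_INTERNAL = "From: Jane Doe <jane.doe@example.co.uk>\nSubject: Lunch\n\nHi.\n"
SAMPLE_EXTERNAL = "From: Newsletter <news@vendor.example>\nSubject: Offers\n\nDeals.\n"


def classify(raw_message: str) -> dict:
    """Decide whether the sender is external and whether the display name
    impersonates someone internal. A missing or unparsable From header is
    treated as external, so unknown origins are never silently trusted."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    name = display_name.strip().lower()
    impersonation = external and (
        name in STAFF_NAMES or any(d in name for d in INTERNAL_DOMAINS)
    )
    return {"external": external, "impersonation": impersonation, "from": address}


def tag_subject(raw_message: str) -> str:
    """Return the Subject line the recipient should see: unchanged for
    internal mail, prefixed with the external tag (and an impersonation
    warning where applicable) otherwise. Already-tagged mail is left alone."""
    verdict = classify(raw_message)
    subject = message_from_string(raw_message).get("Subject", "")
    if not verdict["external"] or subject.startswith(TAG):
        return subject
    label = TAG + (" SUSPECTED IMPERSONATION" if verdict["impersonation"] else "")
    return f"{label} {subject}".strip()


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_INTERNAL, SAMPLE_EXTERNAL):
        print(tag_subject(sample))
```

In a real deployment the same decision would live in the mail gateway's transport rules; the point of the script is the classification logic, in particular that the tag alone does not catch a lookalike domain used with a trusted name.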

Additionally, organisations should ensure employees are educated to understand what spear phishing is and how it can be prevented. This information can be simply delivered through eLearning on cyber security.

Remote or hybrid working

Over the past two years, the various lockdowns and a shift in attitudes have led to businesses adopting mass remote working or moving into hybrid working models. Now, in 2022, it’s clear to see that the movement towards remote and hybrid working is here to stay, with 85% of managers believing that having teams with remote workers will become the new norm.

However, remote working presents a number of challenges to an organisation’s cyber security. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic in March 2020 to more than 60% six weeks later when the nation was in lockdown.

Risks like unsafe networks, digital file sharing, and outdated software make up part of a long list of risks that should be addressed by all organisations with remote workers.

These risks should not put off organisations from allowing employees to work remotely, but instead should encourage all businesses to ensure their cyber security policies are up to date and cover remote working responsibilities.

Training employees, carrying out risk assessments, making sure workers are using secure connections, and introducing robust information management frameworks will all help protect your business during hybrid or remote working.

Create a culture of IT security in 2022

From larger businesses to SMEs and start-ups, creating a culture of security is one of the most effective ways to protect your business against all types of cyber-attack in 2022 – and you can do this through ISO 27001 and ISO 27002.

ISO 27001 is the internationally recognised Standard which provides the framework for a comprehensive Information Security Management System (ISMS). It implements 114 legal, physical and technical risk controls that allow an organisation to carry out robust information management.

It’s set to be updated in the coming months to reflect the current challenges to an organisation’s IT security – making 2022 a great time to put in place a futureproof framework to protect your business.

Another Standard receiving an update in 2022 is ISO 27002 – the code of practice for an ISMS, which provides details on the requirements and controls in ISO 27001. Again, this update will make sure ISO 27002 reflects and addresses the current challenges businesses face in relation to IT security.

Adopting the latest versions of these Standards is a great way to give your business all-round protection in 2022 and beyond – so you can reassure your stakeholders and clients, fulfil your legal obligations, and keep your information secure at all times.

How can businesses maintain IT security in a hybrid working model?

Guest Post

By Claire Price of QMS International, one of the UK’s leading ISO certification bodies

Businesses now have the green light to go back to work, but your organisation may not be returning to its old working practices. So, if a hybrid model is being adopted, what can you do to ensure that information stays secure?

The introduction of more widespread homeworking has certainly piled on the pressure for businesses’ IT security.

At the beginning of 2021, QMS International carried out a survey of businesses about their cyber security and 75.7% of the respondents reported that they now felt more open to attack. Another 10% reported that they had no confidence in fending one off.

And businesses have a right to be worried. According to analysis of reports made to the UK’s Information Commissioner’s Office (ICO) by CybSafe, the number of ransomware incidents in the first half of 2021 doubled compared to the number reported in the first half of 2020.

Malicious emails have also been redirected to attack those working from home. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic before the first lockdown in March 2020 to more than 60% six weeks later. With homeworking becoming more of a permanent fixture in business models, this trend is likely to continue.

While hybrid working offers your team the best of both worlds when it comes to office and home working, it also leaves your business open to the unique risks associated with both, with the added bonus of those linked to transport and travel.

But this doesn’t mean you have to abandon this new way of working. With the right processes in place, you can ensure your information stays secure, no matter where your staff are based.

Carry out a risk assessment

First things first – you must carry out a risk assessment.

Knowing the precise risks your business faces is key to developing methods of removing or mitigating them, but assessments like this are often overlooked. In fact, QMS’ cyber report found that 30% of respondents admitted that no new information security risk assessments had been carried out, despite changes to working practices.

Discover the risks, analyse their likelihood, and then decide if and how they can be controlled. This will give you the grounding you need to build your wider hybrid IT strategy.

Train and test your team

With cyber-attacks on the rise and remote workers being more vulnerable, it’s crucial that your hybrid team know what to look for and, just as crucially, how to report anything suspicious. The best way to do this is through training, which can now be carried out very effectively via e-learning.

This training should cover common cyber-attacks – such as phishing emails – how to spot them, the fundamentals of social engineering, and how to report suspicious activity. Ideally, this training should be refreshed regularly as new cyber threats emerge. You may also like to include training on the safe use of video calls and how to ensure video cameras are switched off when not in use.

To ensure your team have absorbed what they’ve learnt, carry out penetration testing. This involves crafting fake phishing emails and sending them out to your employees. What they do will give you an idea of whether your training has been effective.

Address access

When your hybrid team aren’t in the workplace, they will need to access servers and files remotely. This will often be via a VPN (Virtual Private Network), so you need to ensure that this is as secure as possible.

Remote workers will also be relying on their home Wi-Fi, but this may not be as secure as the Wi-Fi in your office. Your team should therefore be encouraged to create strong passwords – not the default ones on the base of the router.

Workers need to be cautioned against the use of free Wi-Fi hotspots too. It’s possible that your workers may want to use them to work on the train, for example, or in a coffee shop. However, public Wi-Fi is notoriously insecure, and your workers should be cautioned against using it.

Think about physical protection

If your workers are going to be travelling between locations, then they are going to have to carry equipment such as laptops, phones and removable media with them. If something is lost or stolen, your business information could be compromised. Indeed, IBM’s Cost of a Data Breach report revealed that around 10% of malicious breaches are due to a physical security compromise.

A solid back-up protocol is key to ensuring that any lost information can be recovered. A robust password and access process is also a must – you may want to think about two-factor authentication to make logging in more secure. Make sure you also have a protocol in place so that if your team do report something as lost or stolen, you can act quickly.

When working remotely, you need to ensure that your staff keep their physical devices safe too. Equipment should be kept out of sight when not in use and papers stored away. If your workers are printing content, you may also need a safe disposal or destruction policy in place.

To prevent prying eyes seeing something they shouldn’t, workers should lock their screens when away from their workspace, whether they’re in the office or at home. And if any of your team do want to work while in public, they should be cautioned about the kind of work they perform – who knows who’s sitting next to you?

Create a culture of security

If you really want to take information security to the next level, you may want to consider a more wide-reaching measure such as ISO 27001.

ISO 27001 is the international Standard for information security management, and it is designed to help organisations integrate information security into every aspect of business.

Its 114 controls tackle every angle of security, including physical, legal, digital and human, bringing them together to enable you to maintain compliance and showcase to employees, customers and stakeholders that you have the processes in place to protect information from theft and corruption.

Going forward, it could give you the framework you need to adapt your practices to suit your new hybrid working model and any changes in the future.