No organization, however big or small, is immune from cyber risk. The social media giant, Twitter, is the latest household name to suffer a security breach, but a growing number of attacks against small and medium-sized businesses goes unreported.
The Twitter attack used ‘social engineering’ techniques to trick employees into giving the attackers access to account support tools. The term social engineering describes the use of psychological manipulation to con individuals into performing actions that enable hackers to infect systems and networks with malicious code.
According to Verizon’s Data Breach Investigations Report, nearly 90% of malware is delivered in emails, in what are known as phishing campaigns. It is believed that the Twitter employees were the victims of a vishing attack, which replaces the e-mail with a direct phone call.
In the following video clip, which has been viewed more than three million times, a security consultant demonstrates just how easy it can be to gain access to an employee’s computer over the phone.
Although news coverage tends to focus on data breaches in major corporations, cyber attacks against organizations of all sizes have grown dramatically in recent years. The increasing numbers of people working from home as a result of the COVID-19 pandemic has further complicated the situation.
Employees are the common factor linking many security breaches; their actions are sometimes deliberately malicious, but more often the cause is carelessness. “People going about their normal operational duties are the biggest threat,” says IEC cyber security expert Frances Cleveland.
That is why the information security management system (ISMS) requirements described in ISO/IEC 27001 define a risk-management-based approach to managing people, processes, services and technology. Using ISO/IEC 27001 helps organizations manage all their information security risks.
These risks include threats, vulnerabilities and impacts. The standard also covers the design of controls to protect the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — and to regulate access to critical information systems and networks.
The IEC advocates a holistic approach to cyber security, combining best practices with testing and certification, as the best way to build cyber resilience. ISO/IEC 27001 is part of the approved process scheme that provides for the independent assessment and issuing of an international IECQ certificate of conformity to organizations that have demonstrated compliance with the relevant publications.
IECQ ISMS facility assessments under the IECQ AP scheme ensure a focus on the key technical and administrative elements that provide confidence that the requirements of ISO/IEC 27001 have been met.