6 tips for increasing digital trust through infosec and cloud continuity
Two of the most important standards available to businesses today are, arguably, Information Security Management (ISO/IEC 27001) and Business Continuity Management (ISO 22301) — the international gold standards for infosec and risk management.
Information Security Management provides a framework for managing risks and keeping information assets secure, especially in relation to cyber security and data privacy. Business Continuity Management (BCM) is focused on improving organizations’ resilience, ensuring critical functions (like those underpinned by cloud services) remain operational during times of crisis and major disruptions.
In the digital age, these two standards combine to form the foundation of ‘digital trust’, a term describing the confidence customers and stakeholders have in the security of your digital ecosystem, your supply chain and your operations.
For the thousands of our clients who have achieved these certifications, it is a way for them to immediately demonstrate to their customers that they take data privacy, security and operational resiliency seriously. These standards give stakeholders confidence that business can and will carry on as usual in the event that their network or those of their cloud partners suffers an outage, a major weather event, a cyber attack or anything in between.
Here, we share our six top tips for building digital trust through strong infosec processes and robust business and cloud continuity planning, inspired by the approaches found in ISO/IEC 27001 and ISO 22301.
- Undertake a cybersecurity risk assessment
It’s essential to define all the possible threats your business might face. This includes exploring the potential impact of multiple scenarios, and considering whether any would expose you to severe regulatory trouble. Your assessment must also include suppliers, given the degree of risk in distributed, globalized supply chains, and cloud partners given that these services are core to many critical business applications and home to plenty of sensitive data.
- Make a plan
In the event of a major cyber security incident or disruption to operations, your organization must consider the seven “Ps” required to stay in business and preserve information security: providers (internal and suppliers), performance (service level agreements you need to meet), processes, people, premises, profile (your brand) and preparation.
Following your risk assessment, make a plan that outlines the minimum security, continuity and privacy requirements of the business, customers and suppliers under each “P”, and how you will meet them during a cyber security incident or attack. You must also assign responsibility for ensuring these are delivered. Remember: the plan might look slightly different depending on the circumstances, so brainstorm different scenarios you might reasonably expect to see in your industry or market to prepare for any eventuality.
- Test your plan
Mock exercises allow you to catch gaps in your information security and cloud continuity so you can have confidence in your defence in the event of an attack. You might also consider including external stakeholders, especially customers, suppliers and cloud vendors.
For your testing, think about how to respond to the impacts of an information security emergency or risk to continuity beyond the loss or disruption to data, such as material financial losses, supply chain disruptions and even physical destruction of property.
- Building confidence in your most critical asset: people
Most information security lapses are the result of human error. A solid training and certification programme is a vital part of any information management policy — many breaches are simply prompted by unwitting employees clicking links in malicious emails. By ensuring staff know enough to be able to spot risks to digital trust, and respond quickly to any issues affecting information security, is critical to your overall resilience.
- Adopt a zero-trust approach to network security
Gartner believes that zero-trust network access (ZTNA), the fastest-growing form of network security, will grow by 31% in 2023 and will replace VPNs entirely by 2025[1]. A zero-trust approach to network security assumes there is no network edge and focuses instead on continuously validating, authenticating and authorizing user access to data and applications. In the world of hybrid work, every business serious about increasing their resilience to cyber attacks should be exploring how ZTNA can work for them.
- Work with your supply chain to understand and strengthen their information security management processes
By 2025, 45% of organizations will experience attacks on their software supply chains, — three times as many as in 2021[2]. This illustrates that risks to information security span the entire digital ecosystem, inside and outside of an organization. Strengthen digital trust by working with suppliers whose approach to information security aligns with your own and inserting defined policies in your contracts.
Our vision is to support clients to build trust in the digital era, by ensuring interactions between businesses and people are engaging and secure. Contact us to learn more about how we can help you on your journey to increased digital trust.
[1] https://www.datacenterknowledge.com/security/gartner-zero-trust-will-replace-your-vpn-2025
[2] https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022