David Mudd, Global Head of Digital Trust Assurance, BSI, shares three tips to help organizations like yours manage and secure your data, whether it comes from its operations, employees and partners, customers or users.
The emerging data and privacy landscape
Organizations in the digital age rely on data as a vital resource. While data availability enhances productivity and communication, it also brings challenges related to governance, cybersecurity, and digital trust.
Maintaining command over data storage, access security, and management processes is imperative. This extends beyond operational efficiency, as breaches can yield severe financial and reputational consequences, particularly due to privacy regulations like GDPR.
Multiple trends impact data security, encompassing cybercrime costs, supply chain attacks, rising vulnerabilities, ransomware risks, and internal personnel factors.
Financial implications
According to data from Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023. UK Government statistics from 2021 showed that 39% of UK businesses reported cybersecurity breaches over a year, and of those, 27% suggested that breaches were a weekly occurrence. The financial impact of such a frequent occurrence of breaches could soon add up when the average cost of each breach was estimated at approximately £8,500.
Also, with only 21% describing their cybersecurity planning as 'mature', according to IBM, organizations may be ill-prepared, contributing to the rising costs predicted.
So, what can be done to close this gap and protect data?
Best practice for data management and security
While no one-size-fits-all solution exists, there are exemplary instances of best practices available to benefit organizations of all sizes, from small enterprises to global giants.
Here are three pointers to set you on the path of instilling trust in your organization's ability to manage and safeguard data:
1. Initiate with the end goal in mind
Organizations can thrive in the dynamic digital world by harnessing its benefits while minimizing cybersecurity risks. An effective information security management system is essential for this, providing a centralized solution that brings together people, processes, and technologies.
From day one, this system should:
- Assess risks and opportunities at a business level
- Focus on data management and protection objectives
- Implement best practice controls to mitigate risks
- Define responsibilities and timelines for action
- Continuously monitor and improve, considering evolving risks and business practices
By understanding the requirements for designing, implementing, and maintaining an effective system, organizations can start on the right path to build trust, maximize benefits, and ensure effective data management and protection.
2. Think beyond protection
Safeguarding your organization from cybersecurity risks is crucial. However, defenses can be breached by skilled individuals with the right intent and time.
Alongside shielding the organization and protecting personal data, emphasizing threat detection, suspect activity identification, and efficient response and recovery from cybersecurity incidents can be key to building resilience.
The NIST CyberSecurity Framework focuses on these key themes and guides organizations towards implementing a cybersecurity posture that aligns with their business risk.
While the NIST CSF is not designed to be a certifiable scheme, it can be adopted within certifiable frameworks such as ISO/IEC 27001, allowing a combination of best practice approaches to protect data and build trust.
3. Take a risk-based approach
For those new to cybersecurity, understanding the issues and implications of cyber risk, alongside effective risk management, may seem daunting. How do you prioritize what actions to take? To help with the risk assessment process there are best practice guides and standards which focus specifically on cybersecurity risk:
Guidance on Managing Information Security Risks (ISO/IEC 27005) uses global risk management concepts and best practice, helping organizations perform risk assessment and treatment.
The US National Institute of Standards and Technology (NIST) has created a Cybersecurity Framework (CSF), which also gives guidance on cyber risk management.
ISO/IEC 27001, the international standard for Information Security Management, is designed to address cybersecurity and privacy protection. It aligns global consensus best practices with ISO's management system approach, offering a foundation for building trust.
The flexibility of ISO/IEC 27001 allows integration with other relevant security controls and frameworks.
The accompanying ISO/IEC 27002 provides reference controls and detailed guidance for practical implementation, which can be prioritized by risk. You can seek accredited certification based on this requirements-based global standard, further enhancing trust in their data management and protection capabilities.
Building cyber resilience
The risks of cyberattacks and breaches cannot be ignored, with the potential for substantial financial losses and reputational damage. However, by adopting a proactive stance, you can fortify your defenses and establish robust strategies.