Watch out, cyber-attack! When a new virus infects computers throughout the world, organizations need to protect themselves. To minimize the risks, some opt for ISO/IEC 27001 certification. Lowdown with a specialist.
The virus has had a heavy and unprecedented toll. On Friday 12 May 2017, the WannaCrypt malware spread like wildfire in 150 countries in less than 24 hours. Administrations, hospitals, industries, transport… Nearly 200,000 victims were affected around the world. For organizations and companies of all sizes, concerns remain. And rightly so: just five days after the first attack, a new computer virus struck. How can we protect ourselves from cyber-attacks? How can we secure our processes?
To answer the questions from professionals, consumers and organizations, AFNOR Certification recently increased involvement in conferences and round tables on the subject. There it shared feedback from ISO/IEC 27001 certified organizations, and therefore recognized for the thoroughness of their management system for the security of information systems and information.
Lowdown with François Lorek, AFNOR auditor, coordinator of the “Security Control and Services” international task force within the ISO and director of TRAX, a company specializing in cyber-security compliance.
What do you take away from the cyber-attack of spring 2017?
Unlike ordinary attacks, the Windows flaw exploited led to an attack of unprecedented virulence. WannaCrypt contaminated many IT systems, in particular those of line production industries. Indeed, although organizations in the tertiary sector update their office system regularly, this is not always the case for industrial or hospital information systems. Appropriate action and good practice with regard to threats are currently still insufficiently deployed in organizations. The basic rules are not yet sufficiently respected. One way or another, this leads to vulnerability. After all, when you have the flu, you don’t go outside wearing just a tee-shirt! The same applies when it comes to cybersecurity: you need to protect yourself, otherwise you may fall ill.
How does ISO/IEC 27001 certification help to protect against a cyber-attack?
ISO/IEC 27001 certification is recognition of having put in place a management system dedicated to information security. It proves that the organization has been guided in this project and is heading in the right direction. ISO/IEC 27001 certification is based on the requirements of the voluntary standard of the same name. This globally recognized standard allows organizations to ask the right questions: what are the characteristics of my organization?, what are my activities?, for me, what are the major risks to be controlled? The organization will implement adapted actions based on the answers. In that way it will know how best to defend itself. Access management, physical security, management of security incidents… The standard reviews a series of key points. Its new version, published in 2013, places the emphasis on two of them: improving upstream security in the company’s projects and relations with its suppliers (to prevent loss of data in particular). This is all the more important at a time when the new European regulation on data protection demands greater strictness when it comes to data protection.
Are you seeing that certified organizations are better protected from cyber-attacks? How many have chosen to initiate a certification initiative?
Certification is not an impenetrable barrier against cyber-attacks. Affected? Not affected? There is always an element of luck or bad luck. But with ISO/IEC 27001 certification, organizations buy themselves some time. If the threats are detected in advance, the attack can be quickly isolated, the organization can react appropriately and immediately, making suitable decisions, and the “vital” activities of the organization will be less affected, if at all. In 2015, there were 226 ISO/IEC 27001 certified entities in France (figures from the ISO Survey 2015). This figure is low compared with other European countries. It has to be said that we have some ground to make up. A culture of anticipation needs to be developed. Certification is an important factor for trust, with major European invitations to tender making it a minimum requirement. It is therefore in the interests of French organizations to launch the initiative in order to win new contracts.