5 Cyber Security and ISO 27001 Myths – IT Governance UK Blog


Common misconceptions and what you can do about them

Contrary to common belief, the external threat – a threat actor hacking their way into your systems through technical skill alone – isn’t your biggest problem.

In our previous interview with Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, we learned about the internal, or insider, threat and its significance.

If you don’t invest in cyber security or staff training, accidental breaches pose a far bigger threat than technically skilled hackers. Think about it from the attacker’s point of view: why bother taking the time and effort to break into a system if someone can just let you in? You only need one person to click a phishing link.

What are some other common cyber security myths or misconceptions? And what about misconceptions around ISO 27001, the international standard for information security management?

We put these questions to Damian.


Myths covered

  1. It’ll never happen to me
  2. My data isn’t worth anything
  3. Cyber security is an IT problem
  4. Security is just about preventing data from falling into the wrong hands
  5. Once the ISMS is in place, that’s job done


Myth #1: It’ll never happen to me

What are some common cyber security misconceptions?

A huge misconception is that ‘it [a cyber attack/data breach] will never happen to me’. Especially with small organisations. They say things like: ‘Why would anyone ever attack me? I have nothing worth stealing – why would I worry about an attack?’

This was especially true before the GDPR [General Data Protection Regulation] came into force. If you look back at the UK government’s 2016 and 2017 Cyber Security Breaches Surveys, you’ll see that small businesses were spending very little money on security.


Interviewer note

Damian’s response gave me a sense of déjà vu. When I asked our cyber incident responder Vanessa Horton about common misconceptions in cyber incident response in an interview earlier this year, without hesitating, she replied: “the [misplaced] belief that ‘it’s not going to happen to us’.”

For evidence that anyone can be successfully attacked, just look at big ransomware gangs: among others, LockBit, Ragnar Locker and Black Basta have all been taken down by law enforcement.

As Vanessa pointed out, the mindset that you won’t be targeted isn’t just wrong, but harmful. It leaves you unprepared for when you do suffer a cyber attack or data breach, worsening the damage.


Myth #2: My data isn’t worth anything

Didn’t organisations think their data – their business’s lifeblood – was worth stealing?

Unfortunately, the common perception was that ‘my data isn’t worth anything’, which adds to this belief that ‘I’m not going to be targeted’.

Fortunately, as awareness of the GDPR grew, the value of data became clearer – just look at the GDPR fines! A cap of 4% of global annual turnover or €20 million [whichever is greater] helped organisations put a price on their data.

By extension, organisations better understood the need to invest in security. They didn’t want to be found negligent, so they started to take more steps to protect personal data. Not always enough steps, but they were making more of an effort than before.

Nonetheless, organisations still tend to underestimate the value of their data. And only realise their mistake when it’s too late – when they lose access to it.


Myth #3: Cyber security is an IT problem

You’ve brought up two misconceptions so far: 1) ‘it’s not going to happen to me’, and 2) ‘my data isn’t worth all that much’. What are some other common security misconceptions?

Those are the two big ones. Many other misconceptions are extensions of them. For instance, one common information security risk stems from senior management.

I remember doing some work for a finance company. The board of directors was made up of quite wealthy individuals. Self-made wealth, which tends to go hand in hand with a certain arrogance, which only adds to that feeling of ‘it won’t happen to me’.

Anyway, I was introduced to the managing director, who said: “We need your help to sort out our cyber security. You’ll have a great time working with our IT team.” To which I responded: “No, I’m going to be working with you, too.”

Is that because ‘cyber security’ sounds technical, supposedly making it an IT problem?

Yes. People constantly interchange the words ‘cyber security’ and ‘information security’. In fact, I’m not keen on the term ‘cyber security’ – I much prefer ‘information security’.

Because if you say ‘cyber security’, most people – and organisations – will default to: “Oh, it’s IT. It’s technical. I don’t need to worry about it – someone else is dealing with it on my behalf.”

By extension, studies show that unless you make IT security explicit, people will assume that the security is happening in the background, and they’re still protected – even if the antivirus or padlock symbol isn’t showing.

Again, unless you explicitly teach them otherwise, people will assume that security isn’t their responsibility. Especially cyber security.

But simply changing the terminology to information security or data security already makes it seem like something non-technical employees – especially in senior management – might be responsible for.



ISO 27001 explicitly requires the ISMS [information security management system] to have senior management support. Are organisations implementing the Standard less prone to making this mistake – to assume that information security is an IT problem?

When they start implementing ISO 27001, organisations often assume it’s just something for IT to deal with.

However, as we [our consultants] begin to work with them, they start to understand that everyone is responsible for information security.

Again, specifically referring to information security is a huge help. Because where is information stored?

In today’s world, computer systems are a big one, of course. But also:

  • What hard-copy information do you keep? How is that secured? How do you destroy it? Do you have wastepaper bins? Do you shred it? Etc.
  • What information is undocumented – i.e. only stored in someone’s head? How many people have that knowledge? If it’s just the one person, what will you do if that person is sick, for example, or hit by a bus? How will you address that ‘single point of failure’?

When you start asking questions like these, it very quickly becomes clear to the client that everyone has a part to play in information security.


Myth #4: Security is just about preventing data from falling into the wrong hands

That seems to come down to making sure you’re accounting for the confidentiality, integrity and availability of your information.

Absolutely. While you definitely want to stop sensitive data from falling into the wrong hands [confidentiality], you also want your data to be accessible when you need it [availability]. If you have a single point of failure – like vital information only stored in someone’s head – what will you do if that person isn’t around?

If the answer boils down to ‘trouble’, you’d better make sure you document that information – ASAP! Another person reading that document may not have the experience of your key person, but having the information in writing means you can figure out a solution if someone is unavailable.

Of course, the information also needs to be accurate for it to be useful [integrity]. So, once written down, you need to maintain your documents. Make sure they’re up to date – review them once in a while and revise them if needed.


Myth #5: Once the ISMS is in place, that’s job done

Speaking of reviews, that’s important for the overall ISMS, isn’t it? To quote Alan Calder: “ISO 27001 certification is an ongoing journey, not a destination.”

That’s correct. When we help a client implement an ISMS, two things will happen:

  1. Your organisation will obtain ISO 27001 certification.
  2. You’ll be managing your information security risks as well as you can.

I’m emphasising that last bit, as you’ve got to accept that a security breach can still happen despite your best efforts.

People can still make a mistake, and a determined attacker, given enough time and resources, can still circumvent your defences. There are things you can do to mitigate the risk – like taking a defence-in-depth approach – but your ISMS isn’t foolproof.

One reason it’s important to regularly review your measures is because the landscape is always changing. Threat actors find new exploits. New technology, such as AI, becomes available. That’s why a new version of the Standard is out [ISO 27001:2022] – to account for the changing landscape.


ISO 27001 FastTrack™: Get certification-ready in 3 months

Our turnkey ISO 27001 FastTrack™ consultancy package is designed to help organisations reach ISO 27001 certification readiness in just three months.

Get the resources and expertise your organisation needs to prepare for and achieve accredited certification to ISO 27001:2022 within an agreed timescale for a fixed fee.

Don’t take our word for it

Our customer, Claire Brown, said:

Our consultant was always on hand to answer queries and really cared about the end result. He put in an enormous amount of solid effort, so huge thanks to him and the rest of your support team.


About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.

He also has an MSc in cyber security risk management and maintains various professional certifications.

As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.

We’ve previously interviewed Damian about the insider threat.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
