While every other week the media reports a new data breach, many organisations are asking ‘what can be done to stop both the hack and the fines?’ A five-minute coffee chat between Ilia Kolochenko, CEO of ImmuniWeb, and Johanna Hamilton AMBCS reveals that the answer is as simple as ISO 27001.

‘It’s about strategy,’ begins Kolochenko, ‘because in my opinion the vast majority of data breaches and incidents, external or internal, stem from inconsistent, outdated or otherwise flawed information security management. Major hacks are not about technology or mysteriously sophisticated cybercriminals from Russia or China, it's frequently about a poor cybersecurity organisation and internal negligence.

‘We have great cybersecurity companies in Europe and in the UK particularly, and in the United States, offering technically excellent solutions that can provide almost 99% protection against the widespread attack vectors exploited by sophisticated gangs. When technology is addressing the wrong risks, or when some risks are unknown or underestimated, spending millions on state-of-the-art security solutions is pointless.

A backdoor to stealing the crown jewels

‘Today, many large-scale security incidents do not rely on so-called zero-day vulnerabilities, nor do they involve advanced persistent threats (APT). Frequently, organisations have a considerable number of externally exposed systems that are forgotten or abandoned, that contain easily exploitable and publicly known vulnerabilities, or that simply provide unrestricted access to business-critical data.

‘You don’t even need to be a technically savvy cybercriminal to steal crown jewels from many companies. Today, you can effortlessly compromise the very same data via comparatively simple supply chain attacks against their trusted third parties, such as lawyers or IT support vendors - where you can exfiltrate the same data entrusted to the under-protected suppliers and consultants.’

While we often hear about maintaining legacy systems and creating hybrid systems, the fact is that moving on to the next big thing can mean that something integral to the smooth running and security of a system is left behind. Aside from obsolescence, in larger organisations, especially in the age of working from home, it is difficult to know whether everyone who logs on to the system is authorised to do so.

The weakest link isn’t technical, it’s human

‘Not infrequently, security breaches are about the human factor,’ continues Kolochenko. ‘I know several great companies where business and security leaders collaborate on a daily basis and truly care about cybersecurity, privacy and compliance on all layers of the enterprise.

‘They carefully plan on both the operational and strategic layers, and they know where they want to be three years from now. Their “secret sauce” is fairly simple: open inter-team collaboration, multistakeholder cost / benefit analysis, ongoing risk management and timely implementation of adequate security controls proportional to the corporate risk appetite and foreseeable security threats.

‘When I started my penetration testing career in 2006, we were dealing with the first versions of the PCI DSS (Payment Card Industry Data Security Standard). It was a big deal because it was de facto the first security standard that could bring real monetary penalties for non-compliance. So virtually everyone in the infosec industry was talking about the PCI DSS hype. What I witnessed then is comparable to the modern hype and misunderstanding around GDPR: countless organisations just want a “paper” certifying their compliance.

‘Luckily for both society and consumers, GDPR is far more complex than this and requires comprehensive, continuous and multi-dimensional efforts to maintain compliance. We still witness a lot of confusion and misconception around GDPR, notably about penalties.

‘For example, Article 83 is crystal-clear that the notorious 4% fines are not applicable to data security or data breach violations, which are punishable with a 2% fine. On the other side, few people know that many EU countries enacted criminal penalties in addition to GDPR for the most serious violations of PII mishandling or for ignoring a national DPA order.’

A real security choice, not just a “paper”

‘That said, many companies are still primarily concerned with having “the paper”. I have observed some “creative” approaches, like hiring external auditors to write a report stating that “as per our observations, the company XYZ follows the principles of GDPR”, to proudly put this “certificate” on the wall and claim to be “GDPR-compliant”.

‘Commonly people still care about more formal or nominal requirements rather than implementing a comprehensive, multi-layered and holistic approach to cybersecurity that is deeply intertwined with privacy and data protection (as imposed by the regulatory requirements).

‘Turnover and a lack of standardised cybersecurity education aggravate the problem: when a new CISO or a deputy starts a job in a company, he or she may have their own vision and particular strategy, based on their previous experience, which is not necessarily compatible with the values and objectives of their new employer. Eventually, the corporate cybersecurity strategy is continuously amended and adjusted, creating an unmanageable and fragile Frankenstein’s monster.’

No company is invulnerable to cyber-threat

‘The challenge that we face in 2021, and my guess is that unfortunately the situation will likely get worse, is inconsistent or otherwise improper cybersecurity management. Lack of a coherent and long-term oriented strategy will inevitably undermine the value of any technical security controls, even from the best cybersecurity vendors. Just because companies have cutting-edge solutions that cost millions, it does not make them invulnerable.

‘Conversely, few experts know how to properly configure and maintain an advanced or novel defensive solution, that is consequently left in a default or “allow-all” mode. On the other side, cybercriminals are impeccably well organised, pragmatic and know how to carefully select their targets. The bad guys plan their raids and coordinate their nefarious efforts from A to Z, getting much better efficiency and effectiveness than an average cybersecurity start-up.

‘Their meticulously planned management and well-thought-out strategy is what really makes them successful in the battle against careless companies with a “not my job” or “who cares” attitude. The bad guys are not smarter, nor more intelligent than we are; they just have a much better organisation and a more consistent approach.’

What can be done?

Kolochenko advocates that building your cybersecurity strategy on a standard such as the globally renowned ISO 27001 ISMS (Information Security Management System) standard is a powerful starting step. The standard, which was introduced in 2005 and revised in 2013, provides multifaceted guidance on establishing, implementing, maintaining and continually improving an information security management system (ISMS).

Differing from the technology-orientated PCI DSS, the ISO 27001 standard dedicates a lot of attention to management’s and the board’s commitment to information and data protection governance, ongoing risk assessment, strong collaboration between all corporate units (an enlarged form of DevSecOps) and also gives special attention to human risk mitigation. The standard fuses technology and business processes so that a corporate information security management programme is both efficient and effective.

The standard has its roots in BS 7799, published by the British Standards Institution (BSI) in 1995 and written by the UK Department of Trade and Industry; its second part, BS 7799-2, became ISO/IEC 27001 in 2005. The standard was created jointly by the International Organization for Standardization and the International Electrotechnical Commission to help organisations examine their information security risks, threats, vulnerabilities and impacts, while also designing and implementing an all-encompassing risk strategy that is constantly revisited.

The United States favours SOC 2

Kolochenko continues: ‘In the United States, companies usually prefer SOC 2 but, in my opinion, SOC 2 is less comprehensive and more technology-orientated. Practically speaking, SOC 2 is a set of reports, while ISO is a standard underpinned by regular internal and external auditing, based on clear guidelines.

‘ISO 27001 is one of the smartest standards in terms of its approach to information security management. On one side it’s very flexible: you can design your own risk assessment plan and decide on your own security controls (of course, within reason and following common sense). But on the other side, it ensures that the certified organisation, of any size and from any industry, can build a flexible but comprehensive data protection programme and demonstrate this to concerned third parties.

‘As part of the requirements, the standard also includes security training and awareness, and it directly mandates individual responsibility and accountability. It gives employees the necessary authority to properly carry out their duties, so it’s really about information security management, not a check-box list of isolated security controls.’

‘With ISO 27001, you need to implement a risk-based and threat-aware cybersecurity strategy that is continuously evolving, taking into consideration changing legislation and the interests of stakeholders like your customers, partners and suppliers.’

With Brexit comes yet another standard

As Britain leaves the EU, it needs to enact its own versions of EU laws: for instance, there is now a UK GDPR alongside the EU GDPR, although the two are substantially the same.

Kolochenko continues, ‘We have so many upcoming and recently enacted data protection laws and privacy regulations that it would be difficult to count them. But I would say that if you have a properly implemented and maintained ISO 27001 ISMS in your company, you will likely comply with most of them in a much shorter and considerably less expensive manner.

‘ISO 27001 is one of the most sustainable data protection standards because it focuses on all aspects of the ISMS, not only on your technical security controls or on isolated systems that process specific information like credit card or healthcare data. ISO 27001 stands out as a comprehensive, inclusive and long-term orientated standard. I think ISO 27001 is a great way to review your information security management, its efficiency and effectiveness, from technical, managerial, financial and human viewpoints.’