Governance, Risk and Compliance Blog

ISO 27001:2013 – Why is information security important?

Posted by Marc Gardner on Mon, Jul 31, 2017

Information in this day and age has become currency, driving business and commerce across the world. It could be your organisation's most important and valuable asset, and so it demands to be properly protected.

Protecting information means managing risk, just as you'd manage the risk of any other type of hazard occurring. Yet the risks around information security are all too often overlooked or brushed off  the mindset being that only the huge multinational corporations suffer data breaches and "it'll never happen to us".

But it can happen to any business – and does.

More than 1,500 UK businesses took part in the UK Government's Cyber Security Breaches Survey 2017 and virtually all were found to have been exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation.

Yes, larger organisations are routinely hit, for various reasons. It might be that their security measures aren't integrated but operating in isolation, creating vulnerabilities for calculating hackers to exploit. Or perhaps their systems are outdated, unfit for purpose in staving off sophisticated cyber threats.

Nearly 70% of all medium (50 to 249 staff) to large (250+) businesses surveyed by the UK Government said they'd suffered some kind of cyber breach or attack in the previous year. For micro (2 to 9 staff) and small (10 to 49) businesses, it was a not-insignificant 45%.

Click the image to read findings from the Government's surveyClick the image to read findings from the Government's survey

Click the images to read findings from the UK Government survey


With technology only becoming more commonplace in business and industry, information security simply can't be ignored. Still, m
icro/small businesses are less likely than medium and large firms to have implemented cyber security measures (formal policies or staff training, for example) or sought advice on how to do it. 35% of micro/small businesses that had identified a breach still considered security a low priority. Some businesses thought themselves too small or insignificant to consider security measures at all.

While the big firms are hit with the highest costs in monetary terms, the financial impact of cyber attacks is disproportionately high for firms with fewer than 100 employees, as a report commissioned by insurance provider Hiscox found.

Click to read the Hiscox Cyber Readiness Report 2017

However, not all data breaches are hacks, and information security involves more than your company's website and IT network. The physical security of your buildings; your employees' use of electronic devices like laptops, smartphones and tablets; your handling of confidential documents – these are considerations that affect all businesses, regardless of size.

So organisations need to be heeding the warnings about data security, and recognising that it's vital to their reputation, brand and the continuity of their business. An increasing number of companies are adopting international standards like ISO 27001 and 27002 to demonstrate their commitment in this area. And many firms are devoting more budget and manpower to keeping their information secure.

Consider your own organisation. How committed to information security are you? Is there more you can be doing to protect yourself? 

If you're doing it right, you'll have built information security into everything you do – it'll be reflected in your corporate strategy and objectives, your company culture. You'll have planned and implemented an information security management system (ISMS). And every employee, from top-level management down, will know what's required and what they need to do to achieve it.

 

What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS

Tags: ISO 27001