In December 2016, we held an information session for clients and staff on the benefits of the ISO 27001:2013 training course, which teaches auditors the key processes and approaches a business needs to manage information security risks.
The information session was attended by a wide-ranging audience, from clients’ CEOs and COOs to individual management systems auditors, and while we had them all in the same room, we took the opportunity to conduct a short survey to find out how they approach the security of their organisation’s information assets.
Some very surprising results came out of the survey. For example, when asked whether they would know if their information or data had been breached or hacked, 53 per cent of respondents said they wouldn’t be sure. Worryingly, more than half of all respondents also said their business didn’t have an inventory of its information security assets or, if it did, that it was rarely updated.
In keeping with PwC’s purpose of building trust in society and solving important problems, we can help clients ‘reimagine the possible’ and align their information security framework to the international standard and train their workforce in information security controls and processes to address security risks.
Are your Information Assets Secure?
We quizzed organisations about their information security systems, and found that not everyone is as prepared as they perhaps should be.
Seven key areas of ISO 27001:2013, the international standard for Information Security Management Systems, were identified.
1. Would you know if your information or data was breached or hacked?
82% of respondents wouldn’t know, or are unsure whether they would know, if their data was breached. Pending changes to the Privacy Act will mean that all organisations with an annual turnover of more than $3M will need to report to the Privacy Commissioner all breaches, whether actual or suspected, that result in a loss of personal information.
Full control of your security risks is not only a demand from your customers, but may end up being mandatory under the law.
2. Do you have different levels of classification for the information that you store?
42% of companies surveyed don’t classify the information that is generated and stored. This means that the email about your potential business strategy, or your staff’s personal information, is treated the same as that email to your partner to buy milk on the way home. Of the 58% that do classify their information, the question still stands as to whether or not their system is applied consistently across the board.
Information is required to be classified, then labelled and handled according to its level of classification. It’s obvious that things like credit card details and personal information need to be secured differently to information about the stationery order or the lunch menu; however, many organisations seem to lack a formal process around this.
(ISO 27001:2013 Annex A, A.8.2.1 – Classification of information)
3. Do you allow your staff to work flexibly from home?
Flexible working environments are definitely here to stay; however, this poses its own set of risks. Are your organisation’s top secrets safe in someone else’s home, or on a personal device?
56% of companies allow work from personal devices. Whilst companies can control the security and maintenance on devices that they own, it is much harder to control your employees’ own devices.
Are they the Achilles’ heel of your system?
(ISO 27001:2013 Annex A, A.11.2.6 – the security and protection of equipment and information off-site)
4. Do you have an inventory of all your information security assets?
Information is an asset, and like other business assets, it is essential to an organisation’s value. Nearly a quarter of respondents don’t have an inventory at all, and just over a quarter have one, but don’t keep it up to date.
Information assets, in comparison to other business assets, can change rapidly. Regular reviews and amendments of the information asset register are crucial to identify information and to set the appropriate level of classification and protection required.
How can you control something if you don’t know what you have?
(ISO 27001:2013 Annex A, A.8.1.1 – Inventory of assets)
5. Do your staff leave documents on desks or unlocked screens unattended?
ISO 27001 sets out controls for both unattended user equipment and clear desk and screen policies. Almost three quarters of respondents admitted that information is left unsecured either during the day or overnight.
Flexible, collaborative and open plan working means protection from wandering eyes is more crucial than it was in traditional offices; and with most of us now having a smartphone, one click and send can mean your information has gone viral.
(ISO 27001:2013 Annex A, A.11.2.8 – Unattended user equipment and A.11.2.9 – Clear desk and screen policy)
6. Are all your staff members aware of, and trained in your company’s information security processes?
One of the biggest risks to any organisation with regard to information security is its people; however, over a fifth of employees are not trained in information security at all, and a further third are only trained at induction.
The success of keeping information secure is everyone’s responsibility, and we need to ensure that all staff know and are fulfilling their responsibilities.
(ISO 27001:2013, Annex A, A.7.2.2 – Information security awareness, education and training)
7. Who leads your information security system?
One third of companies defer the information security responsibility to the IT department. To ensure information security objectives are established, integrated, resourced and achieved, leadership and commitment by top management are essential.
Information security risks affect more than just the IT department. Leaders need to understand the financial and reputational impact of information loss.
(ISO 27001:2013, refer to 5.5 Leadership)