Essential organizational measures and the role of an ISMS

As the world becomes increasingly connected and reliant on technology, cybersecurity has become a critical concern for organizations of all sizes. Cyber threats come in many forms, from phishing scams and malware to ransomware attacks and data breaches, and they can have serious consequences for businesses, including financial losses, damaged reputations, and legal liabilities. According to a BITKOM study in 2022, cybercrimes accounted for annual losses of EUR 223 billion – only for German businesses alone. What is worrying here is that the losses have doubled since 2018-2019 and that any related numbers are likely massive underestimates, since many companies never know they have been a victim of an attack or, out of concern for negative reporting, make deliberate efforts to keep attacks out of the public eye.

For organizations, the essential starting point for protecting against these threats should be a comprehensive cybersecurity strategy. It is a plan that outlines how an organization will protect itself against cyber threats and respond to cyber incidents. A cybersecurity strategy includes both technical and non-technical measures to prevent, detect, and respond to cyber attacks, such as technical controls (e.g. firewalls, endpoint protection), employee education and awareness programs, and incident response plans.

A central pillar of a cybersecurity strategy is an information security management system (ISMS for short). It is a framework of policies, processes, and procedures that an organization puts in place to manage and protect its sensitive information assets. The goal of an ISMS is to ensure that the confidentiality, integrity, and availability of the organization’s information are maintained.

Implementing an ISMS can help an organization to:

  • Define and manage controls against cyber threats and data breaches
  • Maintain the confidentiality, integrity and availability of its information assets through standardized security processes
  • Meet regulatory and compliance requirements
  • Improve its risk management processes
  • Lay the foundation for certifications and thereby enhance its reputation and customer trust
  • Reduce cybersecurity costs by establishing a set of standardized procedures and controls and thus avoiding duplicate efforts and wasted resources

To this end, an ISMS usually includes the following elements:

  • Policies: These are high-level statements of the organization’s goals and objectives related to information security.
  • Processes: These are the specific steps that the organization takes to implement its information security policies. These may include procedures for handling sensitive information, access controls, incident response, and more.
  • Procedures: These are the detailed instructions for performing specific tasks related to the organization’s information security processes.

An ISMS is typically based on a standard or framework, such as ISO 27001. This standard provides a set of best practices and guidelines for implementing and maintaining an ISMS.

An information security management system (ISMS) can be beneficial for organizations of any size. However, the specific elements of the ISMS may vary depending on the size and complexity of the organization. For example, a small business may have a relatively simple ISMS with just a few policies and procedures, while a large enterprise may have a more extensive ISMS with many detailed processes and procedures.

Two organizational low-hanging fruits that can be tackled right away are employee awareness and a crisis plan:

From an organizational perspective, one of the most important measures is employee education and awareness. Most cyber attacks rely on tricking people into taking actions that expose the organization to risk, such as clicking on a malicious link or sharing sensitive information. By educating employees about the types of threats they may encounter and how to identify and avoid them, organizations can significantly reduce their risk of falling victim to a cyber attack. Building an organization with high security awareness requires raising the employees’ awareness, since 15% of all security-relevant incidents can be traced back to phishing emails (Verizon 2020 Data Breach Investigations Report). This is usually done via awareness trainings and phishing mail simulations (see the CyberCompare article “How Security Awareness Protects your Business”).

Organizations should have a clear plan in place for responding to a cyber attack, a so-called emergency or crisis plan. On the one hand, this may include procedures for identifying the attack, containing the damage, and restoring affected systems and data. On the other hand, it outlines all necessary steps to help the organization manage any public relations issues that may arise in the wake of an attack. It’s best if the plan is known to all relevant stakeholders, safely stored, and tested on a regular basis.

From a technical perspective, the use of robust and state-of-the-art security technologies is mandatory. As with the ISMS, there is no one-size-fits-all technology stack, as the combination of cybersecurity technologies will depend on the specific needs and risks of the respective organization. 

That being said, there are some general principles that can help organizations choose the right technologies for their needs:

  • Consider the types of threats the organization is most likely to face: Different technologies are designed to protect against different types of threats. For example, an endpoint detection & response (EDR) system will help to safeguard endpoints like notebooks, servers and smartphones, while a firewall will focus on identifying and preventing unauthorized network access.
  • Technology management effort should fit your organization: Cybersecurity technologies that are difficult to use or require a lot of maintenance can be a burden on the organization and may not be used effectively. It is therefore important to select technologies that fit your company’s operating model or to operate them together with a trusted partner.
  • Consider the organization’s budget: A cybersecurity technology stack can get expensive quite easily, so it is important to consider the organization’s budget when choosing technologies. It may be necessary to make trade-offs between different technologies in order to stay within budget constraints.
  • Don’t rely on a single technology: No single technology can provide complete protection against all cyber threats. It is important to use a combination of technologies in order to provide the best possible protection.
  • Regularly review and update the organization’s technology stack: Cyber threats are constantly evolving, so it is important to regularly review and update the organization’s technology stack to ensure that it is still effective at protecting against current threats.

In sum, a good combination of cybersecurity technologies is one that is tailored to the specific needs and risks of the organization, is easy to use and manage, fits within the organization’s budget, and is regularly reviewed and updated to keep up with evolving threats.

Overall, cybersecurity is an ongoing process that requires continuous monitoring and updates to stay ahead of evolving threats. By taking a proactive approach and implementing a range of measures, organizations can significantly reduce their risk of falling victim to a cyber attack and protect themselves from the potential consequences. That’s exactly where we as CyberCompare help our customers. As trusted advisor we condu

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.
