An organisation’s people are a crucial feature in achieving best practice in cyber security, writes David Mudd, global head of digital trust assurance at BSI
Most organisations acknowledge the importance of their people in cyber resilience, but many also struggle to understand and apply best practice.
It is a crucial issue for the public sector, which has become a prime target for cyber criminals and state-sponsored attackers – as seen in recent attacks on local authorities and NHS organisations – and the adoption of appropriate standards can do a lot to strengthen defences and the capacity to respond to and recover from incidents.
This is where the ISO/IEC 27001 standard can be an important element of any public sector body’s security posture, providing a framework for best practice that places a strong element on the human factor.
It is an area in which BSI – a not-for-profit organisation that helps deliver solutions to society’s biggest challenges – has deep experience in supporting efforts to use digital for the public good.
Threat trends
BSI has identified the key trends in cyber security as: the massive growth in cyber crime, the global cost of which is expected to hit $10.5 trillion in 2025; the fast evolution of ransomware, which is now traded in the criminal economy as a service; a shift of focus to attacks on the supply chain, placing extra demands on cyber security due diligence; and a big increase in the number of published Common Vulnerabilities and Exposures (CVEs).
But the vast majority of incidents are still triggered by human actions. Organisations can install firewalls and antivirus software, but all of these controls can be bypassed if people make mistakes.
This makes it important to pay attention to the mental wellbeing of employees at all levels, and to ensure they understand best practice and their own responsibilities, not just around the trigger points for cyber incidents but in what happens before and after. This is absolutely critical to cyber resilience.
There are UK frameworks that provide important support, such as Cyber Essentials and the Cyber Assessment Framework, and an international standard for best practice – ISO/IEC 27001. It is a management system standard for information security that can be aligned with the national frameworks, covering confidentiality, integrity and availability, and supporting a holistic approach to managing the technical, cultural and personal issues that affect resilience.
Its Annex A lists 93 security controls (in the 2022 edition) – which can be applied with some flexibility, based on the organisation’s risk assessment – and the standard sets requirements for managing cyber security, privacy protection and the digital supply chain. But it goes beyond ‘building the wall’, with a focus on organisational engagement and building a culture of digital trust, and with a governance aspect that runs from the top to the bottom of an organisation.
'Plan, do, check, act'
It is all risk based, reflecting the approach favoured by the UK Government, applying the structure of ‘Plan, do, check, act’.
The planning stage involves looking at the context of the organisation, taking into account its regulatory, legal, contractual and other external commitments and obligations. It requires buy-in from the leadership, with commitment to a policy and a formal statement. These are reinforced by ensuring people know their roles and responsibilities and that the necessary resources are in place, and then by delivering a risk assessment focused on the needs of information and cyber security across the whole of the operation.
The operation is accompanied by an evaluation of performance to ensure it is achieving its aims, then comes an equally important effort for continual improvement. This reflects the fact that resilience is not about ‘one shot’ measures but acknowledging that cyber attackers are continually finding new routes and methods, and that protections and responses have to evolve to meet the new threats.
ISO/IEC 27001 does not solve every cyber security problem, but provides an overarching framework to bring sector-specific guidelines into one place with a holistic viewpoint to be shared with leaders and co-workers. This is a rock on which to build digital trust.
The BSI contribution
BSI can provide support in meeting the standard with a wide range of training offers: from simple, on-demand courses to understand the basic principles, to managing a detailed implementation, how to carry out an effective cyber security risk assessment and how to embed all aspects of an information security management system in an organisation.
It can also guide organisations towards certification for the standard, followed by support in ensuring it continues to comply.
At the heart of this is the recognition of the human factor in cyber resilience, working to ensure that people know what they have to do to keep their organisations and the public secure.
It is about more than not clicking on the wrong thing: it is about everyone in the organisation, and everything that happens before, during and after an event. We provide support for best practice in helping every organisation build a resilient, trusted digital future.