Information Security – are you safe?
IT systems are crucial to the way in which we conduct business today. Few companies could trade without access to electronic information. A startling 97% of businesses have an internet connection, four-fifths have a website and only one in six small companies could operate their business without their IT systems.
So ask yourself: how would your business be affected if your IT systems were down for a couple of days, valuable data was lost or corrupted, or a disgruntled employee simply walked off with confidential data? Results from the latest DTI-sponsored Information Security Breaches Survey 2006* show that the median number of incidents suffered is around eight a year - up from two years ago – so if you do suffer a serious security breach it may not be an isolated incident.
The DTI Survey puts the cost of security breaches to UK plc at around ten billion pounds per year. While the results show that the dramatic rise in security incidents over the last few years appears to be levelling off, it’s recognised that new technologies pose particular security threats for the future.
Three-fifths of those surveyed believe it will become harder to detect security breaches in the future. This would support the feeling that UK business is failing to prepare for a more technology-focused form of guerrilla warfare.
There are however some simple steps that can be taken to reduce the risk of a security breach and they needn’t cost a fortune. The development of an information security management system (ISMS) can help you manage and control your risks.
The DTI recommends compliance with the ISMS standard, ISO/IEC 27001. Internationally recognised as a useful management tool in the battle against a wide range of information security hazards, ISO 27001 provides a best practice framework to identify, analyse and then implement controls to manage information security risks.
The DTI first published the standard - then known as BS7799 - in 1995. It is perhaps surprising therefore that out of those surveyed, only one in ten organisations were aware of the standard’s contents.
“Good information security is not just the preserve of the IT department – it is a business issue - and those organisations with a quality management system already have the basis for an ISMS,” argues Geoff Brooks, Technical Services Manager. “One commonly cited reason for not adopting ISO 27001 is the cost. And in terms of costs – have you thought about the cost of not having good security? A managed approach to security means that budget is spent wisely – a case of improved security at lower cost.”
“And for those companies using an ISO 27001-compliant system which hasn’t been independently assessed, there are additional benefits to be gained from certification. In some cases, there may only be a minimal amount of work needing to be done before a formal visit,” concludes Geoff.
* Information Security Breaches Survey 2006. Department of Trade and Industry. Managed by PricewaterhouseCoopers. April 2006. URN 06/802.
Lloyd's Register Quality Assurance • A member of the Lloyd's Register Group
