ISO 27001: the required fit for tackling the sophisticated nature of cybercriminals

Cybersecurity is rated the second topmost global risk the world will face this year. The risk situation is exacerbated by the fact that cybercriminals are increasingly rendering security measures by organizations obsolete. 

The World Economic Forum Global Risk Report released this year placed cybersecurity in the second spot of the top 10 global risks the world will face in 2023 after climate change.

The global cost of cybersecurity this year is estimated to stand at about 8 trillion dollars and will move up to 10.5 trillion dollars annually by 2025, the same report indicates.

The report keenly observes that cybersecurity measures put in place by businesses, governments, and individuals are increasingly being rendered obsolete by the growing sophistication of cybercriminals.

We already see this happen in Uganda, where we have witnessed cybercriminals gain illegal access to organizations’ security systems and compromise them. For example, telecoms, banks, and other organizations have had their systems infiltrated in the past and many were left counting losses.

The, an online publication of the CEO-Magazine, chronicled in its article titled “Special Report: Inside the Multi-Billion-shilling Financial Hydra in Uganda’s Financial Sector and the Industry-wide Ambitious Proposal to Cut Off Its Many Heads” how cybercriminals have in the past managed to infiltrate the security systems of several financial institutions, transferring billions of shillings.

For example, the CEO reported in its article how between 2nd Friday and Saturday, October 3, 2020, hackers hit the system of Pegasus Technologies, a Uganda-based payments aggregator, gained access to the online vendor accounts of various banks, and made off with UGX 10.5 billion. The CEO further reported how cybercriminals in April and May 2022 hacked into the system of UGAFODE Microfinance, stealing $400 million.

In such a projected volatile cybersecurity outlook, a seasoned information security expert has said standards could be the saviour from cybersecurity issues, especially when measures taken by organizations are increasingly being rendered archaic by cybercriminals.

Mr. Wafula Rombosia, an expert in information security and the managing partner and principal consultant on ISO management systems at Sleek Management Consultants, said that much as organizations have different cybersecurity controls, the robustness and adequacy of those controls are what is crucial.

He said the robustness and adequacy of cyber security control measures can only be determined when the controls are analysed against some universally accepted parameters that standards (ISO 27001) provide.

“Everyone has a control measure; everyone thinks it is adequate; there are people who lock their documents in a wooden cupboard as a security measure, but how effective is it? It is only effective depending on who has access to it. You can decide to keep your documents in a wooden cupboard and put a padlock on it; all it takes is for someone to come and open the padlock. You may then decide to use digital padlocks after the break-in, which is an improved measure. The other person can come and say the padlock is powerful enough this time. What do I do? They just break the door because it is wooden. Then you may decide, if they are breaking wooden doors, let me buy a metallic safe, but is it fireproof? Because if there’s a fire in the house, in as much as the document is not stolen, it will get burned, so you lose. In universities, they have certain controls to ensure that when they set their exams, they don’t leak to the students, but don’t exams leak? What makes them leak? Now those are the things that the standard (ISO 27001:2018) will guide you to identify and resolve,” Mr. Wafula said.

He said the concept of cybersecurity depends on what you have that somebody will want and what your level of protection against that threat is. ISO 27001 gives you the foundation and certain parameters on which to analyse your organization’s vulnerabilities and measures of protection to determine if they are robust enough.

The standard analyses the possible threats that could arise from existing weaknesses in the people, the organization’s policies, and the technology being used. He said one of the greatest challenges is that you can have a great system, but the weakest part is the person, and a person is a threat both by accident and deliberately. Some people share company information for a token, and others do it out of ignorance. So, you must have controls over such issues.

Information security is about protecting the confidentiality of the information, the correctness of that information (what in information security lingo is called the integrity of the information), and the availability of that information. Confidentiality, according to Mr. Wafula, means ensuring that information is not shared with or accessed by unauthorized people. Integrity is ensuring that the information you have or present is complete, because information ceases to be complete if part of it is hidden. Availability means ensuring that the information gets to the authorized people when it is needed and at the time when it is requested.

According to TechTarget, while businesses try to protect their sensitive files from attack, people’s and customers’ information is stored in vulnerable databases all over the world. This is a breeding ground for cybercriminals that can be addressed by the holistic approach provided by ISO 27001.

The objective of ISO 27001:2018 is to protect the confidentiality, integrity, and availability of information by examining if your security system is strong enough in case somebody wants to access your information and if you have controls in place to stop them.