Is lack of information security a real threat? The old saying goes that you either have already implemented information security regimes and tools, or you will do. Though ISO 27001 certification will surely not eliminate all cybersecurity threats, it is definitely a solid start.
Malware vs. ransomware: why do they matter?
Two terms come up most often when talking about software infections: malware and ransomware.
Malware, or malicious software, is any piece of software written with the intent of doing harm to data, devices, or people. Types of malware include computer viruses, trojans, spyware, ransomware, adware, worms, fileless malware, and hybrid attacks.
Ransomware is malicious software that threatens you with harm, usually by denying you access to your data. Ransomware attacks are often deployed via social engineering tactics. Once a user falls victim to the attack, their data is encrypted and held for ransom.
How much can one lose to cyber-attacks?
- 2021 – Kaseya suffered a ransomware attack compromising up to 1500 companies with a staggering ransom note of $70 million.
- 2021 – Saudi Aramco experienced a data breach exposing sensitive data on employees and technical specifications of the organization. Threat group ZeroX is demanding a payment of $50 million.
- 2021 – Accellion file transfer application (FTA) data breach impacted over 100 companies, organizations, universities, and government agencies around the world.
- 2021 – Pulse Secure VPN zero-day was exploited. The attack hit several undisclosed defense firms and government organizations in the United States and Europe.
- 2021 – SolarWinds fell victim to a nation-state supply chain attack. It impacted both government agencies and Fortune 500 companies.
- 2020 – The Marriott hotel chain disclosed a security breach. It impacted the data of more than 5.2 million hotel guests who used the company’s loyalty application.
- 2020 – MGM Resorts suffered a massive data breach. This resulted in the leak of 142 million personal records of hotel guests.
- 2020 – 500,000 stolen Zoom passwords were put up for sale on dark web crime forums.
- 2020 – A ransomware attack and a data breach hit Magellan Health. 365,000 patients were affected in the sophisticated cyberattack.
- 2020 – A well-coordinated scam following the Twitter breach let attackers swindle $121,000 in Bitcoin through nearly 300 transactions.
The total estimated cost of cyber attacks
Is ransomware or malware really a threat for small companies?
Imagine you are a dog owner. You enjoy long walks with your dog outside the city. You track the route and take fancy pictures that you share with your friends.
Now imagine, someone who is not your friend gets this data. They may learn a lot about your habits, your daily routine, and when there is no one at home…
Usually, when you start a new project in an agile software house like SolveQ, you work on delivering business value as fast as possible, trying new features and adjusting the product.
Then, at some point, sometimes just before the product launch, you also have to do a proper analysis of the information security setup. How do you audit and prevent a stranger from accessing data? How do you make sure your competition has no access to the project details and information?
The further you go with the analysis, the more you realize that the threats are very real. You then discover tools and procedures to prevent potential issues.
An easy way to get ISO 27001 certified.
A huge advantage for mid-sized companies like SolveQ is cooperation with a bigger partner, armed with the necessary experience, cybersecurity team, and procedures. From the moment we started our discussions on how to ensure data protection, the Telenor security team was a great help for us.
One of the important decisions was what type of security guidelines we would like to follow and implement: ISO 27001 or SOC 2. Both are similar in terms of requirements, but SOC 2 applies to the USA market. Hence, the natural decision was to follow ISO 27001.
The next step was to identify what we already have, what we need, and how to fill the gaps. Our decision was to work with an external, certified partner. Together we initiated a four-month-long project, which consisted of the initial audit, preparation, implementation, and the final audit.
The audit proved that we were ready to go back to Telenor and ask them to validate our current step. We discussed their particular security requirements and then held an internal workshop. The key topic was how prepared SolveQ and its employees are. Lastly, we had a Telenor audit and discussion.
A very promising and satisfying fact was that out of about 40 detailed requirements, the audit discovered just one partially compliant aspect. All other SolveQ cybersecurity aspects were satisfactory and up to present-day standards.
Our information security project and cooperation with Telenor proved that we are aware of the potential risks and threats. We’re constantly working on preventing them from happening and we have a solid plan to further improve our readiness.
Are we done with ISO 27001?
Our journey is far from over. The crucial step will be to complete the full ISO 27001 certification path. This step will give us more certainty that all the necessary procedures are in place and followed on a daily basis. More importantly, we’ll be able to tell our customers that their data is completely safe with us.
Stay tuned for the next article – our step-by-step guide on how to complete the ISO certification.