As time goes by, the technological world is changing faster and faster, and it is clear that the new generations are setting the operational challenges within organizations.
We no longer only have to worry about the management and knowledge of the business. Now we must consider everything that involves its execution, as well as everything that interacts with it and is involved in it, both suppliers and consumers, whether individuals or organizations, since everything is part of cyberspace. By this I mean to leave no stone unturned, and in this text I will call it "The Whole", since everything is directly or indirectly part of the success or failure of our business.
I would like to point out that technology today has become one of the main tools of value for organizations, and even in our daily lives, since we are all part of cyberspace and interact with it; for that reason it is also one of the greatest challenges of control. It is therefore prudent for organizations to adopt or define new standards that govern and lay out a plan of action for any incident that may present a risk to the organization, allowing adaptation to the particular and general environment in order to improve and ensure the proper and safe processing of data.
According to a survey conducted in 2015 by ISACA, 46% of respondents were expecting to face a cyber-attack in 2015. In the same survey, 86% stated that there was a global shortage of qualified personnel, and only 38% felt prepared to defend against sophisticated attacks. The increase in cyber attacks is imminent.
According to Kaspersky, cyber attacks in Latin America grew by 59% in 2016, continued to increase by 18% in 2017/2018, and by 67% in 2019; at this rate the pace of increase is very fast. Cyber attacks are now costing companies many billions of dollars, so the economic impact also grows in proportion to the attacks.
While we face ever higher information security costs every day, there is still a lot to be done. Companies have to invest more in cybersecurity to minimize the cost of the incidents that may occur, and for that reason it is necessary to implement strategies and recovery steps in order to have a company with good risk management. If you want to implement your security strategy, we can help you.
It is well known that all risk management is closely related to compliance and information governance, so I would like to take as a reference the phrase quoted in the ISO27032 standard, which states that "Cyberspace does not belong to anyone and everyone can participate and have an interest in it".
This standard defines cyberspace as a complex environment resulting from the interaction of people, software and services on the Internet through technological devices and networks connected to it that does not exist in any physical form.
The adoption of this standard may represent a real challenge for organizations that are suppliers or consumers of cyberspace, since it has extensive control considerations, without being a strict requirement in terms of management commitment. Remember that it is not a certifiable standard; it is a guide of good practices in the cybersecurity environment. It recognizes the importance of the cybersecurity domains (Information Security, Application Security, Network Security, Internet Security and CIIP, Critical Infrastructure Security) by providing security technologies, techniques and guidelines. Its first area of focus is the problem of gaps between domains and the lack of communication between organizations and cyberspace providers; its second area is collaboration, meaning the efficient and effective exchange of information between stakeholders (consumers and providers).
The ISO27032 standard provides technical guidance for addressing common cybersecurity risks that include:
It delivers controls to address risks including attack preparedness (malware, crime, criminal organizations), detection, monitoring, response and readiness. Awareness is a security challenge in itself, as it involves educating people for a major shift in awareness and culture within the organization, and, to be frank, no one likes to modify already established practices.
An example of this is that instead of using their old and beloved password "1234", users suddenly find that the password has to be changed every 90 days and must have at least 8 characters, of which at least one must be a number and one a special character. There are many more examples like this, and until good awareness work is done within the organization they will continue to represent both a risk and an operational discomfort.
Protecting ourselves and applying general security in cyberspace is still a very ambitious goal, but we should aim to achieve a constant level of maturity. Given the above, we will surely ask ourselves how we have improved from yesterday to today. I believe that everything can be measured by the reduction or increase in the number of incidents, so it is very important to identify the technical and regulatory tools that fit the goals and objectives of your organization.
Cybersecurity management should consider maintaining a strategy aligned with policies and controls that allow you to sustain a culture of cybersecurity and a more reliable environment. Existing standards are not there to make the process more complex; they provide a reference guide that allows sustainable maturation and scalability in a complex environment that can be transformed at any time.
This is why we should consider sticking to the standards already written, in order to create strategies for the cybersecurity processes of our business.