Avoiding data breaches with ISO 27001

Cybersecurity is a big concern for all businesses. Data breaches cost big money and lose companies the trust of consumers. People want to do business with those who prioritise protecting their information. So how do you protect business data against cyber breaches?

Cyber criminals targeting small business

The 4iQ Identity Breach Report 2019 found that cyber criminals are now focused on small businesses, with a 424% increase in data breaches since 2017. Having ISO 27001 NZ certification tells the world you take information security seriously, and that can be a deterrent.

When you implement ISO 27001, you understand how and what information your organisation collects, stores and uses, and what your responsibilities are. It also means your business has a culture of security in which all members of staff take responsibility for information security. ISO 27001 gives you opportunities for continual improvement: by measuring and analysing changes, you can identify risks and opportunities to improve information security across the business.

Cybersecurity best practices

Cyber criminals are turning their sights to small and medium businesses, probably because they consider them an easier target. So it is important to make sure you have comprehensive cybersecurity policies for staff to follow, and you need everyone to take these policies seriously for them to be effective. You can have the best software on the market and the best cybersecurity policies, but if no one uses or follows them, they are likely to fail.

To protect the organisation from hackers, some cybersecurity best practices include:

  1. Use strong password protection. Use strong passwords that are at least 10 characters long with a mix of lowercase and capital letters, symbols and numbers. Change them regularly. Also consider using multi-factor authentication for signing into company systems.
  2. Do not open links, emails or pop-ups from unknown sources. Phishers prey on employees, tempting them into opening links, emails or pop-ups that have malicious software embedded. Once someone clicks, it can give the hacker access to the organisation’s computer systems. Implement software that blocks suspicious emails and sends them to a quarantine folder where you can check their authenticity.
  3. Software updates. Update software, especially security software, when updates become available. Anti-virus and anti-malware software have frequent updates to respond to the latest threats.
  4. Backing up data. This is so simple, but something too many small and medium businesses do not do. Back up your data. Have a policy that ensures all data is backed up weekly or daily, and store a copy offsite. This makes it simple to restore your computer systems and information if there is a data breach.
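The password rule in point 1 is easy to state but only protects you if it is actually enforced wherever staff set passwords. The Python below is an added example, not code from this page or from any ISO 27001 tooling: it checks a candidate password against exactly the policy stated above (at least 10 characters, with lowercase, uppercase, digits and symbols) and, going one step beyond the page, also rejects passwords that appear in a constructed sample of known-breached passwords. The names `policy_failures`, `is_compliant` and `KNOWN_BREACHED` are choices made here, and the breached list is a stand-in for a real breached-password feed.

```python
"""Password policy check for the rules stated on this page.

Added example, not part of the original page. Assumption (not from the
page): the check runs wherever staff create or change a password, and
KNOWN_BREACHED is a constructed stand-in for a real breached-password feed.
"""
import string
from typing import List

MIN_LENGTH = 10  # the page's stated minimum length

# Constructed sample of commonly breached passwords, stored lowercase.
KNOWN_BREACHED = {"password123!", "welcome2020!", "summer2019!!"}


def policy_failures(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means compliant.

    The first five rules follow the page (length, lowercase, uppercase,
    digits, symbols). The breached-list check is an extension beyond it.
    """
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # Compare case-insensitively so a capitalised variant of a breached
    # password ("Password123!") is rejected as well as the original.
    if password.lower() in KNOWN_BREACHED:
        failures.append("appears in breached-password list")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password passes every rule in policy_failures()."""
    return not policy_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs: one compliant, the rest each failing one rule.
    for candidate in ["Kiwi-Orchard-2020", "short1A!", "alllowercase1!", "Password123!"]:
        print(repr(candidate), policy_failures(candidate) or "compliant")
```

Returning the list of failed rules rather than a bare yes/no lets the login or HR system tell the user which part of the policy was missed, which keeps the policy usable instead of something staff work around.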

ISO 27001 helps prevent data breaches

ISO 27001 gives you the information security framework to help prevent data breaches. But your cybersecurity strategies must remain agile in response to a changing environment.

Accreditation helps to:

  • Put clear training policies and practices in place for employees.
  • Identify gaps in security systems to implement solutions.
  • Give a competitive advantage in the industry.
  • Build trust in the organisation.
  • Demonstrate compliance to government legislation and regulations.
  • Win new clients and customers.
  • Decrease the risk of a cyber-attack.

So if information security is a priority, contact us for more information about ISO 27001 certification. We can show you how to protect your information, earn consumer trust and grow your business so it reaches its potential.

The laws and regulations around information security

In a few weeks, on December 1, 2020, amendments to New Zealand’s privacy laws come into effect. On June 30, 2020 the Privacy Bill, which amends the Privacy Act 1993, received Royal Assent.

The Privacy Bill and Act apply to anyone doing business in New Zealand, regardless of where you live. The changes are significant and include:

  • Making it mandatory to report data breaches.
  • Restrictions on cross-border transfers of personal information.
  • Clarifying extraterritorial scope.

Mandatory reporting of data breaches

Under the new mandatory reporting regime, organisations must report data breaches to the Privacy Commissioner and to the individuals affected where the breach causes or could cause serious harm. The Privacy Act offers guidelines for assessing serious harm, such as:

  • What harm affected individuals could suffer.
  • The action taken to minimise the risk following a data breach.
  • How sensitive the personal information is.
  • If known, who accessed, or could access, the personal information after the data breach.
  • What measures were in place to protect personal information.

While you can delay notifying individuals of a data breach in some circumstances, protecting your reputation is not an acceptable reason for a delay.

Cross-border data transfer restrictions

The Privacy Bill includes restrictions on cross-border data transfers. You must have permission from individuals to transfer personal data outside of New Zealand. Before transferring any data, you must also check that the receiver has privacy standards similar to New Zealand’s.

One important exception is when transferring data to a cloud provider. Transferring data to the cloud does not usually mean you are disclosing personal information overseas. This is particularly important as there are currently no cloud data-centres in New Zealand.

Clarifying extraterritorial scope

The Privacy Act will apply to anything an overseas organisation does as part of doing business in New Zealand. It does not matter from where you collected the information or where the individual resides.

The Privacy Act considers you to be carrying out business in New Zealand:

  • Whether or not you have a physical presence in the country.
  • Whether or not you charge for goods and services.
  • Whether or not you profit from doing business in the country.

Enforcement penalties

The amended Act gives the Privacy Commissioner enhanced powers including:

  • Shortening the amount of time you have to comply with an investigation.
  • Penalties for noncompliance increasing from $2,000 to $10,000.

The new amendments also introduce the potential for criminal penalties and class actions in some circumstances.

Are you ready?

December 1 is only a few short weeks away. Are you ready for the Privacy Bill amendments to come into force? You may need to update your information security systems and processes in order to comply.

Contact us now to find out more about the changes and to check whether your organisation will be ready to comply. You need to prepare for the new privacy laws now before it is too late.

How ISO 27001 Works

ISO 27001 is a risk management standard for protecting your organisation’s information. It is an Information Security Management System (ISMS) that monitors, reviews, maintains and improves how you deal with your information and the data you collect.

Using ISO 27001 NZ allows you to:

  • Identify potential security risks to business information for insight into vulnerable areas.
  • Establish a management system to control how and where you store information and how to use it.
  • Provide a framework for implementing and managing information controls.
  • Manage compliance with regulations and laws.
  • Outline information security processes, policies and standards for the organisation.
  • Maintain a process for managing your information security policy into the future.
  • Inform employees and third-party contractors of the risks and of the process for incident reporting.
  • Set objectives for managing information security.
  • Keep IT systems updated with the latest protection.
  • Put in place system access controls.
  • Monitor system and user activities.

How it works

ISO 27001 works from the top down. It is technology neutral and uses a risk-based approach. Implementing an ISMS means your organisation establishes security controls in a structured manner. Without an ISMS, companies often implement controls for specific situations or out of convention. But these normally only address aspects of IT or data security and soon become disorganised. This leaves other assets, such as company paperwork and proprietary knowledge, lacking protection.

Putting an ISMS in place minimises the risk of security breaches that can negatively impact your business. Information breaches will damage your company’s reputation and can cost you a lot of money when information falls into the wrong hands.

A business that achieves ISO 27001 certification demonstrates it:

  • Protects information from unauthorised access.
  • Ensures accuracy of the information.
  • Ensures information can only be changed by authorised users.
  • Has assessed the risks and put controls in place to mitigate the impact of any breaches.
  • Was independently assessed and meets international standards.

An ISMS does not guarantee that breaches will never occur but it:

  • Increases the reliability and security of your information and systems.
  • Improves customers’ confidence in your business, as it aligns with their expectations and requirements.
  • Increases the resilience of your business.
  • Improves your management processes and integration with corporate strategies.

Risk management is central

Risk management is central to ISO 27001. The standard does not tell you how to protect your information; it provides a framework. You complete a risk assessment and then decide what controls the business needs to protect your information.

A robust ISMS reduces your risks, disruptive activity and costs. It also boosts your reputation and trust in your business.

To discover more about how ISO 27001 works, contact us today. We can show you how establishing an ISMS protects your information.

How to know if your business needs an ISO 27001 Certification

Information and data are the essence of most organisations. They are a source of intelligence that can provide a competitive advantage and drive the success of future plans.

Your data is usually stored electronically, so you need to protect it from accidental or deliberate loss. Data and information are a business problem, not an IT problem. ISO 27001, the Information Security Management System (ISMS) standard, gives you a framework to protect and manage critical information and data effectively.

Cyberattacks and data theft are more common than ever, and staff make mistakes. If your business does not have policies and procedures in place, it becomes easy for hackers to steal data. ISO 27001 certification demonstrates your commitment to minimising security threats and gives customers confidence in your business. Certification improves credibility and your value proposition.

You want to avoid potential costs of a security breach

Security breaches have the potential to cost your organisation not only a lot of money but also its reputation. Implementing ISO 27001 demonstrates your proactive approach to protecting information, so if there is a security breach you may avoid heavy fines and penalties.

An ISMS gives you the ability to make informed decisions based on risk management and continuous improvement.

You want to maintain data privacy and integrity

All organisations are responsible for maintaining the privacy and integrity of the data they collect. An ISMS helps secure data and reduce data breaches. Implementing ISO 27001:

  • Gives organisations control over the storage of and access to data, so you can use and destroy it safely using organisational processes and procedures.
  • Ensures the protection of data, which reduces the likelihood of clients losing trust and suing you over data breaches.
  • Means you have the processes and procedures in place to quickly detect a breach so you can take appropriate action.
  • Allows a systematic approach to identifying, managing and reducing threats to your data.
  • Ensures the integrity of data using access controls, and procedures for backing up and organising data.

Information security should be a priority

Information security should be a priority for all organisations. As technology gets smarter, so do hackers. They will stop at nothing to breach and compromise sensitive data to use to their own ends.

You may think you have good control of your information. But how effective your controls are depends on how you monitor and control your security management processes. A short-sighted approach is having security controls for only specific IT areas; this then poses a threat to assets that are not IT-related. Implementing ISO 27001 overcomes these issues. Certification guarantees customers that your organisation uses best-practice methods to secure the collection of data and information.

Achieving and maintaining ISO 27001 certification has many more advantages. To find out if your business needs certification, contact our ISO specialists. We pride ourselves on helping New Zealand businesses grow to their potential.