PART 1 - GENERAL
CHAPTER 1: WHY RISK DOES NOT DEPEND ON COMPANY SIZE
What is the real worth of the USB stick you just bought for £15? After a year, if you included it as a short-term cost item in your accounts, it would not be worth anything. On the other hand, if it contained all the latest data of your research project which was bound to pay off in a couple of years, then it would be worth pretty close to infinity or, at least, the future of your company.
It is not easy to define risk or what taking a risk really means. Sometimes people try to use probabilities and ALEs (Annualised Loss Expectancy: the expected loss from a single occurrence multiplied by the expected number of occurrences per year); sometimes damage or the propagation of damage along a business process is included; sometimes risk is described as a vector of vulnerabilities and threats (which is the favoured way to see it in the information security world); and sometimes it is described by the options available for action. We will not try to give you a comprehensive, all-encompassing definition. We just want to make a couple of points: that risk permeates your company or corporation from top to bottom, from head to toe and, particularly, that risk and information security risks do not in any way depend on the size of your company.
This latter point is important, as companies sometimes tend to underestimate their exposure and to overestimate their resiliency (cf. "too big to fail" as a banking sector paradigm). There is no such thing as "too big to fail" in the information security world; a well-organised incident can bring down empires or, at least, damage them so much that recovery can take years, if it even remains affordable. It is true, however, that there are distinct differences in how companies can cope with, and avoid, incidents. Some avoidance and treatment options are largely based on size, but, then again, size is measured here as in "cash available", "reserves available", "speed to implement treatment options", and so on. Company size, measured, for instance, by number of employees or locations, does not really mean anything in regard to information security risks.
Let us briefly state the definition of company sizes as used in this book. For our purposes, a company with up to 100 employees is considered small; 100 to 1,000 is considered medium; and 1,000+ is considered large. For the sake of clarity, we will not take into account revenues, cash or profits, and we will not consider that these sizes may all be considered small in some countries or may fit another country's business structure perfectly. As a real-life example, consider an actual company in the medical sector, with only 300 employees, that makes more than a billion euros a year selling its specialised devices.
Let us, first of all, give a brief definition of risk in the information security world. The most commonly used, most practical, approach today is to define risk as a vector of vulnerabilities and threats, with some likelihood and damage levels associated later. A vulnerability is a weakness that can be exploited by an associated threat and is based on properties of the system(s) and process(es) you are using. Vulnerabilities are inherent in IT systems, your physical location, and your processes, because of their design and their inherent characteristics.
A threat is an event or process that can (ab)use these vulnerabilities to cause harm to the confidentiality, availability or integrity of your system (all assets considered as one) or systems. A threat can be man-made or natural; its associated damage can be caused by malicious intent, by accident or by technical failure.
If a vulnerability has a corresponding threat, then a risk clearly exists. The level of that risk depends on the measures already in place, and is higher the less effective these measures are. If a vulnerability has no corresponding threat, or if a threat exists but without a corresponding vulnerability, then the risk resulting from such a combination is simply zero. Once it has been determined whether a risk exists or not, one will usually factor in the following:
• the likelihood of the risk materialising;
• the direct damage caused by the risk materialising;
• indirect damage throughout a chain of business processes;
• the cost of mitigating measures;
• business priorities of mitigating measures.
In bringing together all of the above, a risk analysis is duly completed (more on that in the following chapter) which will show management what the situation of the company is, and what can be done about it in both the short and the long term. But, to return to the subject of this chapter, none of these factors depend in any way on company size. There is only one question of paramount importance that illustrates our point:
How much damage will this particular risk do to my company?
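The following is an added worked example, not code from the book: a small risk register in the vector-of-vulnerabilities-and-threats style described above. The 3x3 risk-level matrix, the scoring ranges, the mitigation costs and the sample entries are assumptions chosen for illustration; the qualitative levels "low", "substantial" and "extreme" are the ones this chapter uses later. It shows the zero-risk case (a vulnerability with no matching threat), the effect of existing measures on likelihood, damage propagating downstream through a business process, and an ordering of treatments by level and cost.

```python
"""Qualitative risk-level calculation: vulnerability x threat -> level.

Added example, not from the book. Matrix values, score ranges, costs and
the sample register are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scale used in the chapter, lowest to highest.
LEVELS = ("low", "substantial", "extreme")

# Assumed risk-level matrix: key is (likelihood, damage), each scored 1..3.
RISK_MATRIX = {
    (1, 1): "low",         (1, 2): "low",         (1, 3): "substantial",
    (2, 1): "low",         (2, 2): "substantial", (2, 3): "extreme",
    (3, 1): "substantial", (3, 2): "extreme",     (3, 3): "extreme",
}


@dataclass
class RiskEntry:
    asset: str
    vulnerability: Optional[str]   # None: no exploitable weakness present
    threat: Optional[str]          # None: no threat that could use the weakness
    likelihood: int                # 1..3, before existing measures are counted
    direct_damage: int             # 1..3, damage at the point of impact
    downstream_damage: int = 0     # 0..3, damage propagated along business processes
    measure_steps: int = 0         # likelihood steps removed by measures already in place
    mitigation_cost: float = 0.0   # assumed cost of the proposed treatment (currency units)


def effective_likelihood(e: RiskEntry) -> int:
    """Likelihood after crediting measures already in place (never below 1)."""
    if not 1 <= e.likelihood <= 3:
        raise ValueError(f"likelihood out of range for {e.asset!r}")
    return max(1, e.likelihood - e.measure_steps)


def damage(e: RiskEntry) -> int:
    """Propagation elevates damage: the worst point along the chain counts."""
    if not 1 <= e.direct_damage <= 3 or not 0 <= e.downstream_damage <= 3:
        raise ValueError(f"damage out of range for {e.asset!r}")
    return max(e.direct_damage, e.downstream_damage)


def risk_level(e: RiskEntry) -> Optional[str]:
    """Qualitative level, or None when no risk exists (threat or vulnerability missing)."""
    if e.vulnerability is None or e.threat is None:
        return None
    return RISK_MATRIX[(effective_likelihood(e), damage(e))]


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy x annualised rate of occurrence."""
    return single_loss * annual_rate


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Live risks first by level (highest first), then by cheapest treatment."""
    live = [e for e in register if risk_level(e) is not None]
    return sorted(live, key=lambda e: (-LEVELS.index(risk_level(e)), e.mitigation_cost))


# Constructed sample register (assumed scores), echoing the chapter's scenarios.
SAMPLE_REGISTER = [
    RiskEntry("research data on USB stick", "unencrypted removable media",
              "loss or theft of the stick", 3, 3, 0, 0, 2_000),
    # Bakery line: an IT failure stops one machine (direct damage 2), but missed
    # deliveries and contractual penalties propagate downstream (3).
    RiskEntry("bakery production line", "unpatched control workstation",
              "malware outbreak", 2, 2, 3, 1, 15_000),
    RiskEntry("office workstation", "autorun enabled for removable media",
              "child running an unknown CD in the office", 2, 1, 0, 1, 500),
    # A weakness with no corresponding threat at this site: risk is zero.
    RiskEntry("server room", "no flood barrier", None, 3, 3, 0, 0, 40_000),
]


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"{entry.asset:30} -> {risk_level(entry)}")
    print("treatment order:", [e.asset for e in prioritise(SAMPLE_REGISTER)])
```

Note what the bakery entry shows: on direct damage alone it would score "low" after the existing measure, but the downstream penalties lift it to "substantial". Nothing in the calculation takes the number of employees as an input; two companies with the same vulnerability, threat and scores get the same level.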
If you look at some risks, for example, the list of threats and vulnerabilities in the German Baseline Protection Manual (the IT-Grundschutz catalogues of the German Federal Office for Information Security, BSI), you will find that some risks can hit you severely, while others are irrelevant, but none of these will have anything to do with the size of your company.
Some risks are almost trivial, such as a CEO's child running some CD in the office and unwittingly importing a virus; some risks are elaborate and require malicious intent, such as social engineering or corporate espionage; but, as this example shows, it could happen anywhere, and it could do the same fundamental damage to any type of company (though larger companies tend to be better prepared).
Consider research-driven companies for a moment. There are large pharmaceutical companies and technology businesses that invest billions in research, and competitors who think that stealing, rather than investing, would be a good strategy. Hence, a threat for the former companies exists. But there are also a number of medium-sized companies who are leaders within their niche, invest heavily in research on a slightly different scale of millions instead of billions, and therefore have the same fundamental risk profile. Based on their cash reserves, a medium-sized company may even be better equipped to survive a fundamental information security breach; in general, though, the level of preparedness tends to be less evolved. Nevertheless, the nature of the risk is exactly the same and, on a carefully chosen risk level matrix, the risk level would most probably also be the same.
So far, we have focused on the effect of the risk in relation to the company, and demonstrated that the risk does not depend on the size of the company. Let us look at another aspect: preparedness.
Preparedness for an incident depends not on company size, but, rather, on its culture. That culture can be highly evolved or not present at all, but, again, it will not depend on size. In smaller companies (fewer than 1,000 employees) company culture can be much more refined, and can be carried by a mid-level of highly motivated managers who identify with, or admire, the founder or founding partners. In such companies, personal contact with the owner or founder usually occurs regularly. On the other hand, larger companies (over 1,000 employees) can easily evolve into bureaucracies, where people do only what they are asked to do. In such a culture, establishing a new view on risks, or security as a whole, is difficult and can take some time (often up to two or three years). Furthermore, larger companies have a tendency to underestimate the value of building awareness, and concentrate on measures they perceive as being more cost efficient or just cheaper. For example, one defence sector company thought that, instead of a fully-fledged awareness programme involving classroom training and Q&A sessions, handing out CDs and making staff take an online exam would be enough. Unfortunately, this is not always the best way in which to pass on this kind of information.
Next, we will look at the relevant factors for treating or avoiding information security incidents, and examine whether any of these are connected to company size.
Risk effect
As mentioned above, risk effects do not depend on company size for severe risks. Big companies usually do better at keeping a risk from spreading all through the company (downstream effects), but this is countered by the ability of small companies to act promptly and without much bureaucracy. If we measure the risk effect in qualitative terms from "low" to "substantial" to "extreme", then a risk can hit all types of companies equally hard.
Small companies are often less well prepared, and do not quite structure their efforts, adopting a more ad hoc approach, so the effects on them tend to be more disruptive and less controlled than in larger companies which have implemented a fully-fledged information security programme. If we focus on the general effect of any given risk, however, the effects and their range are strikingly similar.
Propagation of damage (downstream effects)
Propagation of damage occurs when damage caused by a risk that has materialised propagates through a business process or a number of business processes. Bigger companies tend to have an advantage, as their business processes are generally more tightly controlled, whereas smaller companies usually face severe customer chagrin and loss of business if damage propagates through a chain of processes. As an example, consider the following scenario.
A medium-sized bakery produces bread to be used by a fast-food company. Imagine one of the baking machines not working, due to some IT failure. The bread will not be delivered and, apart from fast-food customers staying hungry (or eating healthily for a change), contractual penalties may be invoked, further elevating the damage level caused by risk materialisation.
In the automotive industry, a failure at one supplier can propagate through the entire chain of production, causing a standstill at the main factory.
Culture
How risks are seen and treated before they actually materialise is based on a company's culture. In smaller companies, the culture is directly carried by the opinions and attitudes of the IT manager, the managing director, or the owner(s). If the IT manager (there are often no separate IS staff) is on top of their game, this can be advantageous; but if the company still thinks IT is a nuisance as a whole, the result can be totally detrimental.
Having paid the price of establishing their culture through a year-long process, larger companies tend to have the advantage of a more stable culture, which is less dependent on the individuals carrying it; however, even large companies can have an incomplete, or totally absent, view on information security risks, which will then aggravate risk effects.
Again, size does not matter at all, as the culture required to avoid and treat breaches either is, or is not, there. It does not really matter where it came from, but only if it is actually there.
Information security staff
This is the one case in which big companies clearly win. Smaller companies tend not to have IS teams. If you are lucky, you will find a dedicated IT manager for whom, in very small companies (fewer than 100 people), this may even be an extra role. You will not usually find dedicated information security staff at small companies. Bigger companies generally set up entire teams of information security experts and, today, in a company with 2,000+ employees you can expect to find 3 to 15 people working exclusively on information security issues. One of these people is likely to have some background in investigation, which will prepare the company better for...