It is a serious threat especially for smaller businesses
Around the globe, data breaches, system hacks or extortionist ransomware attacks are reported almost on a daily basis, with the most recent example being the cybercriminal activities of the “REvil” extortion group. In general, attackers do not only target international corporations or big businesses. The fact is that many hackers earn a living by targeting small and medium-sized enterprises (SMEs) as well.
Cyberattacks compromise the confidentiality, integrity and/or availability of corporate data, information systems and networks, thereby undermining the so-called CIA triad of data security: confidentiality, integrity, availability. The potential damage ranges from financial losses, reputational damage and regulatory penalties to business interruption and bankruptcy. This makes it all the more important that small and medium-sized enterprises and subsidiaries also have appropriate budgets, security tools and human resources in place to counter the ever-increasing threats posed by cyberattacks.
Systematic risk management is required
Every organization depends on the reliable functioning of its critical infrastructure. However, the increasing complexity and connectivity of infrastructure systems expands attack surfaces and makes it easier for cybercriminals to exploit information security vulnerabilities. It is therefore increasingly important for businesses to pursue a systematic approach to identifying, assessing and prioritizing cyber risks. On this basis, control mechanisms can be identified and implemented to bring down the level of risk to an acceptable range.
In a subsidiary, these controls can be implemented via policies of the Group or parent organization. Another option for SMEs is to adopt customized controls based on best practices. The TÜV Rheinland whitepaper “Information Security Baseline: SME/Subsidiary” provides an insight into the advisory and mandatory information security controls. Interested companies will learn what measures SMEs and subsidiaries can implement to ultimately ensure the confidentiality, integrity and availability (CIA) of their critical system resources.
Advisory and mandatory cybersecurity controls
The proposed baseline controls apply to all employees of a company, contractors, subcontractors and their respective facilities supporting the Group organization’s business operations. They are relevant wherever Group data is stored or processed and also concern third parties who have been contracted by the Group organization or its subsidiary to handle, process, transfer, store or dispose of Group data.
- Mandatory controls establish an information security baseline for the entire community and must be implemented by all subsidiaries in their local, remote and/or cloud infrastructure. To set a realistic goal for a tangible short-term gain in security, we prioritized 15 mandatory management, technical and operational controls.
SENIOR INFORMATION SECURITY SPECIALIST
Anand Rabindranath is a Senior Information Security Specialist at TÜV Rheinland in Muscat, Oman. He has more than ten years of professional experience in IT security, audit, risk and compliance management. Among other things, he supports global companies in implementing information security management systems and training internal users on computer security topics. As a result, they are better able to prevent IT security breaches and respond to cyber attacks.