Source: IEC Blog (https://www.iec.ch/blog/)
Employees pose the single biggest cyber security threat to their organizations. According to a recent survey from the Ponemon Institute, the cost of so-called insider threats has increased by 31%, from $8.76 million in 2018 to $11.45 million in 2020.
The report identifies lack of training as a major contributor to security breaches. It claims that training could, for example, ensure that employees acquire a better understanding of regulatory requirements related to their work.
Training could help employees to ensure that the devices they use are always secured. Other bad workplace practices identified in the report include sending confidential documents to unsecured cloud locations and breaking security policies in order to simplify tasks.
The COVID-19 pandemic has exacerbated the situation with the increase in remote working. Many home networks lack security measures such as antivirus software, customized firewalls and online backup tools.
This increases the risk of negligent personnel unwittingly helping malware to infect devices and gain access to corporate networks. A new edition of a well-known international standard addresses many of these challenges.
ISO/IEC 27014, Information security, cybersecurity and privacy protection – Governance of information security
ISO/IEC 27014 outlines an efficient governance model designed to ensure that practices and procedures are properly maintained. It features new information and has been updated to improve both clarity and structure.
The 2020 edition, which has been more closely aligned to ISO/IEC 27001, defines cyber security governance as the “means by which an organization’s governing body provides overall direction and control of activities that affect the security of an organization’s information.”
ISO/IEC 27014 recommends training and awareness programmes to establish a positive information security culture. It also suggests roles and responsibilities for executive management and boards of directors in all types and sizes of organizations.
The objectives of the standard are to “align security programme and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed”.
The standard sets out six overarching governance principles, which it describes as “accepted rules for governance action or conduct that act as a guide for the implementation of governance”:
1. establish organization-wide information security
2. make decisions using a risk-based approach
3. set the direction of investment decisions
4. ensure conformance with internal and external requirements
5. foster a security-positive culture
6. ensure the security performance meets current and future requirements
Many IEC International Standards and all the IEC Conformity Assessment Systems contribute to the United Nations Sustainable Development Goal 16, which promotes peaceful and inclusive societies. The cyber security standards in the contribute by protecting key data and systems, while others, such as help make critical infrastructure more resilient.