IEC - International Electrotechnical Commission

07/08/2024 | News release | Distributed by Public on 08/08/2024 23:00

International standards protect against ransomware attacks

The Grand Palais, which is hosting Olympic events in Paris, and around 40 other museums in France have been victims of a ransomware attack. (Photo: Eric Pouhier - Own work, CC BY-SA 4.0).

France's national museum network has fallen victim to a cyber-attack, with criminals encrypting sensitive financial data and demanding a ransom to prevent its release. The Grand Palais, a venue for the Olympic Games in Paris, is one of around 40 museums affected.

While it is unclear exactly how much the cyber-criminals are demanding, the ransom is unlikely to be cheap. According to the Embroker Cyber Index Report, ransomware attacks are becoming both more expensive and more frequent. The report says that in just one year the average ransom demand has risen roughly fivefold, from $400 000 to $2 million. That is without factoring in lost income while criminals hold IT systems to ransom. Embroker estimates that in 2023 the average length of system downtime after a ransomware attack was equivalent to 17 business days.

In response to this growing threat, many organizations are implementing robust information security management systems (ISMS) to help prevent or mitigate the impact of these attacks. One of the most widely adopted frameworks is ISO/IEC 27001, the internationally recognized standard for information security management.

Implementing ISO/IEC 27001 provides a systematic approach to information security management. It helps organizations to establish a culture of security and minimize the risk of ransomware attacks.

ISO/IEC 27001 sets out the requirements for an ISMS: a framework of policies, procedures and controls for managing risks to the confidentiality, integrity and availability of information. Its Annex A provides a comprehensive set of reference controls (described in detail in ISO/IEC 27002) that can be tailored to the specific needs of an organization, and its risk management approach requires organizations to identify, assess and prioritize their information security risks before selecting the controls that treat them.

ISO/IEC 27001 includes both technical and non-technical controls. Technical controls, such as firewalls, intrusion detection systems and access controls, help to prevent unauthorized access to networks and data. Controls that protect availability matter just as much against ransomware: Annex A also covers information backup, and whether backups exist, are kept out of reach of an attacker who already has access to the network, and have been tested for restoration largely determines how quickly encrypted data can be recovered without paying.

According to a report by Informed Sauce, more than 90% of breaches are due to poor patch management. Because it is a critical component of a comprehensive security strategy, ISO/IEC 27001 includes a control for the management of technical vulnerabilities: organizations are expected to obtain timely information about vulnerabilities in the systems they use, evaluate their exposure to them, and apply patches or other mitigations so that vulnerabilities associated with missing patches are identified and addressed in a timely manner.

But a comprehensive security approach involves not only implementing the right technology and processes but also ensuring that people understand their roles and responsibilities in preventing cyber security incidents. Indeed, employees are often the entry point that attackers target first.

According to a report by Barracuda, nearly 70% of organizations surveyed revealed that their ransomware attack started with a phishing email, a fraudulent message designed to trick recipients into revealing sensitive information or installing malware.

ISO/IEC 27001 requires organizations to establish information security policies and procedures, including those related to raising the awareness of employees. This could, for example, include training on how to recognize and avoid phishing emails and other social engineering tactics.

ISO/IEC 27001 also requires organizations to monitor, review and continually improve their ISMS, including regular management reviews and internal audits, so that defences can be adjusted against continuously evolving cyber threats, including ransomware attacks. IECQ conformity assessment can provide added assurance.

ISO/IEC 27001 is now part of an approved process scheme that provides for the independent assessment and issuing of an international IECQ certificate of compliance.

IECQ ISMS facility assessments under the IECQ AP scheme ensure a focus on the key technical and administrative elements that provide confidence that all the requirements of ISO/IEC 27001 have been met.