There can be little doubt that securing and protecting information is an essential requirement for organisations, irrespective of their market sector or size. The challenge for many organisations, however, is implementing and maintaining a level of information security that is appropriate to them. This can be achieved by adopting an approach to information security management that is based on continuous improvement and regular review – a management system. It is important to note that no two information security management systems (ISMSs) will be the same, due to organisational differences in the actual and perceived values of information, business goals, risk appetites, demands by customers/regulators etc.
Your ISMS should be tailored to and reflect your organisation, how you work and the terminology you use, and should be part of business as usual. We, at URM, are cognisant of these requirements and are dedicated to assisting you to identify, achieve and maintain your desired levels of information security.
How do we achieve this?
A growing cyber risk for all organisations is phishing, where fraudsters attempt to access valuable information such as usernames, passwords and account information by masquerading as a reputable entity or person in an email or another communication medium. Phishing can also involve sending malicious attachments or website links in order to infect computers or mobile devices.
In order to combat the threat of phishing, organisations need to adopt technical solutions backed up by comprehensive staff awareness campaigns designed to increase the likelihood of users spotting a phishing attempt and raising a security incident, so that the organisation can respond accordingly.
In order to assist organisations in assessing their users’ awareness of and vigilance to phishing attempts, and their handling of incoming third-party emails, URM has developed an effective methodology aimed at determining and measuring an organisation’s level of exposure.
Working closely with sponsors from the client organisation, we develop micro websites and a campaign of orchestrated emails aimed at inducing users to open the email, click on a link and provide sensitive information, e.g. passwords. This involves creating initial emails and micro websites that resemble the email/website being imitated, and then responding and evolving the campaign as users begin to interact with the emails. Naturally, the potential impact on the organisation of users clicking on unknown links and providing confidential information could be extremely damaging.
At the end of the exercise, through the use of our tracking software, we are able to report back on the number of users who potentially exposed the organisation to the risk of a data breach or to malicious software. Once completed, the results of the exercise can then form a very powerful component of any staff awareness programme. By referring to the actions of personnel from the actual organisation, cyber risk is no longer an abstract term but something users can practically relate to.