Inavate Insights: May 2025

Inavate Insights News

In This Issue

  1. How Internal Auditing Strengthens ISO 27001 Security
  2. UK Cyber Security and Resilience Bill
  3. Navigating the Cybersecurity Landscape in a Geopolitical World
  4. Advice from a Middle-Aged Woman in Tech
  5. Retail Cyber Attacks Highlight Urgent Need for Robust Security Across All Sectors
  6. AI and Cybersecurity
  7. Cybersecurity Begins with Leadership, Not Technology

In our quarterly round-up of news from around the web, get the lowdown on the must-know information security items from the past few months, and look ahead at what’s on the horizon to keep on your radar.

1. How Internal Auditing Strengthens ISO 27001 Security

Andy Brophy, Inavate’s Founder with over 20 years of experience as an ISO 27001 and cyber security consultant, recently explored the true value of internal auditing beyond compliance in an article for Professional Security Magazine. In the article, he breaks down what an effective internal audit looks like, the benefits of a strong audit process, and best practices to maximise its impact.

Key takeaways include:

  • Guide to ISO 27001 internal auditing and its role in compliance.
  • The business and security advantages of a well-structured internal audit process.
  • Best practices for conducting audits.
  • How internal audits can help organisations stay ahead of evolving security risks.

Read the article in Professional Security Magazine here.

2. UK Cyber Security and Resilience Bill

In April, we reported that the UK’s Cyber Security and Resilience Bill is set to bring certain Managed Service Providers (MSPs) under the same regulatory framework as digital service providers covered by the Network & Information Systems Regulations (NIS Regulations) 2018. That means higher expectations, mandatory incident reporting, and regulatory oversight from the Information Commissioner’s Office (ICO).

The new Bill applies to providers based on size, risk profile, and criticality of services. This includes datacentres, managed service providers (MSPs), and ‘critical suppliers’ that support essential functions or public-facing infrastructure. Secondary legislation will define exactly who qualifies.

This is why ISO 27001:2022 makes sense. It’s about creating a culture and system of continuous risk management, security awareness, and accountability. It aligns closely with the NIS requirements MSPs will soon face.

Read more in our article ISO 27001:2022 – A practical route to compliance for MSPs.

3. Navigating the Cybersecurity Landscape in a Geopolitical World

In today’s increasingly interconnected world, cybersecurity is no longer just a technical issue, it’s a geopolitical one. For organisations operating across borders, the challenge of protecting data and maintaining compliance has become more complex than ever.

Rising cyber threats, fragmented regulatory landscapes, and growing state-sponsored attacks mean businesses must think not only about how they secure their systems, but where and with whom they do business.

Read more in our article here.

4. Advice from a Middle-Aged Woman in Tech

Starting her career in IT in the early 2000s, a journey marked by curiosity and resilience began for Miral Laurie, Inavate’s Information Security Consultant. Growing up in an era that straddled life before and after the internet, her Indian upbringing emphasised creative arts. However, her first brush with science and technology came from watching science fiction with her Dad. She was the quintessential “why” kid, always questioning how things worked, fixing broken gadgets, and unknowingly honing the problem-solving mindset that would define her career. From coding on a BBC Basic to spending hours on a Commodore 64, her path into tech was anything but conventional.

In her article, she delves into her unplanned journey into tech, breaking into the industry, the reality check of gender and career struggles, facing adversity and burnout, redefining success, and offers advice to her younger self and other women in tech. Her story is a testament to perseverance and passion, and she invites you to read on and be inspired by her experiences.

5. Retail Cyber Attacks Highlight Urgent Need for Robust Security Across All Sectors

In recent weeks, the retail sector has faced a wave of high-profile cyber attacks, underscoring the growing threat landscape. Marks & Spencer (M&S) has been significantly impacted by a ransomware attack attributed to the Scattered Spider hacking group, causing widespread disruptions to their payment systems and online orders.

Meanwhile, the Co-op experienced an attempted breach, which, although less severe, still highlights the persistent risks retailers face. Harrods also reported an attempted cyber attack, adding to the list of targeted UK retailers. These incidents serve as a stark reminder for IT leaders to bolster their cybersecurity measures and remain vigilant against increasingly sophisticated cyber threats. It’s not just the retail sector that needs to be vigilant; organisations across all industries, from financial services through to healthcare and technology, must prioritise robust cybersecurity strategies to protect against these evolving threats.

6. AI and Cybersecurity

Artificial intelligence is revolutionising how organisations tackle cybersecurity challenges, focusing on enhancing human capabilities rather than replacing them. Siva Sivasubramanian, former CISO at Optus, emphasises that AI aims to eliminate tedious tasks while expanding expert capabilities. He advocates a two-stage approach to AI implementation: first, AI handles process-driven analysis, such as document reviews and questionnaire evaluations, providing instantaneous feedback to vendors. The second stage involves expert decision-making based on broader contextual factors. Sivasubramanian stresses the importance of a transparent, traceable process to ensure decisions are based on repeatable methods. Looking ahead, he remains optimistic about AI’s potential in cybersecurity, describing its opportunities as phenomenal.

Read his comments in the Data Breach Today article here.

7. Cybersecurity Begins with Leadership, Not Technology

Jane Frankland, a renowned cybersecurity influencer, advisor, and speaker, emphasises the critical role of leadership in cybersecurity. In her recent blog, she questions whether AI might be jeopardising cybersecurity, stating, “We’re rushing to plug in AI, but we’re ignoring the culture we’re plugging into”. Frankland argues that cybersecurity doesn’t start with technology; it starts with leadership. Leaders shape culture, which in turn drives behaviour. She highlights that organisations often invest heavily in governance, risk, and compliance (GRC) and risk management, while neglecting foundational elements like leadership and culture. The result? Fragile systems that fail to keep pace with attackers.

We wholeheartedly agree with Jane and consistently advocate for integrating ISO 27001 compliance into the culture of your business, along with the importance of employee training. However, as Jane points out, using AI in a company that hasn’t addressed its culture and human factors can lead to vulnerabilities. For more insights, read our blog on Winning the Cybersecurity Battle: How Employee Training Strengthens Your Information Security Management System and Jane Frankland’s article on What Maslow’s Hierarchy of Needs Reveals About Cybersecurity Flaws.

Stay Secure and Resilient!

For support with ISO certification, Cyber Security, or any topic discussed, please reach out to the team at Inavate Consulting.

The Inavate Consulting Team
Email: Info@inavate.co.uk.

Follow on LinkedIn Inavate Consulting Limited.
