Frequently asked questions: cybersecurity
What is cybersecurity? What is a cyber-attack and how should you protect yourself against this? How can certification according to an internationally recognized standard such as ISO 27001 help? You will find answers to these and other questions below.
-
What is a cyber-attack?
In a cyber-attack, third parties gain unauthorized access to computers and computer networks through weaknesses in software or hardware, with the aim of sabotaging them or stealing, changing or destroying data. Cyber-attacks range from installing spyware on a home PC to attempts to attack a country’s vital systems. Depending on the motives of the perpetrators, cyber-attacks may be intended for financial gain or corporate espionage, but may also be part of cyber warfare or cyber terrorism. They can even simply be a form of digital vandalism.
-
What is cybersecurity?
Cybersecurity is the protection of IT systems (computers, data, servers, networks, mobile devices, etc.) against theft of and damage to hardware, software and data, and against disruptions to business continuity. Cybersecurity is becoming increasingly important due to the growing dependence on computer systems, web applications, wireless networks such as Bluetooth and Wi-Fi, and the ‘internet of things’, in which the most diverse equipment is connected to the web. According to many, cybersecurity is one of the greatest challenges of our digital age, due to the technical and political complexity of the playing field.
-
What is a cyber risk?
From an insurance perspective, cyber risk is financial damage caused by intangible damage to IT systems, as opposed to, for example, fire or a leak. The financial damage after a cyber-attack is caused, among other things, by loss or damage of data, (un)availability of systems, business interruption, extortion and fines. Insurance companies distinguish three groups of cyber risks:
- Computer virus, DDoS attack or a hack: a DDoS attack, for example, aims to overload a website in such a way that it becomes unreachable. This has already happened to several government websites and the websites of a number of banks;
- Human error: employees of an organization can (intentionally or accidentally) cause damage to a computer system or to data;
- Technical failure of IT systems: financial damage can also be caused by technical problems with the organization’s own or external computers, servers, hardware and software.
-
What are the biggest cyber threats?
Every year the Dutch counterterrorism authorities and the National Cyber Security Centre (NCSC) publish the Cyber Security Assessment Netherlands. According to the 2018 edition, there are six core problems that influence each other and together form the basis of the cyber threats that we face:
- Cyber-attacks are often profitable, easy to carry out and low risk for perpetrators;
- Attack resources (infrastructure, tools and technology) are offered for payment by service providers;
- Unsafe products and services: producers have few economic and legal incentives to produce secure hardware and software;
- Conflicts of interest lead to concessions: cybersecurity measures cost time and money, two scarce resources that can also be used for other purposes;
- Growing complexity and connectivity create an increasingly complex IT landscape, at the expense of oversight and therefore resilience;
- We are highly dependent on a limited number of (foreign) suppliers. They have a great deal of knowledge and resources, but are subject to foreign legislation and can be forced by local authorities to cooperate in, for example, intelligence operations.
-
How can you become resilient to cyber threats?
Although cybersecurity is a hot topic in society and a high priority for many organizations, data breaches and other cybersecurity incidents still occur regularly. In retrospect it often turns out that those incidents were caused by known problems and could have been prevented if, for example, a security update had been installed on time. When it comes to cybersecurity, it is tempting to lose yourself in high-tech solutions and grand strategies. However, if the most fundamental security measures are not in order, you will be fighting a losing battle. A thorough approach to cybersecurity and information security starts with the basics: creating awareness of this theme, implementing an organization-wide policy and taking appropriate measures. Certification against an international standard such as ISO 27001 or - especially for the Dutch healthcare sector - NEN 7510 is the perfect starting point for this.
-
What is the ISO 27001?
ISO 27001, also known as NEN-ISO/IEC 27001, is an internationally recognized standard for information security. Organizations can use the guidelines and requirements of this information security standard to structure their processes. ISO 27001 helps organizations to address the confidentiality and availability of their information management in a structured way. ISO 27001 certification adds value for a wide range of organizations, from commercial companies and government agencies to non-profit organizations and security companies.
-
What is the added value of ISO 27001 certification?
Information security and cybersecurity are a top priority for many organizations. That is why ISO 27001 certification adds value for every organization that deals with processes involving financial risks and risks concerning privacy-sensitive information. The ISO 27001 certificate is increasingly considered a must in tendering processes. It is also important for employees to know that the organization they work for handles confidential information properly.
-
What is an ISMS?
An Information Security Management System (ISMS) is a set of policy rules and procedures for systematically managing the confidential and valuable data of an organization. The ISMS enables this with a blueprint for a cycle of continuous improvement (Plan-Do-Check-Act). The ISMS records an organization’s information security risks and the associated measures, plus methods to test and adjust them. An ISMS aims to minimize risks and to safeguard business continuity by proactively limiting the impact that an IT security breach can have. In addition to data and technology, an ISMS is also about the behavior and work processes of employees. The ISO 27001 standard contains specifications for establishing an ISMS. The standard does not prescribe specific actions, but gives guidance on documentation, internal audits, continuous improvement, and corrective and preventive measures.
-
Which parts are covered?
ISO 27001 is about protecting information as a business asset. A risk analysis determines which sources of information this includes. During a risk analysis, not only the information itself is considered, but also the underlying storage facilities and the systems used for distributing the information. The information protection processes may also fall under the ISMS, depending on the scope of the information to be protected.
-
How can I determine the current status of my organization’s information security?
A test audit is the best way to determine to what extent an organization meets the standard. The advantage of a test audit is that it can be tailored to the organization. For example, it is possible to zoom in on specific elements or parts of the organization, or to test the various elements of the standard individually.
-
How should I implement this?
Kiwa previously published the whitepaper ‘What are the steps to become ISO 27001 certified’ (pdf), dealing with the implementation of a structural approach to information security and cybersecurity.
-
What does the certification process look like?
In an ISO 27001 audit, it is checked, based on the information provided in advance, whether the organization meets the ISO 27001 certification requirements. If shortcomings are found, the organization is given the opportunity to improve its processes where necessary. External expertise is often used for this. If the result of the examination is positive, certification follows. This must be done by an accredited certification body.
-
How long is my certificate valid?
The ISO 27001 certificate is valid for 3 years. After certification, annual audits take place.
-
How much does ISO 27001 certification cost?
The costs involved in ISO 27001 certification depend on, among other things, the scope and size of the organization. For a price indication or quotation, you can contact Kiwa’s Expert Center Information Security without obligation via informationsecurity@kiwa.com or +31 (0) 88 998 3020.