Protection against cybercrime
ISO/IEC 2700x series of standards
The term "fake president attack" or CEO fraud, an example of organized cybercrime, is no longer circulating only among insiders. Authorized employees or even CEOs are contacted in the usual way - via e-mail or fax - by persons posing as senior managers of their own company. The sender asks the employee or colleague to carry out an allegedly urgent and confidential financial transaction to a foreign account.
Once the employees have transferred the money, no official confirmation follows. On the contrary, the stolen amount is quickly split into smaller sums and moved on to opaque accounts. In Switzerland, according to a report in the Handelszeitung, the companies affected lost up to five-figure sums of francs per case.
Two German companies were recently defrauded of as much as 40 to 50 million euros. After the loss was announced, the share prices of the attacked companies immediately dropped. According to the information on their websites, the affected German companies were not yet certified according to the ISO/IEC 2700x series of standards at the time of the losses.
Safety through standards
Certification reinforces targeted controls in order to avoid damage - which can be caused by fictitious e-mails, for example. Europe-wide standards now also protect companies against fraudulent methods. Until now, the ISO/IEC 2700x series of standards was only available in English. At the beginning of 2014, the German Institute for Standardization (DIN), the Austrian Standards Institute (ASI) and the Swiss Standards Association (SNV) set up a joint translation group with the aim of producing uniform translations of selected ISO and ISO/IEC standards for the entire German-speaking area.
After more than a year of intensive work, a German translation of the ISO/IEC 27001:2013 standard is now available and was adopted into the Swiss body of standards in May 2015: SN ISO/IEC 27001:2015 (see box at the end of the text).
Organize and control
The ISO/IEC 2700x series of standards serves as a guide for business managers. On this basis, the responsible persons can develop a concept and guidelines for the company together with the IT specialists. This requires a holistic approach covering all areas. It is important to take the current state of the art into account and, if necessary, to plan and implement adjustments. A risk and vulnerability analysis is required in any case when introducing ISO/IEC 27001 and other standards.
First of all, the ISMS concept (information security management system), i.e. the objectives, processes and procedures required for risk management, is defined during certification.
In order to achieve the defined goals, it may be necessary to change the organization of the relevant processes in the company. Documenting the measures and procedures of the digital processes is naturally part of security and information management. Ongoing monitoring of whether these measures are working is the task of the so-called "security policy" according to the standard ISO/IEC 27003 "Information technology - IT security procedures - Information security management system implementation guideline".
This monitoring should not turn into "Big Brother" surveillance, but should rigorously check whether the set security objectives have been achieved, whether weak points remain and where improvements are possible and necessary.
New EU Directive
For companies doing business abroad, international law must be taken into account. In the EU, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of network and information systems in the Union (NIS Directive) has recently come into force. It contains EU-wide rules for cybersecurity that the member states transpose into national law.
The role of the Swiss Standards Association (SNV)
The Swiss Association for Standardization (SNV) represents the global standards of ISO as well as the European standards (CEN) in Switzerland and is involved in numerous national and international standards networks. In recent years, the SNV Standards Committee INB/NK 149/UK 7 has made important contributions to the structure and content of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. SNV also actively participates in the new editions of ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005.
At SNV, companies or associations can become individual or collective members, depending on their size and activity. More than 600 Swiss companies and institutions already enjoy the benefits of SNV membership. By participating in a standards committee, they gain early knowledge of future standards. In this way, they set the course for their company in the role of "early mover".
SNV offers exciting continuing education courses and, thanks to its direct links with the International Organization for Standardization (ISO) and the European Committee for Standardization (CEN), has the best sources for informing customers not only about hazards but also about the latest standards and their practical implementation.