Governance

How can an ISMS help your SMB?

When you mention ISO, executives start to see dollar signs and resource allocation rather than future business benefit. For SMBs, which may already be struggling with the challenges of operating under COVID, how do you take on such a big endeavour?

First of all, if you're an SMB you don't have to start off with a full ISMS implementation on day one. Start with the basics, such as completing a company Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA). The outputs from these will help map where your "assets at risk" are and where you need to put your resources and efforts early on. With this completed, you can then start to plan your strategy towards a full ISO 27001 implementation over a period of several years as the company grows and develops.

By doing this early in a company's development you will be able to get better control over your business operations. If you're a technology firm you can use the ISMS to differentiate yourself from competitors, as the first question many customers will ask is "what do you do for security and privacy?". Starting the foundation of an ISMS shows your commitment to security and risk management for the business.

Depending on the sector you're in, many customers now issue complex, security-focused RFPs, and you have to provide assurances that your company is able to operate in a secure state. Your ISMS implementation will aid greatly in meeting this requirement. It will help you complete RFPs faster and with a better rate of success than competitors who choose not to go this route.

Impact of a data breach

With the cost of breaches going up and updated regulatory requirements mandating reporting and fines, the damage to your company's reputation is ever increasing. By implementing an ISMS you can show that you have put in place the necessary controls to minimize the impact of a data breach, and that you also have the means to quickly triage, contain, and mitigate the risks. Organizations without this approach struggle during a data breach, and over 60% of breached companies go out of business within 2 years as they fail to regain customer trust.

By securing its data, a company reduces the potential for exposure and for litigation.

Compliance

By the simple process of documenting what actions need to be taken, when, and by whom, employees are better able to understand what they can and can't do in a given situation. This includes the many regulations, laws, and contractual obligations for security and privacy. With an ISMS implemented you can quickly scale and grow a company and still meet or exceed market requirements for security.

Attracting Investment

Many small tech companies will be looking to grow with external investment. With many startup companies looking for capital, having a means to differentiate yourself will be key. Investors are not only looking at market potential, the financials, and legal matters, but also at how secure the product/solution and the organization are. Having an ISMS will show management's dedication to a secure business and to developing secure solutions for the market.

Targeting ISO 27001 accreditation

For the typical organization, implementing ISO 27001 can take up to 24 months depending on the size and complexity of the business. For startups, putting the framework for an ISMS in place will greatly reduce the impact and cost of moving towards certification, especially if this is required for contract awards. With a base ISMS implemented, an organization can complete the certification aspect in about 6 months, and the reward of meeting your contractual obligations and growing revenue will make it worth the effort.

With the dramatic growth of IoT globally in all sectors, medical was not going to be bypassed; instead there has been significant growth in new medical products and services.

With some of these new solutions come more capabilities and freedom for patients, who can now be fully monitored without in-person care. With an aging population and a global pandemic, the timing could not be better for the uptake of these technologies.

Now the part that makes everyone uncomfortable is how to protect the privacy of the patient and ensure that there are no inherent cyber risks in using the product, i.e. can it be weaponized.

Over the past couple of years, we have been working with many health product companies globally to help with securing these solutions. This includes a 3-year research project on IoT for Medical Devices. This has led to a methodology that allows us to formally assess a solution. Now this is not just what some would call penetration testing, but a lot more than that. We create a testing environment that includes power supplies, SDRs, packet generators for various protocols, wireless sniffers and countless other tools. We also have a playbook that is used to test all classes of products.

Based on this, if you are looking to test and evaluate health devices, here is some guidance we would like to share with you.

  1. Determine the market you are looking to sell the product into; this will determine the minimum testing and evaluation that will have to be provided. In Canada that is Health Canada and in the US it is the FDA. Both have very specific requirements for products under this classification, so make sure you understand the documentation you will need.
  2. Determine the standards to be used for evaluation; this may include one or more of the following:
    • UL2900-1-1 or UL2900-2-1
    • CSA T200
    • ISO 14971
    • IEC 80001-1
  3. These standards will determine the test cases for how each aspect is to be assessed and verified. Keep in mind, these tests and tools must be repeatable, and all outputs of testing need to be collected for validation and auditing. When creating each test case, ensure you are following a scientific methodology. You will have to explain to reviewers the how and why of each test case. You can even take screen recordings and captures to record impacts on devices under test.
  4. Some of this testing will not be easy, especially if you do not know aspects of system design, hardware testing, and tools such as logic analysers. It will also take longer than you anticipate. Plan your project scope accordingly.
  5. Packet capture everything and spend enough time analyzing it. Many times we found some intel on the devices by them being "chatty" on the wire. This includes sending nuggets of information in headers and data fields unencrypted, which can be used against a device. You have got to love metadata!
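As an added illustration of steps 3 and 5 (not TwelveDot's playbook or tooling), the following Python shows what a repeatable, auditable test case for "chatty" devices can look like: it walks frames pulled from a capture, treats binary-looking payloads as opaque, and records every device or patient identifier found in clear text as a finding that can be stored as review evidence. The frames, identifiers, hostnames and the test-case ID `TC-NET-PLAINTEXT` are constructed for the example.

```python
import re
import string

# Constructed sample "packets" standing in for frames pulled from a capture
# of a device under test; the identifiers and hostnames are made up.
SAMPLE_FRAMES = [
    {"src": "10.0.0.21", "dst": "203.0.113.5", "proto": "HTTP",
     "payload": b"POST /telemetry HTTP/1.1\r\nHost: cloud.example\r\n"
                b"X-Device-Serial: MD-00012345\r\nX-Firmware: 2.3.1\r\n\r\n"
                b"patient_id=P-7781&hr=72&spo2=97"},
    {"src": "10.0.0.21", "dst": "203.0.113.5", "proto": "TLS",
     # Opaque application data: nothing readable should be extracted from it.
     "payload": bytes.fromhex(
         "17030300208f1e7b02c4d9a6e0ff93b1c7f2a4d8e6b0c1d2e3f4a5b6c7d8e9fa")},
]

# Fields a reviewer would not expect to see in clear text on the wire.
SENSITIVE = {
    "device_serial": re.compile(rb"(?i)serial\s*[:=]\s*([\w-]+)"),
    "firmware_version": re.compile(rb"(?i)firmware\s*[:=]\s*([\d.]+)"),
    "patient_identifier": re.compile(rb"(?i)patient_?id\s*[:=]\s*([\w-]+)"),
}

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; random/encrypted data sits near 0.4."""
    if not data:
        return 0.0
    return sum(1 for b in data if chr(b) in string.printable) / len(data)

def inspect_frame(frame: dict) -> list:
    """Return one finding per sensitive field sent in clear text in this frame."""
    payload = frame["payload"]
    if printable_ratio(payload) < 0.8:   # binary-looking: do not try to parse it
        return []
    findings = []
    for name, pattern in SENSITIVE.items():
        for match in pattern.finditer(payload):
            findings.append({
                "test": "TC-NET-PLAINTEXT",  # constructed test-case identifier
                "flow": f'{frame["src"]}->{frame["dst"]} {frame["proto"]}',
                "field": name,
                "value": match.group(1).decode(errors="replace"),
            })
    return findings

def run_test_case(frames: list) -> list:
    """Collect findings across a whole capture so they can be kept as audit evidence."""
    return [f for frame in frames for f in inspect_frame(frame)]

if __name__ == "__main__":
    for finding in run_test_case(SAMPLE_FRAMES):
        print(finding)
```

On the constructed capture this reports the serial, firmware version and patient identifier from the HTTP frame and nothing from the TLS frame; the same function run against a real capture gives the reviewer a consistent, re-runnable record for each device under test.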

As you work towards medical certification, keep in mind you can do these tasks both in-house and using a 3rd party. If you are using a 3rd party, make sure they are accredited. Using a consultant for pen testing might save you some money but may not pass a regulatory review.

TwelveDot currently provides a complete solution, covering testing of hardware, firmware, network communication, mobile and web applications and the cloud platform, that exceeds current FDA and UL2900 requirements for testing and evaluation. We are working with global medical equipment companies to evaluate and secure their solutions. Please contact us to learn more.


We recently held the 2nd session in our CIO Africa MasterClass series to continue our conversation on helping CIOs share strategies for dealing with the COVID-19 shutdown and WFH.

Our keynote was from Dr. Coker of Rack Center Limited who offered the following guidance:

  1. You need a Business Continuity Plan – regardless of the size of your business.
  2. You need a Disaster Recovery Plan – to ensure you restore critical business functions as quickly as possible.
  3. Resilience – a business needs the capability to deal with uncertainty; without this, situations such as the COVID-19 shutdown will have dramatic impacts on your business.

These points served as the basis for our discussion and questions; let's look at some of these topics in depth.

Carole Karema (Equity Bank, Rwanda) built on these topics with examples of how the Rwandan banking system ensured that it was not only able to offer basic services but also expanded online services and features for clients and businesses. For businesses impacted by a local and global slowing economy, having a lifeline to help with cash flow and loan repayment provides several options to business owners and executives.

Nixon Mageka (Policy Expert, Kenya) also talked about the importance of health services and education during these times and how to keep the fabric of our families' health supported for non-COVID related illnesses. We have all had to learn to work remotely, and that means having your little ones interrupt meetings to show you something or just to get the attention they deserve. They have no idea why you're sitting on the phone all day when they need their stuffies that are just out of reach on a shelf. They are confused why you're always home and why they can't go to the park or play with their friends any more. The stress on everyone is going to have long-term impacts on us all. That includes the social isolation that we are all feeling. The impacts on our society will be long-lasting and some things will change forever.

I quickly noted that work from home also really illustrated an issue we are facing in Canada: the gap between those with Internet access and those from lower-income families who don't have a device and possibly no Internet, who are being impacted. Those kids are not really accounted for during these outages. Many school boards in Canada scrambled to find both technology and Internet access to provide these services to those less fortunate.

From a security perspective, we need to keep our security hygiene in place as well. This includes: not installing pirated software, having an up-to-date anti-malware application, not clicking on every email that sounds urgent, and making sure we have backups of our devices and critical data. While some home users are working on their own private devices, those devices may still be used to attack the other digital assets of the company. Make sure you know who to contact at your company if you believe you have experienced a cyber issue.

In closing, we had another successful session with some of Africa's thought leaders on technology and business. They shared some key points with attendees on current topics of operating your business under COVID. In the future, we will be expanding our faculty members and the courses being offered; keep an eye out for these announcements.

I will be providing the link to the session video once available.