Tags: fraud iso27001 management system

Every little helps Fraudsters, not you or Tesco.

Information Security / Monday 7th of November 2016

The loss of money and the inconvenience to the thousands affected by the weekend's attack on Tesco Bank's online accounts is deeply disturbing. People are already telling their stories of being unable to pay bills or buy petrol or food. We all appreciate the impact such things would have on any of us in this cashless society.

There are five key actions to take as individuals to try and keep safe from Fraudsters,

  1. Never disclose security details such as your PIN or full banking password
  2. Don’t assume an email or phone call is authentic
  3. Don’t be rushed or pressured into making a decision
  4. Listen to your instincts
  5. Stay in control

If you do think you are the victim of fraud on your cards or bank account, contact your bank or other financial institution immediately, and then Action Fraud on 0300 123 2040 or at action.police.uk

Away from the clearly disturbing and disruptive personal impacts, the most worrying aspect of the weekend's cyber attack on Tesco Bank is that it appears to have been automated, i.e. computer to computer, rather than relying on individual customers being tricked one at a time.

As such it was an attack on the very heart of the bank's systems, not just people "phishing" or malicious software and viruses on customers' machines. The victims here have not been scammed; the bank itself has been attacked. Possibly through flaws in the bank's software or security controls, or just a plain old "inside job". At the time of writing the cause has not been confirmed.

Having thought about the personal impact, have you considered what information and business data is held in your own business about your customers, suppliers and employees? How do you protect this data from loss, misuse or theft?

A standard on information security such as ISO 27001 can help you put in place, and then manage, the systems and processes that minimise the risk to your organisation's information and data.

You may have an Information Security Policy in place already. Hopefully your organisation takes it seriously and everyone complies with it: no "oh, I use so-and-so's password because I'm locked out" attitudes, since shared credentials defeat both access control and the audit trail.

It is important that senior management buy into the need for an Information Security Management System (ISMS), that it covers every area of the business which handles information and data, and that departments cooperate with each other on security rather than leaving it to IT alone.

The scope of an ISMS should be defined, so that the areas to be managed and controlled are clearly identified. The Standard requires you to conduct a risk assessment, decide how each identified risk will be treated (reduced, accepted, transferred or avoided), and set measurable objectives against which the controls are checked. That is a sensible strategy regardless of whether you pursue formal certification.

Like other ISO standards, it sets requirements for documentation, internal audits, corrective action and continual improvement. It also requires a Statement of Applicability, listing which of the Annex A controls you have applied, which you have excluded, and why.

As can be seen from the example of Tesco Bank, and many others in recent years, every individual and every commercial business is a target for fraudsters. As our reliance on electronic and remote systems and technology (particularly mobile technology) increases, the fraudsters will follow.

But a few simple techniques or working to a defined set of principles and actions, might just keep them at bay.