Welcome to the second edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter comprises a combination of inclusive articles and the identification of useful and topical sources on the web.
This edition covers:
MAJORITY OF CYBER CRIMES NOT REPORTED
A survey of the leading companies in 12 countries, undertaken by accounting firm KPMG, concluded that almost 10% had experienced a cyber-security breach during the past twelve months, but that the majority of these companies did not take any legal action against the offenders. A representative of KPMG was quoted as saying: "What we see in the cases that are reported to us is that companies are far more concerned in recovery of assets and keeping their names out of the newspapers than they would be about prosecutions. If they report their losses to regulators or law enforcers, then the focus of any investigation generally becomes the prosecution of offenders." He also added: "The majority of frauds are committed by people inside the company. If someone has broad knowledge, they are more capable of bypassing any procedures they might have." (From an article published on www.zdnetasia.com)
An Information Security incident must be reported to outside authorities whenever legislation or regulation requires it. By failing to report an incident where you are legally obliged to do so, your organization may unwittingly be aiding or abetting an offence. If you believe a crime has been committed, the following actions are strongly recommended:
- Contact the relevant regulatory body and / or law enforcement agency, as appropriate
- Gather evidence to prove malicious intent, especially if the suspects are members of staff; but consider carefully the validity of such evidence before reporting it to a third party
- You may wish to take legal advice about the severity of the offence
- Consider how best to support the investigative process with the minimum breach to your Information Security. You may wish to use a specialist Information Security organization if you lack in-house expertise.