Information Security: ISO 27001 and the Human Factor in Cyber Security
Jessica Doering

April 21, 2024




The Human Factor: Risks to Cybersecurity

In this digital era, cybersecurity is crucial. No one is safe from cyberattacks, no matter the size or type of organization. The fallout from these attacks can be major - think data breaches, financial losses, and serious damage to your reputation. Most organizations go all out with technical controls to defend against cyber threats, but they forget about the human side of things. Slip-ups made by people can cause serious harm and leave your organization exposed.

So, in this blog, we dive into five human errors in cybersecurity that can put your organization in danger...

The Human Factor in IT Security

1. Weak Passwords

Weak passwords are one of the most common human errors in cybersecurity. Employees often choose weak passwords that are easy to remember, such as "123456" or "password." Weak passwords are easy for cybercriminals to guess or crack, leaving your organization's systems and data vulnerable to attack. To mitigate this risk, organizations should implement password policies that require employees to use strong passwords that are difficult to guess.

So what are strong passwords?

Strong passwords are passwords that are difficult for someone else to guess or crack using automated methods. They are at least 12-14 characters long and typically contain a combination of upper and lower case letters, numbers, and special characters, although length does far more for strength than forced character classes: a long passphrase beats a short string of symbols. A strong password should not include easily guessable information like your name, birthdate, or common words, and it should not appear in lists of passwords leaked in earlier breaches, because those are what attackers try first. It's also important not to reuse passwords across multiple accounts, as this makes all of your accounts vulnerable if one password is compromised; a password manager is what makes long, unique passwords practical.

In addition to using strong passwords, it's also important to enable two-factor authentication wherever possible to provide an extra layer of security to your accounts, ideally a phishing-resistant method such as a hardware security key or a passkey rather than SMS codes.
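The rules above can be turned into a check that runs whenever a user picks a new password. The following is an added example, not code from the original post or from Secfix: it checks length, character classes, personal information, a known-breached list and reuse, and reports every rule the candidate breaks. The policy thresholds, the passphrase exemption, the sample user and the tiny breached list are assumptions made for this example; the breached list is a constructed stand-in for a real data set such as Pwned Passwords, which stores SHA-1 digests the same way.

```python
import hashlib
from datetime import date
from typing import Iterable, List

# Policy parameters (assumed values for this example; ISO 27001 itself does not
# prescribe specific password rules).
MIN_LENGTH = 12
MIN_CLASSES = 3          # of lower / upper / digit / other
PASSPHRASE_LENGTH = 16   # at or above this length the class rule is waived

# Constructed stand-in for a breached-password list, stored as SHA-1 digests.
# A real deployment would query the Pwned Passwords service or a local copy;
# here it is just a handful of well-known weak passwords.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("123456", "password", "qwerty123", "Password1!", "letmein")
}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def personal_tokens(name: str, birthdate_iso: str) -> List[str]:
    """Strings derived from the user's name and birthdate (YYYY-MM-DD) that
    must not appear anywhere in the password."""
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    if birthdate_iso:
        birthdate = date.fromisoformat(birthdate_iso)
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d"):
            tokens.add(birthdate.strftime(fmt))
    return sorted(tokens)  # sorted so the report is deterministic


def check_password(pw: str, name: str = "", birthdate_iso: str = "",
                   previous_sha1: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the
    candidate is acceptable under this example's policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Long passphrases are exempt from the character-class rule (assumption).
    if len(pw) < PASSPHRASE_LENGTH and char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    hits = [t for t in personal_tokens(name, birthdate_iso) if t in pw.lower()]
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    digest = sha1_hex(pw)
    if digest in COMPROMISED_SHA1:
        problems.append("appears in a known-breached password list")
    if digest in set(previous_sha1):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample user.
    user = dict(name="Anna Lee", birthdate_iso="1990-05-17")
    for candidate in ("123456", "Anna1990!abcd",
                      "correct horse battery staple", "Tr0ub4dor&3xample!"):
        print(f"{candidate!r}: {check_password(candidate, **user) or 'OK'}")
```

Storing only the SHA-1 digests of previous passwords (never the passwords themselves) is enough for the reuse check, and the same digest is what you would send as a 5-character prefix to a k-anonymity breach-lookup service in a real deployment.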

2. Social Engineering

Social Engineering is the art of manipulation on steroids. It's all about using psychological tricks to get people to reveal sensitive information or perform actions they wouldn't normally do. These scammers are slick, and they know how to exploit human traits like trust, fear, urgency and greed to get what they want. Whether it's posing as a trusted authority figure, using fake websites or emails, or just plain old smooth talking, social engineering is a dangerous game that can leave you and your organization in serious trouble if you're not careful.

To prevent social engineering attacks, companies should train their employees on how to recognize and avoid them, give them an easy, blame-free way to report suspicious messages, and back the training with controls that limit the damage of a successful trick, such as multi-factor authentication and a second approval for payment or bank-detail changes.

3. Lack of Security Awareness

Another major gap in cybersecurity is a lack of security awareness. Too many employees do not understand why cybersecurity matters or how their actions can compromise your organization's systems and data. To avoid disaster, give your employees regular security awareness training. They need to learn how to spot phishing scams, how to dodge social engineering tricks, and how to handle passwords properly. Even a little training can go a long way in keeping your organization safe from cyber threats.

4. Neglecting Software Updates

Another major blunder in cybersecurity is neglecting software updates. Too many employees postpone or ignore update notifications, leaving their devices and systems open to attack. Attackers love to exploit known weaknesses in outdated software to get into your organization's systems and steal data. That's why it's crucial to have a policy in place that requires employees to stay on top of software updates. Better still, don't leave it to individuals at all: deploy updates centrally through your device management tooling, set deadlines after which updates are forced, and report on what is still unpatched. No excuses, no slacking off - your organization's security depends on it.

ISO 27001 does cover this, but not where you might expect. The asset inventory control (A.8.1.1 in the 2013 edition, A.5.9 in the 2022 edition) requires organizations to create and maintain an inventory of the assets to be protected. That inventory is the precondition for patching rather than the patching requirement itself: you cannot update software you don't know you are running, and an up-to-date inventory is what tells you which systems an advisory affects.

The patching requirement lives in a separate control, A.12.6.1 "Management of technical vulnerabilities" (A.8.8 in the 2022 edition). It requires organizations to obtain information about technical vulnerabilities in the systems they use in a timely fashion, evaluate their exposure, and take appropriate measures to address the risk, which in practice means installing relevant patches and updates promptly. The implementation guidance in ISO 27002 adds that the vulnerability management process should be monitored and evaluated regularly so that it stays effective.

5. Shadow IT

Listen up, because this is important: Shadow IT is the wild west of cybersecurity. It's when employees use unauthorized software or devices for work purposes, like their own personal laptops or a cloud service nobody vetted. This can leave your organization badly exposed, since those devices and services are probably not up to your security standards, and nobody is patching, backing up or monitoring them. To stop this, you need clear policies that prohibit unauthorized devices and software. Prohibition alone rarely works, though: people turn to Shadow IT because the sanctioned tools don't meet a need, so provide approved alternatives, and use your asset inventory, network and cloud logs to discover what is actually in use. And that's not all - you also need to make sure your employees are well-trained in cybersecurity best practices, from strong passwords to how to spot social engineering scams. Remember, it's on all of us to keep our organization safe, so let's get to work!

How does ISO 27001 help with security threats?

ISO 27001 addresses Shadow IT first through its asset inventory control (A.8.1.1 in the 2013 edition, A.5.9 in the 2022 edition), which requires organizations to establish and maintain an inventory of the assets that need to be protected. Anything in use that is missing from that inventory is, by definition, Shadow IT.

Shadow IT is considered an unmanaged asset and can pose a significant risk to the organization's information security.

To mitigate this risk, ISO 27001 expects organizations to define and enforce rules for how assets may be used. The control for that is A.8.1.3 "Acceptable use of assets" (A.5.10 in the 2022 edition), which requires rules for the acceptable use of information and assets to be identified, documented and implemented; a policy spelling out which devices, software and services are permitted belongs here. The neighbouring control A.8.1.2 "Ownership of assets" requires every inventoried asset to have an owner, which is exactly what an unmanaged device lacks.

The 2013 edition of ISO 27001 has no control specific to cloud services; the closest fit was the supplier-relationship controls in A.15.1 (A.15.1.1 is the information security policy for supplier relationships), since a cloud provider is a supplier. The 2022 edition added a dedicated control, A.5.23 "Information security for use of cloud services", which requires processes for acquiring, using, managing and exiting cloud services to be established in line with the organization's information security requirements. Either way, the control gives you the basis for deciding which cloud services are sanctioned and for reviewing how they are actually being used.
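The inventory, vulnerability-management and acceptable-use controls discussed in sections 4 and 5 only work together: the inventory tells you what you own, discovery tells you what is actually on the network (the difference is Shadow IT), and an advisory feed plus a patch deadline per severity tells you which inventoried assets are exposed and past their deadline. The following is an added example illustrating both sections, not code from the original post or from Secfix. The hosts, owners, product names, versions, advisories, dates and the SLA table are all constructed for the example and correspond to no real software or vulnerability.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# --- Constructed sample data -------------------------------------------------
# INVENTORY plays the role of the asset register required by A.8.1.1 / A.5.9.
INVENTORY = {
    "ws-0042":   {"owner": "a.lee", "software": {"acme-vpn": "4.2.1", "widget-office": "2.9.0"}},
    "ws-0043":   {"owner": "b.kim", "software": {"acme-vpn": "4.1.7", "widget-office": "3.0.2"}},
    "srv-db-01": {"owner": "ops",   "software": {"fictdb": "15.5"}},
}
# DISCOVERED is what a network scan, DHCP log or EDR console actually sees.
DISCOVERED = ["ws-0042", "ws-0043", "srv-db-01", "bobs-macbook", "pi-hole"]

# A tiny vendor-advisory feed (fictional products and versions).
ADVISORIES = [
    {"product": "acme-vpn",      "fixed_in": "4.2.0", "severity": "high",     "published": "2024-03-01"},
    {"product": "widget-office", "fixed_in": "3.0.0", "severity": "critical", "published": "2024-04-10"},
    {"product": "fictdb",        "fixed_in": "15.6",  "severity": "medium",   "published": "2024-04-01"},
]
# Days allowed from advisory publication to deployed fix (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def unmanaged_hosts(discovered: List[str], inventory: Dict[str, dict]) -> List[str]:
    """Hosts seen on the network that have no inventory entry: the Shadow IT list."""
    return sorted(set(discovered) - set(inventory))


def overdue_patches(inventory: Dict[str, dict], advisories: List[dict],
                    today_iso: str) -> List[dict]:
    """For every inventoried asset running a version below an advisory's fix,
    compute the patch deadline from the advisory date and severity SLA.
    overdue_days > 0 means the deadline has passed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, asset in inventory.items():
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            if installed is None:
                continue  # product not on this host
            if parse_version(installed) >= parse_version(adv["fixed_in"]):
                continue  # already patched
            deadline = (date.fromisoformat(adv["published"])
                        + timedelta(days=SLA_DAYS[adv["severity"]]))
            findings.append({
                "host": host, "owner": asset["owner"], "product": adv["product"],
                "installed": installed, "fixed_in": adv["fixed_in"],
                "severity": adv["severity"], "deadline": deadline.isoformat(),
                "overdue_days": (today - deadline).days,
            })
    # Most overdue first, so the report leads with the worst SLA breaches.
    return sorted(findings, key=lambda f: -f["overdue_days"])


if __name__ == "__main__":
    print("Unmanaged hosts (Shadow IT):", unmanaged_hosts(DISCOVERED, INVENTORY))
    for f in overdue_patches(INVENTORY, ADVISORIES, "2024-04-21"):
        state = f"{f['overdue_days']} days OVERDUE" if f["overdue_days"] > 0 \
            else f"due {f['deadline']}"
        print(f"{f['host']} ({f['owner']}): {f['product']} {f['installed']} "
              f"< {f['fixed_in']} [{f['severity']}] - {state}")
```

The two outputs map directly onto the controls: the unmanaged-host list is what the inventory control should drive you to investigate (and the acceptable-use policy to act on), while the overdue list is the evidence an auditor will ask for under the technical vulnerability management control.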

In summary: The human factor is a ticking time bomb in cybersecurity. Employees are often unaware of the importance of cybersecurity, and they make avoidable mistakes like using weak passwords or falling for scams. Even when they know better, they can still slip up, click on that shady link or forget to update their software. And let's not forget about malicious insiders who have it out for their organization. Plus, you've got the issue of Shadow IT - employees using unauthorized devices and software that create a mess of security vulnerabilities.

So yeah, the human factor is a wild card that can't be ignored. It's not just about fancy firewalls and antivirus software - you need to train your people, set clear policies, and make security part of your culture if you want to avoid a catastrophic breach.

ISO 27001 gives your company a structured way to manage all of these risks, and it protects your employees too: most people want to do anything but harm the company or themselves, and clear policies, training and sensible controls make doing the right thing the easy option.

Book a consultation with us to learn about all the benefits of ISO 27001 certification, which go far beyond the topic of this blog!


Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet!

ISO 27001
