So what kind of shape are Austria's companies in when it comes to information and data security? Do Austrian companies sufficiently protect their ideas and know-how against outside attack? "Corporate groups and major companies in Austria are aware of the importance of this in general, and take corresponding measures," said Ingrid Schaumüller-Bichl, head of the IT Security working group of Österreichische Computer Gesellschaft OCG and professor at Hagenberg University of Applied Sciences, on Thursday during an OCG press meeting in Vienna.
Only major companies are certified
"Major companies in the IT and telecommunications, energy, financial services and insurance sectors and in public administration are already ISO 27001 certified. But small and medium-sized businesses still have some catching up to do, both in terms of building awareness of the issue and in terms of concrete implementation," Schaumüller-Bichl said.
The ISO 27001 standard was originally released in 2005, and a new version will be officially published on October 19, 2013. Certified companies generally have an effective risk management system in place and can deal with IT security risks such as data theft and cybercrime better than other companies, or can even preclude these risks to a large extent. How much better is hard to quantify: "You of course cannot capture this in numbers," Schaumüller-Bichl said.
“It’s about customer trust”
"But Austria is not doing all that badly in international comparison. Companies were generally more skeptical in the past, but awareness is increasing, and certification is becoming more common," the professor told futurezone. For Schaumüller-Bichl, ISO 27001 certification is "more than just a piece of paper." The international standard requires an organization to identify and assess its risks and to define in advance what is to be done when an incident occurs. "You know the risks, assess them, and know what you need to do in the end." The bottom line is the trust that a customer places in a company. Awareness has also risen in all industries since the NSA spying scandal.
But Austria has some catching up to do compared with Japan. There, the number of ISO 27001 certified companies is substantially higher: more than 4,000, compared with about 45 in Austria. IT expert Edward Humphrey has an explanation for this: "The Japanese have a different attitude. There, a company's CEO is involved in the security audits. They take the issue very seriously. A CEO participates in an audit very, very rarely in Europe. In fact, it is very difficult to even get a meeting about security with a CEO in the first place."
Mobile risks are often underestimated
According to Humphrey, companies are especially prone to underestimating the risks from mobile devices. "The 'smartness' that is integrated into mobile devices causes many problems. Problems that companies first have to learn to understand." The potential for fraud here is considerable.
An effective information security management system (ISMS) is needed to ensure information security in a company. ISO 27001 is the internationally recognized standard against which such an ISMS is assessed; certification attests that the ISMS meets the standard's requirements. "A company that is proactive in ensuring the security of its information and data has a clear advantage on the market. A certified organization can prove to customers and the general public that it has implemented an effective information security policy," stressed Schaumüller-Bichl.
Österreichische Computer Gesellschaft OCG began offering ISO 27001 certification in 2013.