Certification of companies reduces exposure to cyberattacks


Today in Italy there are just under 3,500 companies that can exhibit the ISO/IEC 27001 certification for information security, a very small number overall but still up by 21% compared to the previous twelve months. These “green passes” relating to data are issued by 20 accredited bodies, while there are five test laboratories responsible for carrying out “vulnerability assessment” activities and around 700 professionals currently certified as Personal Data Protection Officers.

Accredia, the single national accreditation body designated by the Italian government (active since 2002 with the task of certifying the competence of laboratories and bodies that verify the compliance of products, services and professionals with the reference standards), has made public an Observatory created together with the Cybersecurity National Lab of Cini, the Interuniversity Consortium for Information Technology, to verify the contribution and benefits that certification brings to the quality of defense systems against the action of cybercriminals.

To do this, two samples of public and private companies were examined and their respective websites were analysed, verifying the number of known vulnerabilities, the correct use of the HTTPS protocol and the level of updating and security of the content management platform.

The fact that immediately catches the eye is that organizations (companies and institutions) certified for information security management systems are 23% less exposed to cyber attacks than those certified only for ISO 9001 quality: of the 1,207 Web service vulnerabilities found, 524 belonged to the first cluster and 683 to the second.

The certification also has the advantage of producing lasting benefits in the company that are not limited to better management of IT risk. From the qualitative analysis that involved some large Italian companies, including Poste and the Iccrea Group, it emerged that the effort to adapt the organization to certification has produced, in the medium and long term, a profound improvement in company processes (homogenization, monitoring, performance evaluation, auditing and more) while stimulating the growth of a safety culture.
