Foxconn Technology Group, the global leader in contract manufacturing, recently suffered a cyberattack by the ransomware group "Nitrogen Ransomware" at some of its manufacturing sites in North America. According to foreign media reports, the group claims to have obtained a large volume of internal confidential data.
Whatever the final content and scope of the leak turn out to be, this major incident is a wake-up call for the whole industry: information security is no longer a problem only large corporations have to face.
Many small and medium-sized enterprises (SMEs) neglect security, believing that being small and inconspicuous makes them unlikely targets. In today's tightly connected supply chains, however, a company with no basic defences will find that a compromised account, an infiltrated server or files encrypted by ransomware paralyses far more than a few computers: order fulfilment, production lead times, customer trust and the operational lifeline of the entire enterprise are all affected.
How can SMEs protect themselves? A look at 5 core controls from ISO/IEC 27001:2022
Faced with increasingly severe cyber threats, where should an SME start? Taking the Annex A controls of the new ISO/IEC 27001:2022 Information Security Management System as a reference, we recommend that every company at least conduct a thorough review of the following five core controls:
1. Prevent leakage of core assets: Data leakage prevention (A.8.12)
A company's lifeblood is its data. You must ensure that customer data, product design drawings, BOMs, quotations, contracts, and test data are not easily downloaded in bulk, sent externally, uploaded to private cloud storage, or copied out via USB.
- Practical advice: Companies can assess the implementation of a DLP (Data Loss Prevention) system, establish strict access controls and a classification system for confidential documents, and set up approval mechanisms and abnormal mass access alerts for external transmissions.
2. Identify and address potential threats: Logging and monitoring activities (A.8.15 & A.8.16)
Most intrusions do not cause visible damage the moment the attacker gets in. The attacker typically lies dormant inside the corporate network, scanning and moving laterally, often for weeks. Without log records it is very difficult to trace an incident back to its origin or to know how far it spread.
- Practical advice: Companies should properly retain the system logs of their VPN, AD servers, firewalls, EDR and cloud platforms, ideally forwarded to a central log store that the attacker cannot erase, since deleting local logs is a routine step for intruders. At the same time, alerts should be set up for critical conditions such as logins outside business hours, unusually large downloads in a short period, or suspicious outbound connection requests.
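As an added example (not from the original article), the following Python script implements two of the alert conditions listed above, off-hours logins and bulk downloads within a short window, and runs them over a few constructed log lines. The log format (ISO timestamp, user, event name, byte count), the business-hours window and the bulk-download threshold are all assumptions chosen for the demonstration; a real deployment would read the VPN or file-server log format it actually has and tune the thresholds to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <event> <bytes>".
SAMPLE_LOG = """\
2024-05-06T09:12:03 alice vpn_login 0
2024-05-06T09:30:45 alice file_download 2097152
2024-05-06T02:14:09 bob vpn_login 0
2024-05-06T02:15:30 bob file_download 314572800
2024-05-06T02:16:02 bob file_download 419430400
2024-05-06T02:17:44 bob file_download 524288000
2024-05-06T14:05:10 carol file_download 1048576
"""

BUSINESS_HOURS = (8, 19)            # assumed: 08:00 to 19:00 local time
BULK_WINDOW = timedelta(minutes=10)  # assumed: look at downloads in a 10-minute window
BULK_THRESHOLD = 1_000_000_000       # assumed: more than 1 GB in that window is suspicious


def parse(log_text):
    """Parse the assumed log format into (timestamp, user, event, bytes) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, size = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(size)))
    return sorted(events)


def off_hours_logins(events):
    """Return (timestamp, user) for every login outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [(ts, user) for ts, user, event, _ in events
            if event == "vpn_login" and not (start <= ts.hour < end)]


def bulk_downloads(events):
    """Sliding window per user: alert once the bytes downloaded within BULK_WINDOW exceed the threshold."""
    per_user = defaultdict(list)
    for ts, user, event, size in events:
        if event == "file_download":
            per_user[user].append((ts, size))
    alerts = []
    for user, downloads in per_user.items():
        window, total = [], 0
        for ts, size in downloads:
            window.append((ts, size))
            total += size
            # Drop downloads that fell out of the window.
            while window and ts - window[0][0] > BULK_WINDOW:
                total -= window.pop(0)[1]
            if total > BULK_THRESHOLD:
                alerts.append((user, ts, total))
                break  # one alert per user per run is enough
    return alerts


def run(log_text=SAMPLE_LOG):
    """Run both detections and return the alerts keyed by type."""
    events = parse(log_text)
    return {"off_hours_logins": off_hours_logins(events),
            "bulk_downloads": bulk_downloads(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

On the constructed data, bob's 02:14 login is flagged as off-hours, and his three downloads within four minutes add up to 1,258,291,200 bytes and trigger the bulk-download alert; alice and carol generate nothing. The value of a script like this is less the thresholds than the habit of checking the same conditions every day against logs the attacker could not delete.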
3. Ransomware's last line of defence: Information backup (A.8.13)
The most damaging ransomware attacks encrypt the company's live production data and its backup files at the same time. A backup strategy therefore cannot stop at "we have backups".
- Practical advice: Confirm that the backup mechanism includes copies that are stored offline and copies that are immutable (cannot be modified or deleted from the production network, even with administrator credentials). More importantly, run restore tests regularly, verify that the restored data is complete and intact, and assess clearly how long the enterprise needs to resume operations after a major incident (RTO) and how much data it can afford to lose (RPO).
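As an added example (not from the original article), the Python script below runs a small restore drill end to end on constructed data: it backs up a directory together with a SHA-256 manifest, simulates ransomware overwriting the live copy, restores from the archive, verifies every restored file against the manifest, and times the restore as a rough input to the RTO assessment. It also shows that the verification step catches a tampered restore. File names and contents are constructed; the read-only permission bit is only a stand-in for real immutability, which must be enforced by the backup storage itself.

```python
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(live_dir, backup_dir):
    """Archive live_dir and store a per-file SHA-256 manifest beside the archive."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {str(p.relative_to(live_dir)): sha256_file(p)
                for p in sorted(live_dir.rglob("*")) if p.is_file()}
    archive = backup_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(live_dir, arcname=".")
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Read-only bits are only a stand-in for immutability. Real immutability must be
    # enforced by the backup storage (object lock / WORM / offline media), not by a
    # permission bit that an attacker holding admin rights can simply flip back.
    for p in (archive, manifest_path):
        os.chmod(p, 0o444)
    return archive


def simulate_ransomware(live_dir):
    """Overwrite every live file with junk, as an encrypting ransomware would."""
    for p in live_dir.rglob("*"):
        if p.is_file():
            p.write_bytes(b"ENCRYPTED:" + os.urandom(16))


def restore(backup_dir, restore_dir):
    """Extract the archive into restore_dir and return the wall-clock seconds it took."""
    t0 = time.monotonic()
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_dir / "backup.tar.gz", "r:gz") as tar:
        tar.extractall(restore_dir)
    return time.monotonic() - t0


def verify(backup_dir, restore_dir):
    """Compare every restored file against the manifest; return the paths that do not match."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    mismatches = []
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file() or sha256_file(target) != digest:
            mismatches.append(rel)
    return mismatches


def run_restore_test():
    """Run the whole drill on constructed data and report the outcome."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        live, backup, restored = root / "live", root / "backup", root / "restored"
        (live / "drawings").mkdir(parents=True)
        (live / "drawings" / "part-001.dxf").write_bytes(b"constructed drawing\n" * 200)
        (live / "bom.csv").write_text("part,qty\nA1,4\nB2,10\n")

        make_backup(live, backup)
        simulate_ransomware(live)            # the live copy is now worthless
        seconds = restore(backup, restored)
        mismatches = verify(backup, restored)

        # Second scenario: a restored file is tampered with; verification must notice.
        (restored / "bom.csv").write_text("part,qty\nA1,0\n")
        tamper_detected = verify(backup, restored)
        return {"ok": not mismatches, "mismatches": mismatches,
                "seconds": seconds, "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_restore_test())
```

The first verification returns no mismatches and the measured restore time; the second, after bom.csv has been altered, reports exactly that file. In production the manifest should be kept with the immutable copy and the drill should be run on a schedule, restoring to a clean host rather than over the live system.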
4. Build internal barriers to contain spread: Segregation of networks (A.8.22)
Putting every device on the same network is a very dangerous practice. Office administrative computers, production-line machinery, core servers, R&D databases and financial systems should not share one network segment.
- Practical advice: Implement appropriate network segmentation, with firewall rules between segments that permit only the traffic each segment actually needs. Then, even if one office computer is infected, the damage stays contained within that segment, greatly reducing the risk of the incident spreading across the company or bringing production lines to a halt.
5. Crisis management: Information security incident planning, assessment and response (A.5.24–A.5.26)
When a cybersecurity incident actually happens, the worst thing a company can suffer is a lack of leadership. Who makes the initial notification? Who has the authority to order systems isolated? Who makes the decisions? Who communicates with affected customers and suppliers? Who leads the subsequent system recovery?
- Practical advice: These response procedures and role assignments must be defined in advance, and tabletop exercises or live drills must be held regularly to make sure the team can actually respond under pressure.
The Bright Proof Management Consultants view: making cybersecurity a competitive advantage for enterprises
ISO 27001 shouldn't just be a certificate on the wall, but a long-term system that helps enterprises transform "cybersecurity risks" into something "manageable, trackable, and improvable".
For most SMEs, resources may be limited, but what's truly crucial is to first establish a basic defence, achieving:
✔️ Access follows least privilege.
✔️ Sensitive documents are not left lying around.
✔️ Activity is logged and the records can be reviewed.
✔️ Someone is watching for anomalies and alerts.
✔️ Backups can actually be restored.
When your business can demonstrate robust data protection capabilities to clients, information security is no longer just an IT cost, but your best competitive advantage for securing orders from major international firms and winning customer trust.
Is your business ready for the cybersecurity challenges ahead? You are welcome to contact 【Bright Proof Management Consultants】. Our professional team will carry out an enterprise cybersecurity health check and tailor a practical, feasible information security management framework that complies with ISO 27001.