So we’re all aware by now that big multinational organisations have to worry about IT security, but what about the rest of us with no real secrets to protect? What risks do we have to worry about?
We are all at risk of security breaches. In fact, a major breach could be even more devastating for a small organisation than for a large corporation: if your customers lose confidence in you, that could put you completely out of business. Some of the common risks that you need to think about are:
- Ransomware. If your systems are infected by ransomware you could lose all of your data. How would you recover from this?
- Hackers. If a hacker breaches your systems and uses them to attack one of your large customers you could be held responsible for their losses. Can you afford the potential legal battle this might lead to?
- Data leaks. If you accidentally leak a large number of customers’ credit card details you could be shamed in the press, and it’s likely that many of your customers will take their business elsewhere. How would you deal with this situation?
Can’t we just leave the risks to the security people to deal with?
You certainly need to employ some people with security expertise to help, but you are the one with responsibility for the business. You need to decide what you are trying to protect, what level of risk you are prepared to live with, and how the balance should be set between taking risks and going for business opportunities. If you leave all of these decisions to people whose only focus is security then they could make decisions that do your business more harm than good. Even worse they could design and implement controls that are so out of line with how you run your business that everybody ignores them – resulting in all the expense of security with none of the benefits.
Are there really lots of security risks associated with the cloud? Would we all be better off running everything on our own servers?
You need to consider the risks and benefits of cloud services in exactly the same way as you consider other risks and benefits. Nothing is ever completely safe; it’s a matter of understanding what the risks are and deciding whether they are worth accepting. Using cloud services isn’t risk free, but running your own servers isn’t risk free either, and a cloud service provider might have much better technical security controls than you could implement yourself. If you are thinking of using a cloud service you need to make sure you understand who is responsible for protecting your data and what risks you are running, and then make a balanced decision.
So we’ve installed our firewalls, and we’ve got anti-virus software on all the PCs. Surely we’re protected now? Or are there other tools we need as well?
Security is about much more than implementing technical controls. You do need the sort of controls you’re describing here; anybody who doesn’t use these will almost certainly have regular security breaches, but you also need to think about your people and your processes. What people and process controls do you need to complement your technology controls?
For example, do your staff all understand the risk of phishing attacks and how to protect themselves? Do people make sure that all sensitive data is encrypted whenever it’s copied to portable devices? There’s no point in having lots of great security technology if you don’t use it properly. Every time there is a report of a major security breach, the underlying cause includes somebody doing the wrong thing, either through ignorance or because it made their life easier. You need to ensure that your people are part of your security solution, not part of the problem.
What about phones, tablets and the Internet of Things? Are there any special security issues connected with them?
The constant connectivity that we get from our phones and tablets is fantastic for business productivity. My people really need this to get their work done, and I certainly don’t want to limit them. They do, however, introduce some extra security concerns, and you need to manage these. The solution to this is, like most areas of security, a balance of people, process and technology controls. The technology includes things like data encryption, to ensure that lost devices don’t cause leaked data; VPN connectivity to protect against eavesdropping in hotels and coffee bars; and mobile device management, to help ensure that patches are installed and everything is configured correctly – and to enable you to remotely wipe sensitive data and disable a device if, as will inevitably happen at some point, one gets lost or stolen.
Even more important are the people controls – your staff need to understand the things they must do to support information security. For example, they should know what data can be stored on portable devices, and what should only be kept on secure servers in the office. They need to be able to recognise risky apps that could compromise their security and take care never to install them, and they need to be careful about any links they follow from emails and social media. You need documented company policies to cover all of these requirements and, just as important, you have to make sure that everyone understands the policies, and understands the importance of following them.
But what if the worst happens? You think you’ve got everything protected and then there’s a security incident. Now what?
You do need to plan your response to security incidents. It’s almost impossible to get things right if you haven’t planned and practised what you need to do. If you detect security incidents quickly and respond effectively, then you can often contain the damage, turning a potential disaster into an inconvenience. These are the things you need to think about:
- How do you detect security events and how are they then reported?
- Who makes the initial response and what will they do? For example, is it more important to preserve evidence or to recover the business?
- What triggers a need to escalate? If you do need to escalate who takes the next steps and what are they? What documentation should be created about the incident and the response to it?
- Who owns the security incident once it has been escalated? Often this will be an emergency response team including senior management and communications experts as well as technology experts. How will they balance conflicting needs to communicate, to preserve confidentiality, to restore service, to preserve evidence etc.? What skills, knowledge and tools do they need? You may want to create standard communication templates to help you get your messaging right, but you will need to modify these during any specific incident to cover the exact situation you find yourself in.
- After you have resolved an incident, what else needs to be done? At a minimum you need to document any vulnerabilities that allowed the incident to occur and make sure that you eliminate them across all services, not just the one that was affected this time. You also need to hold a final incident review. This should include reflecting on what was well managed and on anything that could have been managed more effectively, so that you can keep improving your security incident management process itself.
You need to rehearse your incident management plan in a variety of scenarios. It’s much better to detect that it doesn’t work properly when the impact is negligible than to wait for a real incident.
Security incident management seems very complex. Wouldn’t it be better to have such good protection that there are never any incidents at all?
However careful you are, and however many security controls you implement, you can’t completely prevent every possible security incident. You could reach a point where you have so many controls that you just can’t do business any more, and this still wouldn’t be enough to defend against all possible attacks. You need to get the balance right between controls that prevent incidents, and controls that allow you to detect incidents and respond to them.
There have been cases where security breaches haven’t been detected for many months, allowing the attackers to keep extracting data – so make sure that you can detect unusual activity that may be an indication of a security breach, and that you always investigate this to detect incidents quickly. A breach that only lasts a few minutes will have a much smaller impact than one that goes on for months or years.
Is there anything else we should be doing?
The most important thing to remember about information security is that EVERYONE is involved. You need to make sure that all of your people understand the risks, and that they all take an active part in protecting your information and your organisation. Train people to think about security and keep issuing reminders in ways that make them stop and think. Carry out regular audits to ensure that the controls you think you have in place are actually working. And never stop trying to improve.
Sarah Lahav is the CEO of software and services company, SysAid Technologies