Five ways to be more secure in your IT systems
Companies have always been wary of hackers – security has long been a high priority for CIOs – but recent major cyber attacks, such as WannaCrypt and Petya, have demonstrated how vulnerable some systems are. The release into the wild of zero-day exploits has led to a nuclear war when it comes to cyber crime – the stakes are so much higher now.
How can a company best protect itself? There’s no absolutely foolproof system. Any computer infrastructure connected to the outside world is going to have some vulnerabilities, but here are five ways to make it more secure. The good news, as you will see, is that we do not need to invent anything new to reduce risk effectively:
1) Keep patching up to date
There’s been a reluctance by organisations to keep systems up to date. In some ways, it’s easy to understand why this is: patching several hundred PCs is going to take some time and is going to cause significant disruption to business. There’s a real downside to this attitude though; by delaying patching businesses are knowingly putting themselves at risk.
This was particularly true of the WannaCrypt attack: it was revealed that several of the NHS servers that were hit were still using Windows XP—an operating system that has been out of support since 2014. Moreover, although patches were available for these systems, they had not been applied, so NHS staff felt the full effects of the virus. Every organization needs the machinery to patch and to keep systems current and, as we will discuss below, the willpower to expend the resources to ensure that those processes are working properly.
2) Focus on the weakest link in your system
Cyber criminals will go for the weakest part of a corporate infrastructure – the users. And today’s cyber criminals have become exceptionally good at tricking even the best-trained users. By using targeted techniques to coax users into giving up passwords and other information used to log into systems, attackers can bypass an organization’s security controls by masquerading as the user. And while IT staff are often savvy about security, too few businesses have established different levels of security so that parts of corporate networks are closed to some users.
Businesses need to focus on three key areas:
A) much better education for all employees – the use of better passwords, no Post-It notes on PCs, no random USB drives that are free to be inserted into corporate computers
B) the use of two-factor authentication, which requires biometrics or a token to reach sensitive information and systems (something more than just a password) and,
C) tighter control of corporate networks, which give extra security for those sensitive areas that need it and don’t allow access to everything for everyone.
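Point B) asks for a second factor beyond the password. The following is an added example, not code from the original article, showing how a token-based second factor is typically checked on the server side. It assumes the token is a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226); the function names `hotp`, `totp` and `verify_totp` are this example’s own, and the shared secret used in the comments is the published RFC test secret, not a real credential. The verifier accepts a small clock-skew window, compares codes in constant time, and refuses to accept a time step that has already been used, so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: int = None, algo=hashlib.sha1):
    """Server-side check of a submitted code.

    Returns (accepted, counter). `window` is the number of time steps of clock
    skew tolerated on either side of "now". `last_used_counter` is the time step
    of the last code this user successfully logged in with; any code for that
    step or an earlier one is rejected, which blocks replay of a captured code.
    """
    if at_time is None:
        at_time = time.time()
    now_counter = int(at_time) // step
    accepted = None
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # already consumed: a replayed code must not succeed
        expected = hotp(secret, counter, digits, algo)
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(expected, submitted) and accepted is None:
            accepted = counter
    return accepted is not None, accepted


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret (ASCII digits 1..0 twice).
    secret = b"12345678901234567890"
    code = totp(secret, 59)             # time step 1
    print("code at t=59:", code)        # 287082 per the RFC test vectors
    print(verify_totp(secret, code, at_time=59))                       # (True, 1)
    print(verify_totp(secret, code, at_time=95))                       # (True, 1): t=95 is step 3, step 1 is outside the +/-1 window -> (False, None)
    print(verify_totp(secret, code, at_time=59, last_used_counter=1))  # (False, None): replay
```

The replay guard is the part most often missing from home-grown implementations: after a successful login the server must persist the accepted counter per user and pass it back as `last_used_counter` next time. The password check itself is deliberately outside this function; the second factor is only meaningful when it is evaluated in addition to, not instead of, the first.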
3) Get the Board and senior management focused on security
In the past, computer security has been left to the professionals: the IT and security professionals that is. This is no longer good enough for companies; to be secure, there needs to be buy-in from the executives, from the CEO downwards.
There’s a growing recognition from C-level executives that they have to take security seriously. This is partly because of existing and forthcoming legislation, but mainly because managers are now more fully aware of the implications of a security breach.
When Yahoo revealed that it had suffered a breach that affected one billion accounts, it felt the effects in the most eye-opening way possible: when its acquisition price fell by $375 million. That’s a stark illustration of the cost of reputational damage of a security breach. When executives are hit in the bottom line to that extent, it affects share price— and that affects bonuses and stock options. It concentrates minds wonderfully.
It’s therefore important that the CEO, CIO and CISO are at one on this. That means talking the same language: the CEO should have a thorough understanding of any possible security threats (and ensure that technical staff are given the right support), but CIOs and CISOs should also be knowledgeable about business risk. Companies where business executives are cross-trained and work together with IT executives, and vice versa, are likely to have more intelligent conversations around risk. And that leads to better processes and better protection.
4) Security is about processes and not about tools
There’s been a long-held assumption that better security is a case of buying bigger and better kit: you get what you pay for, right? Well, it’s not. The most expensive, top-of-the-range intrusion prevention systems mean nothing if the company hasn’t got a thorough, all-encompassing security policy in place with the processes to back it up. This means the management taking security policies completely on board; making sure systems are patched and that there are sensible data classification and protection policies. Most of all, staff need to be fully aware of their responsibilities and have a heightened sense of what’s secure and what’s not.
Coming back to the executives, there needs to be the willpower to prioritise projects that improve the underlying IT systems alongside other business-level initiatives—growing the digital business of today on a shaky technical foundation eventually catches up with you.
For businesses who deal with European customers, the forthcoming General Data Protection Regulation (GDPR) will concentrate minds as it sets out a whole range of responsibilities for organisations dealing with customer data – on pain of severe penalties.
5) Don’t assume that someone else will help
All the previous points underline one thing: a company is responsible for its own security. Don’t rely on the police, the government cyber security units, regulators, or any other outside agency to do your job for you. Many cybersecurity and law enforcement agencies are severely over-stretched and are unlikely to be impressed by companies who obtain the benefits of technology, fail to put in place any serious cyber protection, and are quick to report a breach.
Companies that are alert to cyber threats, however, and have established a strong, security-minded corporate culture with the action to back it up should be more confident that they can negotiate the current level of threats – making sure their executives can breathe more easily.