IT Security in 2017 and beyond…
Following on from our blog in early November titled “Security In A Cloudy World”, Shaun McKay attended the annual Ingram Micro ONE conference in the USA. While he was there, one thing that really stuck with him was that security is even more important than we previously thought. Here are his thoughts on the issue.
Not that security hasn’t been a high priority in the past. But listening to some of the most respected security experts about how sophisticated security attacks have become and how much more difficult it is to prevent them, made me realise just how high everybody needs to rate security as a priority.
To put this into perspective, General Michael Hayden (ex- Director of the NSA and CIA) went so far as to highlight that the USA viewed its three biggest threats as:
- Transnational crime
And, worryingly, we were told that there was uncertainty about how to govern and protect against cybercrime.
Perhaps a couple of the comments I took away will help highlight the reason I believe security will be at the forefront of IT focus and activity from 2017 for the foreseeable future:
Cybercrime won’t go away and it can’t be totally prevented
We can only aim to make it as difficult as possible for attackers to succeed
These were two early comments by Fortinet – a forerunner in the IT security devices and solutions space.
Then there were the frank statements by General Michael Hayden:
“Everybody gets breached – get over it! It’s all about recovery and resilience – not just defence.”
Well, that’s kind of scary – even for those of us in the IT industry. But it does make sense, as securing against cybercrime is a reactive effort. You see, the attackers have the advantage: they only need to find weaknesses in networks, software and the human element. Whilst manufacturers and software developers do all they can to create secure systems, it is inevitable that there will be weaknesses and ways to exploit them.
So, as proactive as one can be from a security point of view, there will always be an element of reactive activity. Security breaches occur and are later analysed, resulting in patches, anti-virus signatures and so on being updated to prevent future attacks.
So does this mean we are powerless?
Absolutely not! There is a lot any business can do to protect itself as much as possible by planning and covering the key areas highlighted below. This also doesn’t have to be prohibitively expensive – every business has a different risk profile, and a plan can be created, and security addressed accordingly, to fit a sensible budget.
Key aspects of your security plan
To create a plan that is right for you, the key aspects below should be considered, evaluated and the plan built around these:
- Make sure security is prioritised as very important to the business
Most businesses these days are reliant on IT to some extent and, even more importantly, are required to take certain steps to adhere to compliance regulations (such as Data Protection, PCI-DSS, HIPAA, FCA, etc.). IT security should therefore be treated as integral to the business, with an associated budget as well as representation at senior level.
- Identify what information must be protected
Make sure you know where and how critical data is created, where it is stored and how it is updated. Critical data can include accounting data, customer data as well as HR records.
- Carry out a security audit
This task should be carried out by a security professional, who can be either an in-house employee or – most commonly these days – an outsourced specialist. The audit will help identify vulnerabilities in your business systems as well as what data needs to be protected. The process should also reveal weaknesses at different points in your IT infrastructure (your network, server infrastructure, desktops & laptops, mobile devices, tablets, etc.) so that you can create an Action Plan to prioritise remediation and improve security.
An audit shouldn’t be a one-time exercise – cybercriminals are constantly working out new ways to penetrate IT networks and security systems. Security should be maintained constantly and effective audits carried out periodically to suit your needs.
- Ensure you include the human factor
This is the most common area for security breaches. Whether through ignorance, mistakes or malicious conduct, people are the weakest link in a business’s IT security. Ensure that you have effective policies and processes for onboarding new staff, continually remind users to be vigilant, and give clear instructions as to what behaviour is and isn’t acceptable in terms of the use of company IT equipment and networks. Perhaps most important is how staff should react, who they should contact and what steps to take if they suspect they have triggered or uncovered a security breach.
- Create a security plan
This should include elements of the above assessments, decisions and policies as well as Backup & Disaster Recovery and Business Continuity solutions. You see, there is always the risk that your network and data may become compromised, and your DR plan may be the quickest route to solving the challenges that result. Understanding your options for DR and Continuity, and making conscious decisions with an understanding of the risks, Recovery Time Objective (RTO) and Recovery Point Objective (RPO), are essential to developing your response plan for any such incident.
- Review and test your plan
Your plan should never be a static one and should be tested and reviewed periodically to ensure it remains effective. This plan must be a “live” document that is flexible and evolves over time.
This may sound like a lot of effort – and how much effort it takes will depend on your business, compliance requirements and risk appetite – but it doesn’t necessarily need to be. One thing is clear though: if your business is in any way reliant on IT, this is something that shouldn’t be avoided.
I hope this was worth the read and added a little value for you! If you have any queries or concerns, or just want a little more information, please don’t hesitate to contact our experienced team or call 08456 44 79 49.