IT Security is constantly on people’s minds. The media regularly publish lurid reports of the theft of financial information, hacking exploits and most recently of the manipulation of social media to influence the US Presidential election and the UK’s Brexit referendum.
As a result, the public are less sure of their online security, and if truth be told, of the accuracy of what they are reading. As an example, customers are wary of providing financial information while making online purchases on websites. However, they still seem to fall for phishing exploits by clicking on links in emails apparently coming from reputable institutions, friends or co-workers.
It’s not just industry and commerce. Ransomware attacks are increasingly spreading to personal computers and smart devices as hackers realise that people keep pictures and videos of all their treasured memories on them, and rarely back them up to the cloud or off-line storage.
IT Leaders constantly keep an eye on the latest threats and IT Security countermeasures. But there is still a niggling thought at the backs of their minds as to the financial and business benefit to be gained by constantly increasing expenditure on IT Security.
A new industry exists to develop and maintain anti-malware and anti-attack systems. A new breed of IT specialist has grown up around IT security, particularly in the systems, network and desktop areas. IT consultants and ethical hackers now specialise in checking corporate environments for potential areas of weakness and recommending measures to plug them.
Where then should an organisation concentrate its investment in IT Security, and where do they find the best bangs for their bucks?
If we accept that the greatest threats are not from external attacks, which are by and large guarded against by systems, network and desktop security, but from errors and omissions by staff, whether deliberate or inadvertent, then a great investment in IT Security is in staff education.
Improving staff awareness of IT Security is an excellent first line of defence. The upside benefits are less non-productive downtime and decreased expenditure in recovering from the effects of malware exploits and potential loss of data. To be sure, there will still be successful malware attacks from time to time. Industry gurus say the only safe system is the one that hasn’t been hacked yet.
Staff need an appreciation of IT Security as part of their induction process, backed up with frequent reinforcement. They must understand that IT Security isn’t there just to annoy them, but to protect their employment by protecting the health of the organisation.
Investment is not just staff education. Policies and procedures need to be reviewed and if necessary changed.
Investing in password policies that force people to change them regularly, and to employ strong passwords, is a must. Regular visual checks to ensure that they are not written on Post-It notes stuck to computer monitors can also bring benefits.
In the IT technical sphere, default user accounts that come with systems software need to be removed. Access control lists need to be examined regularly to ensure that they contain only appropriate users and that those users have the correct access rights to systems and data.
Exit procedures need to include the removal of a departing user’s access to systems and data, particularly if they are being dismissed. This is particularly important for IT systems administration staff. Leavers need to be removed from document distribution and email mailing lists to prevent ex-employees continuing to receive possibly confidential company information.
Management of backup information needs also to be looked at. Computer backup tapes with confidential and sensitive company and government information have been found in landfills and in taxis.
It may be thought that the effects of a malware attack are confined to the organisation itself. However, this is not the case. The reputational damage to the organisation’s image can be much more severe and costly than the internal effects of the attack itself. Reports of a successful hacking attack will have an immediate effect on the organisation’s financial health as its income drops. In listed companies, the share price will fall, affecting the company’s ability to service shareholders and maintain its financial stability. In the ultimate catastrophe the business might fail.
It’s not just financial information. All organisations have confidential information that they don’t want leaked to a competitor or perhaps even to the public. Organisations with a research and development function are particularly fearful of confidential intellectual property information relating to their current research.
For example, media reports of the theft of customers’ financial information will make new and existing customers much less likely to buy from an organisation’s on-line store if they now perceive it as being risky.
That is why investing in IT Security is not a wasted or grudge investment, but one that is necessary to protect an organisation’s reputation and indeed, to secure its continuing existence as a going concern.