Peterson Energy Logistics Security Advisor Graeme Mutch highlights seven key elements a business must consider when starting to assess the security of its business systems.
The single most important thing to get right is for the business culture to have security as a priority. If only the ICT team believes in this, then the effort will fail.
Senior management must understand that information security is as important as physical security. For most companies, particularly office based businesses, their digital assets are worth far more than anything a criminal would steal from an office location.
You want to see evidence of this culture, to be able to scratch beneath the surface and find evidence that people are asking about security requirements and that security is a factor in decision making. Information security also needs appropriate budget and resource.

Understanding your estate
First order of business is to know what you are trying to protect. Which people, devices and assets are high-value? CEOs may seem an obvious target, and they are popular, but anyone with financial authority or access to personal data can be an equally attractive target for an attacker. And it goes without saying that your IT staff are prime targets because of the systems they manage.
The control people have is the next thing to consider: the more access you give someone, the more harm their account can do if it is compromised or if they make a mistake. Your default permissions should never be ‘full access’. That means a trade-off in convenience, but if a senior manager needs a report once a year, perhaps it is better to have someone send it to them rather than giving them access to the underlying data 365 days a year.
Ransomware attacks often vary in impact depending upon how the attacker gained access. Limiting user access to only what people need can greatly slow down attacks, often allowing them to be flagged early and reducing the harm done.

Controlling where your data is allowed to go
Which devices do your employees use, and are they company issued or personal? If they are personal, do you enforce any control at all? Uncontrolled devices could have anything installed on them. If you allow them to connect to your network or to access your data, you have very little control over where that data can end up.

Device management
What state are the devices you manage in? Is software kept up to date to patch security flaws? Are devices encrypted to protect against loss or theft? Many companies have security licensing already bought and paid for and simply aren’t using these features.

Vulnerability management
Most attacks exploit widely known flaws in common software for which a fix is already available but hasn’t been applied. Vulnerability management tools scan your devices and servers to quickly highlight such flaws, and the fix is often very quick and inexpensive to apply.

Timing
The later information security is brought into the fold, the more expensive it is to fix, both financially and in staff time. The sooner developers know of code flaws, the easier and cheaper they are to fix. Put simply: don’t build it, then secure it.

Mergers and acquisitions
M&A activity brings a number of risks, especially if you plan to integrate new companies into your network, directory or Office 365 estate.
Legacy problems tend to be difficult and expensive to fix, and trying to integrate neglected systems can lumber your existing network with outdated and attack-prone protocols that are difficult to disable.
Even if you don’t plan to merge the systems right away, you may be taking on undiscovered breaches. An example of this is Starwood Hotels, which was breached two years before Marriott acquired it, yet Marriott was still held accountable and fined by the ICO.

Graeme Mutch has over a decade of experience in IT operations, cloud and cyber security, and holds most major cyber security governance certifications, including CISSP, CISM, CCSP, CSSLP and CRISC, as well as many Microsoft Cloud certifications.