Does your company have a Plan B for its IT systems? How will you react to a successful hacker attack, stolen mobile devices, or a fire in your data centre? These questions can send most companies into a tailspin. In a global survey carried out by Kaspersky Lab, 60% of companies admitted that they either did not have an emergency strategy, or that theirs was incomplete. It’s time for Plan B, and I’ll explain how it’s done.
Reactive IT security is a bad idea. If you have corporate information stolen, or an employee loses their smartphone containing important information, you consider your response and any damage limitation options only after the fact. Good security is preventative. It is, therefore, essential to have an emergency plan in place to cover such eventualities.
Defining Your Requirements
Companies which don’t yet have an emergency strategy must first define their requirements. What needs to be protected? And — more importantly — against what? Companies with mobile employees who carry sensitive information on their laptops, for example, must have a plan in place in case those laptops are lost or stolen. Although companies with all their data centres located in Europe are not particularly at risk for natural disasters like earthquakes, their strategies should cover flood and fire. You should, therefore, start by making a list of all your IT assets, such as ERP and email systems. Assess their importance for the operation of your company, and then make a list of threats. The best way to do this is to formulate specific scenarios. Say, for example, that a power cut disables your mail server. It’s important to consider all the aspects of this – including the length of time you can function without each system. In other words, how long can your mail server be down, or your ERP system unavailable? For some companies, for example, it makes no difference if they can’t upload new website content for a day because their content management system is down. For an online news site, on the other hand, this is a major problem.
Once you’ve listed all your assets, identified the threats and formulated scenarios, it’s time to get down to the nitty-gritty and develop some solutions. Consider potential recovery measures, like using an uninterruptible power supply as a short-term solution during a power cut. These solutions should then be turned into a step-by-step concept. In detailing the processes, it’s also important to define roles for the people involved and determine how employees will be notified of an emergency.
Test the Scenarios
Any emergency plan should be tested regularly to see how well it will function in a genuine emergency. Don’t put too much pressure on yourself — no plan is perfect from the outset. Those responsible for the strategy will need to constantly revise it. Don’t be afraid to do this. No emergency plan is valid indefinitely. Instead, it must be regularly reviewed. How often this must be done is difficult to say: experts recommend looking over your emergency strategy once a quarter, but in practice annual or semi-annual reviews are the norm. Tip: If your IT strategy doesn’t change much, your emergency plan will not need revising as often.
Security Strategies Against State-of-the-art IT Attacks
Corporate IT is no longer a "set it and forget it" system. Instead, systems require maintenance and regular vulnerability testing if you don’t want to fall victim to an attack. And this doesn’t just apply to major players. On the contrary: in 2012, an average of 58 attacks per day (more than one-third of all attacks on companies) targeted firms with fewer than 250 employees.
Corporate IT is not a static entity. Instead, it is constantly changing and evolving. Unfortunately, however, attackers also move with the times and are always thinking up new forms of attack. But what, exactly, do we mean by ‘state-of-the-art IT attacks’? Kaspersky Lab has identified four trends: more targeted attacks on companies; cyber espionage and attacks against companies and countries; more hacktivism campaigns, and cyber attacks targeting cloud-based services.
Companies should take a state-of-the-art approach to protection against state-of-the-art attacks. This means using current-generation security software, which provides the best detection functions and works faster than its predecessors. Another advantage is that state-of-the-art protective software is designed to be expanded and customised without having to be reinstalled.
Keep Security in Mind
Most businesses cannot function without IT systems. This means that every business decision also affects IT, and IT security should always be taken into account when making such decisions. Companies must, however, view IT security as a priority. All good intentions are worthless if management insists on installing new servers quickly without considering the security aspects each time a new and urgent project comes along.
Use Caution with New Services
Fresh innovations and new services are, of course, part and parcel of IT. Whenever a strategic IT decision has to be made, however, companies should always analyse the security aspects and consider fallback strategies. Take, for example, cloud services: anyone implementing cloud services or shared storage for databases should have a plan of action in case their cloud services operator is affected by an IT attack.
Maintain an Overview
State-of-the-art management systems help companies to keep an eye on even the most complex of infrastructures. They model servers, workstations and even mobile devices in a single interface, providing administrators with an overview of all their IT devices. Some systems combine pure management with security functions — like, for example, malware protection or patch distribution – to provide an even greater advantage. The software should support administrators in these tasks by providing automated functions and templates. These allow recurring tasks to be completed with little effort, leaving time for other duties.
An important factor in preventing targeted attacks is ensuring that employees get rapid assistance with problems. Users who know that IT support won’t respond to enquiries for three days are unlikely to call for advice if they receive a suspicious email. In such cases, remote support would help to shorten long waits for assistance.
Corporate IT environments are constantly changing – even if it’s just a case of integrating an external employee into the network. In such cases, an automated process should check the security settings on the new laptop. Only if the defined requirements are fulfilled (if, for example, a current virus scanner and all Windows updates are installed) can the new device be activated on the company network.
Have an Emergency Plan Ready
Only those who are prepared can quickly take charge in a crisis. It is, therefore, important that IT departments hammer out emergency plans defining precisely what should happen if, for example, a file server becomes infected with a virus. Important: emergency plans must be revised at regular intervals.
Encryption Provides Added Security
Always keep in mind ways to add security to your company. In many companies, data encryption is an important topic. Even if an attacker should manage to siphon off data, he or she won’t be able to use it if it is encrypted.
Employees Crucial to Security
Even the most sophisticated security systems are, however, useless if employees are unaware of the need for security. Although threats like Flame are very sophisticated, many of today’s attackers don’t even attempt to penetrate vulnerabilities in security systems. While these are usually present, they do not tend to be easily exploited. Instead, attackers take a much simpler route: they send phishing emails to multiple employees, trusting that one of them will click on the link to an infected website. Companies should, therefore, regularly inform their employees about security topics and explain appropriate usage of social media sites like Facebook.
This article is from the CBROnline archive: some formatting and images may not be present.