Think server vulns are the IT department's problem? Think again
Don't get caught with your cyber pants down
Regardless of the type or size of business you're part of, the way we approach security has changed forever.
Gone are the days when a business could feel safe with its security design model. Attacks have become more sophisticated.
Your organization should no longer be thinking about “if” an attack will happen, but be planning for “when”.
The question, therefore, is how this changes the scope of your organizational security strategy.
You need to look at the policies, procedures and tools needed to ensure your response is rapid and correct, at the steps you can take now to start closing security gaps within your organization, and at why a breach of some kind is inevitable.
Only recently we’ve had two high-profile examples of security attacks – Sony and Anthem (the latter the second-largest health insurance provider in the US).
Sony suffered a series of attacks that saw the firm have to take core business systems offline to isolate itself from outside intrusion, although not before Sony suffered an embarrassing loss of data. Unreleased films and confidential emails were leaked to the web, and employee data stolen.
Anthem saw 88.8 million private medical records pilfered from its servers, and it has since emerged that the firm had turned down an offer from the US government to audit its computer security.
In both cases, the best response the firms could offer employees and customers as a follow-up was free identity protection services.
The message here is simple: security needs to be part of a combined business and public relations (PR) playbook. The security team within your IT department cannot stand alone, and the way information is shared with customers and employees can destroy an organization’s reputation if not done well.
Rethinking your approach and taking action can help significantly. Here are some strategic guidelines that can be used to protect your organization’s employees and customers.
- Keep up with regular patching and system maintenance: Symantec reckons we can eliminate 80 per cent of vulnerabilities just by patching servers and workstations routinely. That means updating every piece of software your organization uses for which the vendor has issued a patch, not just the operating system. The remaining 20 per cent are the ones the other measures in this list are there to address.
- Security checks with penetration testing twice a year: Routine checks that include penetration testing by third-party providers help you find security loopholes that need resolution. Even more importantly, do not just sit on this information. Remediate the issues found, and have the next test confirm that they stayed fixed.
- Retire the really old legacy systems: If your organization is running old equipment that is not being updated or maintained, it’s time to figure out how to get that replaced. Legacy systems typically are highly vulnerable to today’s sophisticated attacks.
- Have excellent backups, and backups of the backups: Modern-day attacks can even destroy your backups. A solid backup strategy, with at least one copy kept offline or otherwise out of reach of the systems being backed up, is what lets you restore your business after even the worst security violation. Cryptolocker, for example, is ransomware that encrypts every file it can reach from an infected machine, and organizations whose backups sat on reachable network shares have lost the backups along with the live data.
- Use more than one technology: A single vendor cannot cover everything, and relying on one represents a weak link in your security chain.
- PR and business planning: Develop a playbook with the appropriate legal and public relations folks so you have the correct response if, and when, something happens. Depending on your size, you'll have anything from one individual to a department and/or external resources you can draw on.
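The backups point above is the one most worth making concrete. What follows is an added example, not code from the article or from any product it mentions: a Python script that records a SHA-256 manifest of a backup tree and later checks the tree against it, reporting files that have gone missing or changed and, among the changed ones, files whose byte entropy suggests they were encrypted rather than legitimately updated. The directory layout, file names, sample contents and the 7.5 bits-per-byte threshold are assumptions made for the demonstration; the "attack" is simulated by overwriting one file with random bytes and deleting another.

```python
"""Backup integrity check that notices ransomware-style damage.

Added example (not from the original article). Records a SHA-256 manifest
of a backup directory, then verifies the directory against it. The
manifest must live somewhere the backup host cannot overwrite (write-once
media, an offline copy); otherwise the malware that encrypts the backups
can rewrite the manifest too. Entropy is a heuristic only: compressed or
already-encrypted archives are high-entropy by nature.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption for this demo


def sha256_file(path):
    """Stream the file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each relative path (forward slashes) under root to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=ENTROPY_THRESHOLD):
    """Compare root against manifest; return missing, modified and suspicious files.

    A modified file is 'suspicious' when its first 64 KiB look like
    ciphertext, i.e. byte entropy is above the threshold.
    """
    findings = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            findings["missing"].append(rel)
            continue
        if sha256_file(full) != expected:
            findings["modified"].append(rel)
            with open(full, "rb") as f:
                head = f.read(65536)
            if shannon_entropy(head) > entropy_threshold:
                findings["suspicious"].append(rel)
    return findings


def demo():
    """Constructed scenario: clean check, then a simulated ransomware run.

    Returns (findings_before_attack, findings_after_attack).
    """
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "db"))
        with open(os.path.join(backup, "db", "customers.sql"), "w") as f:
            f.write("INSERT INTO customers VALUES (1, 'alice');\n" * 200)
        with open(os.path.join(backup, "payroll.csv"), "w") as f:
            f.write("id,name,salary\n1,alice,50000\n" * 100)

        manifest = build_manifest(backup)  # store this copy offline in real use
        clean = verify_backup(backup, manifest)

        # Simulated attack: random bytes stand in for ciphertext, and one
        # file is deleted outright.
        with open(os.path.join(backup, "payroll.csv"), "wb") as f:
            f.write(os.urandom(20000))
        os.remove(os.path.join(backup, "db", "customers.sql"))

        attacked = verify_backup(backup, manifest)
    return clean, attacked


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)
    print("after attack: ", after)
```

Run it after every backup job: build the manifest at backup time, copy it somewhere the backup host cannot write, and have the verification run from a separate, trusted machine. Treat "suspicious" as a prompt to inspect and to fall back to the older, offline copy, not as proof on its own, and pair the check with periodic test restores, since a backup that verifies but will not restore is no backup at all.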
While this might seem like the stuff of the big boys, small and medium-sized companies can look after themselves, too. Here are some recommendations:
- Protect your PCs: Invest in one or two pieces of really good virus/malware protection software for your machines, keep it updated, and do regular system scans.
- If you're hosting, choose a reputable service provider: That means somebody who keeps their back-end systems updated and offers you the latest and greatest protection.
- Good backups of data: This is a simple step even a small business can take, and as above, keep one copy where an infected machine cannot reach it.
- PR and business planning: This may depend on your size. At least have a legal representative start this conversation and develop a response plan that you can offer customers. On the communications side, having a formal statement and response prepared in advance, ready to use the moment something happens, will help protect your reputation.
Now is the time to take a close look at your protection strategy and to ramp up. Falling short on your overall response, not just on the IT and cyber side, could risk the future success and reputation of your business.