Security is a serious business

Security is a serious business

It's hard to get the peace of mind that your business is secure. Today's threats are complex and ever changing. The media is often full of stories of companies of all sizes, including multi-national corporations failing to protect themselves adequately.
IT Security is something which should be taken seriously and embedded into an organisations’ processes.

International finance experts PWC undertake yearly research into how security incidents affect UK companies. Some of the key findings for 2015 were as followss:

• Incidents have doubled in the last year
• Insider incidents where staff are responsible are as likely as external threats
• Nearly 9 out of 10 large organisations have had to deal with an incident in the last year
• Many businesses incorrectly believe moving to the cloud solves their security issues
• Expenditure on security is decreasing but the cost of incidents is increasing
The fundamental principles of IT Security are:
• Confidentiality – Information can only be accessed by authorised persons and for authorised purposes. 
• Integrity – Changes to information are controlled and auditable
• Availability – Information is always available when needed

It’s clear to see that security is much more than just a password or installing a free anti-virus program.  Indeed, “information” isn’t really just the data – it’s the whole system and the processes around it that you are responsible for. As a business owner/manager you have a duty to your organisation to ensure these fundamental principles are met.

In the UK, Data Protection takes this further and adds that information regarding an individual must be used fairly and lawfully and must have its use restricted to defined, specifically stated purposes. Failure to do so can lead to large fines and/or a jail sentence!

Implementing a security policy is an in depth process which starts with a risk assessment of systems and processes in your organisation and documenting, understanding and protecting your information whilst enabling it to help you manage.
Consider some increasingly common examples of the risks:

• Malware encrypting or locking access to company data.  What if your accounts, data or entire customer database was inaccessible and you had to pay ransom to get it back or your year-end accounts miss HMRC filing deadline.
• Poor authentication and authorisation controls are common place in the SME market eg password sharing and poorly secured wifi, resulting in data loss and reputational damage
• What if a member of staff accidentally (or even deliberately) set out to delete key historical data over a period of time and at a later date this critical data is required by the business?  Can the business attribute this action to an individual and should it have been possible for this to have happened in the first place?
• Your computer systems or perhaps telephone system fail on the busiest day of the year meaning you cannot take customer orders.  What’s the true value of this?  Is it the lost orders today or is it more?  Will customers come back to you knowing you let them down?
• A member of staff is sacked and marched out the building.  Their password is disabled. That night they sit outside the office and connect to the wireless using the one password that everyone shares. They change or delete key data. How will you respond once the issue is discovered?
• Old outdated software such as Windows XP, Office 2003 and all versions of Small Business Server no longer receive security updates, leaving new security holes being found and exploited, with no protection by antivirus. Malware steals the company on-line banking details and account is emptied. Can the business survive?  Will insurance pay out?  Can you or the police prove what happened?

When thinking through some of these scenarios, the first thought is often to “batten down the hatches”.  A careful and considered approach is best.

What you should do:

• Balance protect with utility – don’t secure things so far that people can’t do their jobs
• Actually follow confidentiality as best practice – if a member of staff doesn’t need access to a set of information make it so that they simply don’t have access. Protect everyone and allow access on a needs basis.
• Parallel defences – “Think military”, well perhaps not quite. Have an independent process which is able to tell you whether your virus protection is working or not. Out of sight truly is out of mind.
• Plan for failure – systems, both physical ones and processes WILL. Plan for incidents with a high risk and a high impact.
• Audit and record – if systems fail and something bad has happened you at least need to know the why, when and who. Without this you’ve got no chance of pursuing action or of even learning from the mistakes.
• Test – there’s absolutely no point implementing systems if you don’t test them, so when did you last do a restore from your backup tapes?
  Where a Full Service IT Support Provider can help:
• Dedicated systems and processes allow us to implement the primary systems correctly but also run the parallel systems to check they are actually working.
• Carry out an Independent Business IT Audit to uncover all the potential information security risks within your organisation.
• Ability to run routine tests and “war game” scenarios to test that security is working.
• Helping clients achieve ISO 27001 or “Cyber Safe” (increasingly a ‘must have’ for Government agencies and other sectors).
• Bringing extra resources and skills eg in disaster recovery (DR) or project management.
• External independent staff to investigate any incidents and provide independent assurance to management and shareholders alike.
• Part or Full managed service.
• Implement regular and routine activities and provide simple, understandable management reports

Be safe!
Luke Bailey, Technical & Managing Director at Digital Evolutions