Cyber security for the non-technical - Business Works
BW brief

Cyber security for the non-technical

Carmen Carey, CEO, ControlCircle A n educated, security-aware workforce, combined with a solid, in-depth security system and well-defined security policies delivers the strongest defence against all types of threat. In this simple to understand article, Carmen Carey, CEO of ControlCircle, offers a ten-point plan that will give you a clear view of the risks to your business (whatever its size) and the ability to respond to and nullify those threats, both now and in the future.

Every day, thousands of cyber attacks are taking place on the Web - 69 attacks per second, to be precise. The majority of these go unnoticed or unreported, in many cases because thatís what they are designed to do - to stay under the radar and undiscovered. Malicious parties are choosing their targets, gathering information about them from a range of sources (such as LinkedIn, Twitter and corporate websites) and exploring vulnerabilities in 'spear phishing' attacks, under cover of innocent-looking communications.

So, as security threats change, how does a business ensure it can protect itself? One thing is clear: the security protection itself has to change. No organisation can afford to continue the security buying and deployment habits of the past decade, where different solutions are collected and bolted together in a piecemeal fashion.

This approach is costly and has become unmanageable - and if it isnít manageable, it isnít secure. The Ponemon Institute conducted a survey of over 2400 IT security administrators around the world. The majority said that managing complex security environments is the most significant challenge they face, with over 55% using solutions from over seven different vendors to secure their network. Organisations are struggling with minimizing the total cost of ownership (TCO) and maximizing performance.

Nearly 30% of respondents said that their primary concern with emerging technology adoption is compliance. With the proliferation of cloud computing, mobility, Web 2.0 and file sharing applications, organisations often struggle to apply the appropriate levels of security across all layers of the network, while also adhering to stringent compliance requirements. These new technologies also make security more complex and increase the risk of data loss by employees or other insiders.

So there are three key dimensions to security that need to be understood. To enforce better protection, organisations have to approach security with a holistic view of their environment, to understand where risks can reside. Then they need to define a clear policy that aligns with their business needs and industry regulations. Finally, they need to educate their people - their employees and partners - on their vital role in maintaining the organisationís security profile.

Here is my simple ten point strategy to help you assess your organisation's vulnerabilities and put together a strategy to manage your information in a way that can be scaled to suit future needs - regardless of the size of your organisation.

1. Policies Matter

The first stage in fully aligning security with your business needs is to evaluate your companyís IT security policies. When were those policies last looked at and updated to reflect new communications channels, such as the use of smart phones and other mobile devices for email and network access, or the use of social media applications?

Furthermore, when were the policies distributed to your employees? Have they even read them, let alone understood what they mean? Recent research suggests that security awareness is low amongst employees in UK companies: in the Ponemon Institute study, 53% of UK administrators believed that staff in their companies had low, or no awareness of security policies and compliance issues.

To make a security policy relevant, first it has to truly reflect what goes on in your business right now. Are staff using personal laptops, smart phones and storage devices for work? If you havenít audited usage of personal devices in your business yet, the answer is simple: yes, personal devices are being used and your corporate data is on those devices with or without your approval. Are staff using social media and Web 2.0 apps for work purposes? Yes, and for non-work purposes too.

An effective security policy starts with a complete, realistic audit on your organisationís networks and devices which takes into account the types of computing happen in your business; what data is being processed, by what devices, and where; the potential ramifications (both legal, regulatory and imagewise) if that data is lost, stolen or sent to the wrong person; and the avenues that potential hackers could use to breach your systems. This means having the ability to identify security needs and gaps in defences, in order to understand where risks may reside.

Once the policy is defined, it has to be understandable by employees at all levels, not just by staff who know their IPS from their IDS. This means the policy should be presented in simple business terms, not just technology terms. For example, it should contain simple instructions such as:

  • Laptops used for business purposes must have data encryption deployed on it, whether the laptop is company issue or personally owned;
  • Any data copied to removable devices must be strongly encrypted. You should only use your company-issued device for this;
  • Your use of social media applications within the office (LinkedIn, Twitter, YouTube etc) will be monitored and actions logged.

Most organisations today do not have policies that are easy to understand and they often neglect to inform their employees of these policies. As employees are a critical element in IT security, with increasing numbers of attacks aimed at 'hacking the person' Ė getting your employees to make a mistake Ė in order to access sensitive information, itís vital that your staff understand and buy into those policies. We will go into more detail on how to actively enforce policies at critical security decision points later.

2. Mind the (technology) gap

In step 1 above, we mentioned that communications channels and business tools continue to evolve, which means security threats are evolving along with them. To take just one example of a typical security breach, data loss, the survey found that just 25% of UK organisations had not suffered a data loss. Of those that had, 54% were caused by lost or stolen equipment; 25% by hacking attacks; 22% via a web application or file-sharing site and 6% by sending emails to the wrong recipient.

So, organisations are almost as likely to lose data via a Web 2.0 app as they are from an active, malicious hack on their network. Whatís more, simple unintentional actions such as mislaying a device or clicking 'Send' on an email too quickly are more likely to cause a breach.

data security

As such, the network audit we recommended in step 1 will highlight the way your business is using your IT resources, and the threats it faces from that usage. This in turn will highlight what additional protections may be needed to plug gaps that are not covered by your existing infrastructure Ė such as Data Leak Prevention (DLP) to monitor outgoing email traffic; User and Application Control solutions to give per user, policy-based management over the use of Web and social media applications; Intrusion Prevention to help mitigate the risk of hacking attacks and nullify Advanced Persistent Threats (APTs); Anti-Bot protections to stop network botnet infections that can cause an organisation to be spam blacklisted and consume bandwidth - and more.

3. Consolidate, donít compromise

As touched upon earlier, managing the complexity of security is a growing concern, frequently raised by organisations of all sizes. According to the Ponemon Institute, itís the biggest security challenge companies face currently. This is really no surprise: security environments today have become more complex than ever, as businesses constantly struggle to raise their level of security and cope with the latest security threats. As they add more layers to their security infrastructure and deploy a variety of point products for specific protections, organisations often end up managing 10 or more different systems, vendors and platforms.

Not only does this become very difficult to manage, but it is also inefficient and expensive, financially and operationally. This is compounded by the need to deploy technologies such as: IPS, Firewall, VPN, Anti-virus, Anti-Spam, Network Access Control (NAC) and more at both network level, and also on growing endpoint estates, such as smart phones and laptops.

More than ever, organisations need an approach that moves away from offering a plethora of different security products that addresses each problem individually. Instead, they need a flexible, extensible infrastructure that provides the security protections they need now, with the ability to grow with their evolving security needs.

4. Boundary Issues

Earlier, weíve touched on the growth of mobile computing and how it is already part of the daily work life in most companies. IT teams are struggling to keep up with all the devices their employees bring onto the corporate network As well as laptops, technologies that started in the consumer market have found their way into business environments. Consumer hardware, such s (iPhone, Blackberry or Android devices) and tablet computers have now found their place in business.

To keep ahead of the consumerisation trend, businesses must ensure that all corporate data and resources transiting on these mobile devices or services are protected, while guaranteeing their employees secure access to the network anytime, anywhere.

The starting point, as we mentioned in step 1, is auditing all the devices in use in an organisation and who amongst your employees are using them for network access, processing emails and so on.

Then, once you have established where exactly your organisationís boundaries are, you can apply protection: either by provisioning centrally-managed security for each device, or even by issuing employees and partners with personal virtualised workspace solutions.

5. Secure your data

Having established where your organisationís boundaries are, itís critical to secure your sensitive data wherever it resides. Although data can be regarded as being relatively secure on servers behind the corporate firewall, itís only a couple of clicks away from being sent out of the organisation by email, copied onto a USB memory stick, or replicated on a mobile device.

So you should deploy multiple layers of security to protect against these eventualities. A Data Leak Prevention (DLP) solution will help to mitigate the risk of inadvertent data losses by email. Endpoint data encryption solutions can automatically encrypt data being written to removable media, to ensure that data stays protected even if the device is lost or stolen.

Endpoint solutions can also protect laptops and s using full-disk encryption, ensuring that all data on the device is secured at all times. And as mentioned in step 4, some organisations are adopting personal virtualised workspace solutions, enabling employees to access their desktop securely from any machine and keeping sensitive data protected.

6. Educate and empower, trust and verify

In step 1, we mentioned that your employees are just as important to the security process as the IT solutions you deploy. Most organisations donít pay much attention to the involvement of users in the security process. In fact, the attitude often expressed is that IT security should protect users against their own mistakes. Indeed, unintentional actions by users frequently result in malware infections and accidental data losses.

However, involving employees in the security process can only enhance and strengthen protection. A workforce that is informed and educated on their organisationís security policies, as well as on their expected behaviour when accessing the corporate network and data, will play a key role in minimising risks.

The key is to make the security as seamless, transparent and unobtrusive as possible and to not inhibit usersí actions excessively or change the way they work - especially with the widespread use of social media and Web 2.0 applications for business.

The most effective way to achieve this is to make users aware of the potential security issues that are involved in a seemingly-innocuous action like sending an email, by holding up a mirror to their actions so they can be actively involved in the security process.

7. Avoiding cloud storms

data in the clouds

A large percentage of businesses, from enterprises to SMBs, are anticipating migration of at least some of their computing capability to the cloud. Simultaneously, the spectrum of cloud services is also expanding considerably, as more and more applications will be offered in the cloud throughout the coming years.

The cloud security challenges are clear: according to Morgan Stanleyís CIO Cloud survey, data security and the loss of control are the major concerns of companies Ė followed by data portability and ownership, regulatory compliance and reliability and availability.

Companies using in-the-cloud services donít always know who they are sharing their environment with and that raises serious concerns over vulnerabilities. Specialised protection is needed to secure dynamic, virtualised environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications, in much the same way that conventional networks and devices are secured.

8. Maintaining visibility

As threats continue to grow and security becomes more complex, managing that complexity has become a critical issue. In the Ponemon Institute study, 42% of UK IT managers said managing security complexity and enforcing policies was the biggest IT challenge they faced.

This complexity makes it very hard to spot the clues that show when defences have been breached and a security threat is emerging. Networks and security deployments such as IPS, IDS, firewalls and anti-virus throw out Gigabytes of log data every day, and can also generate false positive alerts, often hiding emerging threats from the IT team.

These events take time to sort through - time that can be exploited by REAL security threats. The issue is insufficient context for the alerts. Firewalls and IPS donít understand the business importance and vulnerabilities of all systems within the organisation. For example, an attempted malware infection of a web server may be reported as a high-priority event by the firewall, even if systems have already been patched against it.

9. Choose the right platform

We touched earlier on the growing complexity of security estates, with new and emerging threats demanding new products to mitigate the risks, leading to 'solution sprawl'.

Your security solutions should enable IT teams to set and deliver effective, policy-driven protection, without needing constant maintenance and without complex, multi-interface management. Solution sprawl needs to be reversed and infrastructure simplified and rationalised, to contain cost and management overheads.

This can be achieved in two ways: first, by deploying a security gateway solution, which combines functions including firewalling, IPS, VPN, endpoint security, URL filtering and more onto one hardware platform. These gateways can offer excellent value and greatly simplified management, especially for smaller and medium-sized businesses, because they combine multiple best-of-breed products in a single solution.

A criticism that used to be levelled against multi-function security gateways was that they were jacks-of-all-trades, but masters of none; and that they were inflexible and could not easily be upgraded to include new protections. However, latest-generation gateways have the performance and capacity to be extensible and accommodate growth.

10. Avoid future shocks

The final step in transforming your organisationís defences against threats is to make security a central part of its overall IT infrastructure, not just an add-on component or afterthought. The security should align with your organisationís requirements, to help ensure that business can continue smoothly with minimal risk of disruption.

To do this, consider the three critical dimensions of security:
  • Gain a holistic view of your business and IT environment to define a clear policy that aligns with your business needs and industry regulations;
  • Enforce protection according to policies using integrated solutions;
  • Educate your people - employees and partners - on their vital role in maintaining your organisationís security policies and profile.

Also, maintain a dialogue with your security integrators and providers: they should keep you appraised of latest developments in solutions that could address emerging needs; and by keeping them updated with your situation, they should be able to suggest new approaches to enhance security, reduce TCO and management overhead.



ControlCircle is a leading provider of managed and cloud-based services to enterprises and online businesses. To contact ControlCircle or for more information, please visit: www.controlcircle.com



Tweet article
BW on TwitterBW RSS feed