By Birgitte Agergaard
Phishing, DDoS, Trojan horses, worms and viruses – the cyber-crime vocabulary is virtually a zoo of subversive species. Do you have the right security level; are you compliant according to law, and what is really the weak point in your company? In this article John Clayton, management consultant at NNIT, discusses how to get an overview of the company’s vulnerabilities and how to protect the business against cyber-crime.

Security spans the entire business: it is not just about technology, but also about processes and people. Ultimately, security is about staying in control of the company’s information assets and ensuring the confidentiality, integrity and availability of these. According to John Clayton, management consultant at NNIT, the challenge is to strike the right balance between maintaining control and ensuring smooth workflows.

‘You want to keep external intruders out, and at the same time facilitate an internal working space where the security precautions aren’t perceived as a hindrance and a nuisance. Otherwise there is a risk that some employees could attempt to find their own solutions, which could unintentionally open a flank in the company’s defences. Therefore, you have to limit the downside of control and strike the right balance – but how do you determine how much security is enough security?’, John Clayton asks.
To help strike the right balance, NNIT offers a ‘Security Assessment’. Its purpose is to assess the current IT security state and establish a solid foundation for an IT security strategy – this is mandatory in many industries and serves well as an integral part of good business practice for operational stability. NNIT’s consultants will identify the current vulnerabilities, define the right level of security, and plan how to reduce the security risk profile using a step-by-step approach.

‘It is our experience that the security assessment provides a valuable overview enabling the organisation to identify, prioritise and tackle the most urgent security risks first. We also see that the health check acts as a catalyst to establishing IT security firmly at the C-level of the organisation – this is key since security spans the entire business and is not just confined to the IT department.
‘Cyber-criminal activities are a business risk. And the combination of cyber criminals and advanced software tools makes staying ahead of them a constant challenge. So, on an infrastructure level you have to make it as difficult as possible for them to get the information they are after. By making it cumbersome and time-consuming to bypass the corporate defences, you also reduce the ‘Return on Investment’, so to speak, thus reducing its attractiveness.’

According to John Clayton, the best way to protect the company’s information assets is to have a defence-in-depth strategy, i.e. a series of security measures complementing each other. ‘Apart from a firewall, you would want to control the connections to the internet with intrusion prevention systems and ensure that sensitive network traffic is encrypted; you would look at network segregation and data loss prevention software, and you would also look at the application layer. I would like to emphasise the importance of having a gold-standard patch management process to ensure that your applications are promptly updated – otherwise, there is a risk of becoming a sitting duck for attackers attempting to leverage the vulnerabilities in unpatched applications.’

‘To maintain an adequate and effective level of security, security should be considered as an ongoing process – a one-time fix doesn’t exist. New technologies and trends such as mobility, cloud, social and also virtualisation each introduce the possibilities for new vulnerabilities – and the business needs to react to this.’
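The patch-management point above is easiest to act on when it is turned into a repeatable check: which installed applications are behind the vendor’s current version, how long they have been behind, and which of them breach an agreed patch deadline. The script below is an added illustration written for this article, not NNIT code or part of its Security Assessment; the inventory rows, the version numbers, the 14-day and 30-day deadlines and the ‘internet’ / ‘internal’ exposure classes are all constructed assumptions. It ranks the findings so that breached, internet-facing systems come first, in the spirit of the ‘identify, prioritise and tackle the most urgent risks first’ approach described earlier.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AppRecord:
    """One installed application as it would appear in an asset inventory."""
    name: str
    installed: str        # version currently deployed, e.g. "2.4.49"
    latest: str           # vendor's current version
    latest_release: date  # date the vendor published that current version
    exposure: str         # "internet" (reachable from outside) or "internal"


# Assumed patch deadlines in days, per exposure class. These are illustrative
# policy values, not figures from the article.
SLA_DAYS = {"internet": 14, "internal": 30}

# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    AppRecord("web-server",  "2.4.49", "2.4.51", date(2024, 1, 10), "internet"),
    AppRecord("vpn-gateway", "9.1.0",  "9.1.2",  date(2024, 2, 12), "internet"),
    AppRecord("hr-portal",   "3.0.5",  "3.1.0",  date(2024, 1, 5),  "internal"),
    AppRecord("db-server",   "14.2.0", "14.2.0", date(2023, 12, 1), "internal"),
    AppRecord("file-share",  "1.9.9",  "1.10.0", date(2024, 2, 1),  "internal"),
]

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 2, 20)


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so that 1.10.0 sorts after 1.9.9.

    Comparing the raw strings would get this wrong ("1.9.9" > "1.10.0").
    """
    return tuple(int(part) for part in version.split("."))


def is_outdated(rec: AppRecord) -> bool:
    return parse_version(rec.installed) < parse_version(rec.latest)


def days_unpatched(rec: AppRecord, today: date = TODAY) -> int:
    """Days since the vendor fix became available; 0 if already current."""
    return (today - rec.latest_release).days if is_outdated(rec) else 0


def assess(inventory, today: date = TODAY):
    """Return outdated applications, most urgent first.

    Ordering: SLA breaches before pending items, internet-facing before
    internal, and older gaps before newer ones within the same class.
    """
    findings = []
    for rec in inventory:
        if not is_outdated(rec):
            continue
        age = days_unpatched(rec, today)
        status = "BREACH" if age > SLA_DAYS[rec.exposure] else "PENDING"
        findings.append({
            "name": rec.name,
            "installed": rec.installed,
            "latest": rec.latest,
            "exposure": rec.exposure,
            "days_unpatched": age,
            "status": status,
        })
    findings.sort(key=lambda f: (f["status"] != "BREACH",
                                 f["exposure"] != "internet",
                                 -f["days_unpatched"]))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['status']:8} {f['exposure']:9} {f['name']:12} "
              f"{f['installed']} -> {f['latest']} ({f['days_unpatched']} days)")
```

Run as a script it prints the ranked list; the `db-server` row is already current and is left out. Feeding it a real inventory means replacing `SAMPLE_INVENTORY` with rows drawn from your asset management or endpoint tooling and setting `SLA_DAYS` to the deadlines your own patch policy defines.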
The Security Assessment assesses the current security state of the company and establishes a foundation for the development of a security strategy using ISO 27001 and other security-related best practices. The Security Assessment consists of a workshop, an analysis, and a report with findings and next-step recommendations.