If you don’t know what you have, how are you going to protect it?
Keeping systems safe has been a challenge for decades. Unfortunately, it’s getting harder. There’s more cyber criminality for sure, but the attack surface (what can be attacked and the myriad ways to exploit weaknesses) is greater than ever.
Protecting systems requires knowing what you have and what’s connected to your network, which applications are in use and who has access to these, what data is being processed, shared and stored, and understanding the appropriate security measures to adopt to keep everything safe.
Prior to cloud computing, most systems were housed in company-operated datacentres and users sat behind firewalls, working from an office.
These days the situation is far more complex, with remote staff, application sprawl (there’s seemingly an app for everything), cloud services, contractors and fractional workers, software as a service, and managed service providers. If all this is your responsibility, it’s difficult to ensure you have security in hand, especially as it’s much harder to keep tabs on everything when it’s so distributed and diverse.
Keeping tabs on everything
Inventories and CMDBs
To be able to protect systems and data from attack, you first need to know they exist.
It is critical for businesses to maintain accurate inventories and ensure there are appropriate levels of rigour surrounding systems and data management.
It’s also critical for tracking the lifecycle of IT assets from procurement to disposal, which has both financial and environmental implications and should help in ensuring compliance with licensing agreements.
Once you have established what you have, you should then ensure you document how it’s been configured.
A Configuration Management Database (CMDB) is a database or repository that stores information about the nature of systems and their configurations, as well as documenting change history and dependencies. All are vital for ensuring systems are secure and functioning optimally.
Inventories and CMDBs would contain information on:
- Hardware – Such as employee computers and devices, servers, routers, switches, storage devices, and other physical infrastructure components.
- Software – Including operating systems, applications, databases, and associated software components, even Infrastructure as a Service and Software as a Service platforms. The latter may not be managed by you, but the data you feed it is still your responsibility.
A comprehensive and up-to-date CMDB is vital for effective troubleshooting and incident response. By maintaining one, organisations can also improve the efficiency and reliability of their IT services, while reducing risks associated with changes and incidents.
Shadow IT
The ease with which we all download apps on phones and tablets has found its way into the workplace. And it’s known as Shadow IT when it’s done without the knowledge of the IT department.
It generally happens because people need to do things quickly or prefer another tool for a job, other than the one on the approved list, so they bypass policies that require approvals and use of only sanctioned applications or services. It can quickly get out of hand if it’s not controlled and managed.
It can also have serious consequences for a business. It may result in out-of-control expenditure, which can happen when people sign up to pay-as-you-go services. It can also become a risk to the business should employees use personal cloud storage services (e.g., Dropbox, Google Drive) to store and share work-related documents that might contain confidential, sensitive and personal information, and which may not have sufficient protections in place.
Data
It’s not only systems that need documenting and managing securely. At the root of it all is the information that sits on them.
Your company’s data is the lifeblood of the operation and may underpin its value. If you lose access to that data or it falls into the wrong hands, it can have a catastrophic impact on your business.
If you hold data about individuals, it must be for justifiable reasons, and you must protect it. If you don’t, you may be fined or face jail time for the most serious offences. While the penalties that can be imposed in accordance with the Data Protection Act (UK) are merely financial, they can be extremely high, amounting to as much as £17 million or 4% of the data controller’s global turnover – whichever is greater.
You must learn how to protect information in the business as it is stored, processed and transmitted.
What to Consider
A cyber-ready business has an accurate inventory of systems, keeps them up to date, tests them to ensure they’re configured safely, knows who has access to what and allows only appropriate levels of access – dependent on roles, responsibilities and when it’s required.
- Undertake internal and external scans to see what’s connected to your network and associated with your business. You might be surprised to learn what’s out there. You can’t protect it if you don’t know about it. If it’s no longer needed, it should be decommissioned or removed straight away.
- Cybercriminals undertake vulnerability scanning to identify security holes in your systems and networks. You can regularly run these same tools yourselves, to identify and remediate vulnerabilities before they can be exploited by an attacker.
- Implement secure configurations so that your physical and virtual assets are protected. Cybercriminals can exploit environments using vendor tools and programs loaded on your machines by default when they are manufactured, and when you install new software. You should remove any that are not essential for business operations.
- Retire unsupported hardware and software as soon as possible. These will not be receiving updates, including fixes for security flaws. This is where an accurate inventory and good vulnerability management come in.
- Lock down devices so that only approved software can be installed, and only by an administrator if possible.
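The following added example, which is not from the original article, reconciles a discovery-scan export against an inventory export to list devices seen on the network but not recorded, recorded devices that were not seen, and systems past their support date. The CSV column names, sample rows, addresses and OS names are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an inventory/CMDB export and a discovery-scan export.
INVENTORY_CSV = """mac,hostname,owner,os,support_ends
00:11:22:33:44:01,fin-laptop-01,finance,ExampleOS 11,2031-10-01
00:11:22:33:44:02,file-srv-01,it,ExampleOS Server 8,2023-10-01
00:11:22:33:44:03,old-printer,facilities,embedded,2030-01-01
"""
SCAN_CSV = """mac,ip
00-11-22-33-44-01,10.0.0.21
00:11:22:33:44:02,10.0.0.5
AA:BB:CC:DD:EE:09,10.0.0.77
"""


def norm_mac(mac):
    """Scanners and inventories format MACs differently; compare one form."""
    return mac.strip().lower().replace("-", ":")


def load(text):
    """Index CSV rows by normalised MAC address."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, scan, today):
    """Compare what is recorded with what was seen on the network."""
    return {
        # On the network but not recorded: possible shadow IT, investigate.
        "unknown": sorted(scan[m]["ip"] for m in scan.keys() - inventory.keys()),
        # Recorded but not seen: stale record, or a device to decommission.
        "not_seen": sorted(inventory[m]["hostname"]
                           for m in inventory.keys() - scan.keys()),
        # Past the vendor support date: no more security fixes, retire.
        "unsupported": sorted(
            r["hostname"] for r in inventory.values()
            if date.fromisoformat(r["support_ends"]) < today),
    }


if __name__ == "__main__":
    report = reconcile(load(INVENTORY_CSV), load(SCAN_CSV), date.today())
    for finding, items in report.items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```
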
A cyber-ready business also knows what information resides on its networks, in cloud services and on internet-facing assets.
- Create a data inventory and where possible identify what information is critical, such as proprietary research, financial information and personally identifiable information (PII), which is any information connected to a specific individual that can be used to uncover that individual's identity. Put tighter controls on this.
- Encryption is the process of protecting information or data by using mathematical models to scramble it in such a way that only the parties who have the key to unscramble it can access it. Some modern operating systems do this (or it can be enabled with native tools), and a lot of good hardware and software offers this for data in transit and at rest. There are also ways to ensure your browsing is hidden, and more secure methods for web access. Adopt these methods where possible.
- Remember that cloud services may not have the levels of protection you assume. Check with suppliers and providers to ensure you are covered in the event something happens to them.
- Monitor data in transit and at rest if needs be. Understand and monitor behaviours on the network and have alerts in place for anything suspicious or out of the ordinary.
- If you don’t have a Data Protection Officer (DPO) or someone performing that function as an extension of their role, you may need to investigate it. In respect of GDPR, they can advise whether it’s necessary to perform a Data Protection Impact Assessment. For further information see ico.org.uk.
How can ProcessorCentre help
By nature, this is one of the more technical elements of protecting a business. It is likely you will need to lean heavily on IT to ensure these elements are in place. They in turn may benefit from external help, some time from a technical consultant to assess systems and provide actionable advice.
You may be guided by external demand – a customer, supplier or regulation requiring that you have good cyber hygiene in place for your systems. These days it is common for Cyber Insurers to ask many of these questions about you, your IT, and any external parties you rely upon for systems delivery or support so they can assess your risk. If you score well, it should reduce your premiums.
Whatever the source, we are familiar with these questions and can guide you as to the best action to take, to help you to create secure systems and provide services to keep them that way once a good baseline has been established.