In business, IT security needs to be a top-of-mind priority. Organisations must recognise that the security industry has become increasingly dynamic in response to the ever-present threat of a cyber-attack and that, as a result, security measures taken within a company need to be more agile, more complex and far more responsive if they are to be effective.
By Simeon Tassev, director and QSA at Galix Networking.
This means that when embarking on a new IT project or implementation, it is necessary to factor in security as part of risk management from the outset, rather than get distracted by other common project failure points like scope creep and over- or under-allocated resources.
The reality is that we are now doing business in a world where it is not a matter of “if” companies will fall victim to a cyber-attack, but rather a case of “when”. That makes it important to plan for an attack and to have systems and measures in place to monitor, alert on and intercept a potential attack before it is too late.
Security needs to top the agenda
A company or organisation that ignores recent trends and events in cyber security is simply painting itself as an easy target. Given the severity of the consequences of a cyber-intrusion (financial loss, loss of confidential data and subsequent reputational damage), the issue of security needs to be addressed proactively, not reactively.
While many organisations do acknowledge the need for security, it is time to realise that merely having the basics (like a firewall and anti-virus) in place is no longer going to suffice as cyber-attacks become more prevalent. Just recently, a large financial services institution in South Africa was hacked to the tune of R300 million.
In addition, police found that there was a malfunction in the banking system caused by unauthorised access through the computer system. This malfunction allowed hackers to break into the bank’s system to obtain roughly 3 000 sets of personal data that were loaded onto forged cards and used to withdraw cash from 1400 ATMs in under three hours.
While the bank concerned managed to contain the incident within four hours, the impact on the brand has been quite severe, despite the fact that there were excellent protection measures in place. Such incidents highlight the need for both preventative measures and disaster recovery protocols to be in place before they become necessary.
Such planning needs to include disaster management, recovery, and business continuity from all angles, including steps to be taken from a PR damage control perspective.
Plan for the worst
So what needs to be done in order to defend an organisation from cyber-attack? From a protection point of view, the biggest change in IT and security as a whole is the fact that there is no longer a clear perimeter to protect, as a result of mobile devices, remote access and the interconnected nature of our business infrastructures.
It is no longer as easy to define and differentiate between internal and external zones at a perimeter level. While the threat of an intentional internal attack is no longer as likely as we once thought possible, the threat of an internal person being exploited through the use of their credentials or network equipment is very real. This means that it has become necessary for businesses to put in place different levels of control within an organisation.
It is now essential to build on top of the basics (firewall, antivirus, intrusion detection and prevention) in order to respond to the complexity of cyber-risks, working on the assumption that these foundational measures will be breached and planning for the worst-case scenario.
One way that businesses are starting to do this is to add an additional firewall, a core firewall that essentially identifies different zones within an environment and applies different protection to these zones. For example, by placing a core firewall in front of a data centre, it becomes possible to protect it both from the outside and from internal threats as well. Such measures require access to be defined and granted according to a user’s job description, offering granular control within an intelligent firewall.
When starting a new IT project or implementation, security is not the responsibility of the project manager, who merely has the role of co-ordination and execution. The business owner must take accountability for security, and, where there is no Chief Information Security Officer, the technical lead needs to take responsibility for translating the technical aspects of the project into business impact in order to assess and understand the associated risks.
Regardless of who champions IT security, such planning and actions need to be taken up-front, before the project kicks off, and must be planned throughout the lifecycle of the project, with appropriate steps in place to deal rapidly with the worst-case scenario. In light of the increasing complexity of cyber threats, it is meaningless to have an intricate environment capable of detecting and alerting in the case of potential threats if there are no processes in place to deal with the threat. As such, it is important that the security measures taken are aligned and optimised to meet business and protection needs before it becomes too late.