So, you think your IT network is secure? Consider that raging against it is a massive number of malevolent, mutating threats being launched millions of times a day at every piece of hardware, network point and service that you, your IT providers and workers own, are you still confident?
The NotPetya havoc of 2017 was triggered by a modest ransomware attack buried in a rarely-used Ukrainian software package. It is the best example yet that an attack on your business can come from anywhere. Did global shipping giant Maersk feel their IT was secure before the attack? Did French materials firm Saint-Gobain worry about ransomware? You can bet that their attitudes have changed dramatically since their IT services were wiped out.
Since those dark days, the threat landscape has moved on, the vectors of attack have evolved and so have the defenses. Yet, with each company stung by an attack, it becomes clear that every business remains at risk. While better security makes for fewer tabloid headlines, it is only a matter for time before the next big tsunami-scale attack hits, and it could take your business with it.
Protecting your business now, tomorrow and next year
In the boardroom, every business should be deeply concerned about security. Hiring experts and deploying the latest services is only part of the solution. To ensure the business and its data, services, hardware and endpoints remain secure, all companies need to align vulnerability management to the wider business strategy.
Tools like Business Model Canvas allow the company to see at a strategic level your whole business model and the interactions between internal, external and partner IT services. This makes it easier to highlight weak points, and to build a strategy where IT services grow to protect legacy, current and future systems against any type of attack.
With this strategy in place, IT workers can use the tool to gain more granular visibility across networks and endpoints. They can expand and adopt tools to protect them, and understand how future changes will require adjustments in the layers of security to keep the business moving forward.
At each point, identify the person responsible for the network, the user devices and the lifeblood data of your business. Ensure they are talking to each other to understand security responsibilities for risk management, especially between offices or partner businesses. The systems are not responsible for data security, it is the people who manage and operate them. They need to be fully aware of the company, legal and reputational risks should something go wrong.
If people refuse to take an interest, perhaps show them the Kaspersky threat map or a similar tool highlighting the blistering amount of live threats whizzing around the world’s networks. A few near misses around your locations or networks should highlight the severity of the matter.
Building a system that is secure, and stays secure
At the operational end, identifying active vulnerabilities and threats is the key day-to-day task of any IT security worker or team. Getting a clean bill of health for the current network is vital for any business that has started taking security more seriously.
Rigorous checks on all systems, PCs, devices, printers and network adapters are required to ensure the business in clean. No matter how small the company or its IT budget, enterprise-class security tools are available to all to scan and protect. Many tools are available, some are more efficient and reliable than others, but using one marks a starting point in the company’s commitment to security.
With so many threats, businesses need layered defenses. You should invest in predictive services that can monitor traffic for specific activity as well as the usual antivirus scanners and firewalls. As your network expands, you need intrusion tools that can monitor your Internet of Things networks, wireless access points and other weak spots.
Once this is done, the likes of penetration testing services can be used to improve IT security. At the individual level, provide user training around what protection tools are in place and how they work to improve awareness and minimize risk. Worker education across the business around malware, scam sites, phishing attacks and other threats will also help protect the business.
The threat landscape for 2019 and beyond
We now live in a world of zero-day attacks, and even reading 10 hours a day, security experts can’t keep up with the endless series of attacks being reported by the security industry. This gives IT bosses a headache when it comes to pointing out the severity of the problems to some board members. To give the CIO and board some insight into how wide the attack landscape is, encourage them to dial into high-level discussions like Brightcove’s Forecast to better understand the issues.
They are responsible for ensuring the business is capable of meeting the challenges of vulnerability alignment, where IT security is fit for the business. As Network World highlights,
Vulnerability risk management remains a top challenge – and priority – for even the most savvy IT organizations. Despite the best detection technologies, they continue to be compromised on a daily basis. Vulnerability scanning provides visibility into potential landmines across the network, but often just results in data tracked in spreadsheets and independent remediation teams scrambling in different directions.
Now consider how the less-savvy organizations are coping with the threats, using out of date tools and limited people and IT resources. These are the businesses that need to adapt fast to keep secure and, while they may have a simpler tech footprint to manage, the risks are just as great.
Whatever the business size, identify what the IT security risks are, secure the endpoints and plan how security will be a key part of the business going forward. While the landscape will be a moving board of threat and counter-threat, ensuring your business has the security to cope will put it on the best operational and legal footing to cope.