It can sometimes feel like your company is more exposed than ever, but reducing this is a matter of knowing what to prioritise.
If anything, security is a multi-pronged approach. You can’t assume that one piece of technology or process will keep you safe from threats. In fact, businesses now have more things to take into consideration than ever before.
There are three issues in particular that stand out for Nikos Vasileiadis, IT security officer at Ergo: automated tools, how connected devices are, and companies’ perception of threat.
“[The first] is automated tools which make it easier to attack,” he says. "Botnets have become really cheap so you can rent one for a few dollars [to attack for a couple of hours]. There are a few DDOS services over the internet and you can rent those services and bring down a competitor's website, and it's really cheap.”
“Almost every device right now is connected to the internet in some way, so that's another threat factor. Anything can be hacked and used as a botnet, and it's almost every device you can imagine.”
For the third point, detection and being proactively neutering threats are becoming more important as time goes on. With the rate of attack speeding up, there isn’t much space to be lackadaisical about it.
“Companies themselves either don't identify the risks, or they identified ones but they don't know what to connect and there is no clear plan of action here,” says Vasileiadis. “If they’re hit without realising it, within this time, their company’s intellectual property might be gone, there could be financial damage, legal damage, anything can happen within those few days, until you identify what really happened.”
Vasileiadis advises businesses to take a couple of steps. The first is to identify the risk: if you know what you’re dealing with and can deal with them from most urgent to least, you’ll be in a much better position than most.
Once that is done, he then advises businesses to qualify the potential exposure if something was to be exploited. For example, if your firewall is breached, that might mean your intellectual property is at risk, which will cost you a significant amount of money.
Doing this will put you in a better position to tackle the problem and figure out the best approach to take.
“If you do that, then the course of action is pretty clear,” Vasileiadis explains. "You will implement countermeasures and, if not, accept the risks. [Ask yourself] what your potential exposure is and what could cost you, if the damage in the long term is way more than you would expect.”
Tying in with that process are the security controls needed to keep on top of things. It’s very easy for something like malware or a data leak to create major problems and if you don’t have the right controls in place, such problems can spread faster and further than you might even anticipate.
As Vasileiadis mentioned earlier, more and more devices are connected to the internet and if you take the average business, that means there are significant numbers of entry points – devices, platforms, apps, websites, servers and services – that have access to a business at any one time.
Security controls can at least help you keep a lid on things. One of the best ways is to take a certified security standard and incorporate it into your own business.
All businesses are different, but that doesn’t mean you shouldn’t look at them. Vasileiadis says that even if they aren’t a perfect fit, there will still be elements from them that you can incorporate into your own business and start meeting security standards.
“What I always advise companies to do is just pick up a framework. There are quite a few standards and frameworks out there like ISO 27001, and the Information Security forum,” he says.
“All of those have some guidelines, some rules, some processes, so any company can pick up a framework that is most relevant to what they’re doing.
“Each framework has its own unique set of rules like anti-malware for sorting out all the devices or making sure that there's a security hardening (the process of securing a system by removing as many vulnerabilities as possible) in all our servers. You get something tangible if you know your targets.
“No framework will ever eliminate the risk, but at least you can bring the risk down to an acceptable level and that's a huge point.”
No matter what time it is, businesses will continue to face multiple threats from different places. Keeping up by implementing the measures needed can feel like a relentles task, but what Vasileiadis
advises is that both internal and external teams will need a framework to follow.
If you’re getting outside help, be aware that their perspective will be different than whoever is on your internal team. That can be a benefit, as both external and internal teams can compare and contrast notes, and may spot things the other team might not have realised.
More and more, we have been hearing about companies who are not yet fully compliant with GDPR. In the latest...Read now
Security architecture refers to a unified security design that addresses requirements and potential risks involved in a certain scenario or...Read now