Technology is now an integral part of every organisation. It is no longer just a tool that helps you get things done but a ubiquitous part of how you operate; it IS the business. So, to keep your organisation operating, there is nothing more important than making sure your IT systems are available and your data is protected.

You are most likely thinking “Well, my systems are always running, and no one has hacked us”, but beneath that veneer of availability and safety lies a large pile of hidden risks: a ticking time bomb waiting to go off and disrupt your day-to-day operations.

It is extremely common for organisations to ignore their technology: rejecting investment to improve systems, pushing that latest upgrade into next year’s budget, and getting by with the over-complicated spreadsheet that runs an important organisational function (and likely contains sensitive data). All of this comes at a future cost, and that future may arrive sooner than you think.

If you have had a major outage that took days or even weeks to recover from, lost valuable data and working time, or recently suffered a security breach, then I don’t need to sell you on investing in the reliability and security of your technology systems – you already know. For those who haven’t experienced that impact, let me do my best to help you understand how big it can be.

Let’s start with a major technology outage. Identify the most important technology system in your business: for a financial firm it could be your trading platform, for a government organisation it could be payment processing, for a sales company it could be your phone system. Pick any system that is vital to your day-to-day function, to generating revenue or to operating your organisation.

Now imagine your organisation without that system for a day: no trading, no sales calls, no payments processed. Think of a retail store that can’t process transactions or a mine site that can’t process materials. Think about the impact: the lost revenue, the cost of staff who can’t work, the upset customers, the damage to your reputation for dependability. And that’s just one day. How much damage could your organisation suffer from a single day of outage? Then extrapolate that to a week; the damage is far greater, as lost customers, missed obligations and recovery effort compound. And yes, I have seen organisations unable to use their technology systems for a week or more and I have seen the damage first-hand.

Let’s turn to security. Think of the most important and sensitive data your organisation uses every day. Then think of the data your organisation holds that you haven’t even considered: staff payroll data, medical records, credit card numbers, legal agreements, and all the forgotten documents that were used once and kept for record-keeping purposes.

Now imagine all that data published on a public website for anyone to access. How would your staff, customers, partners and regulators feel? How would you personally feel if your private medical records were out there, or every email you have ever sent? A leak like this could be catastrophic. Beyond the obvious reputational damage there would be legal costs, incident response costs, potential lawsuits, regulatory fines, and competitors who know your every secret. For many organisations it would be an existential threat.

Hopefully by now I have scared you sufficiently; sorry, but in my experience it needs to be done. The “Why would anyone attack us?” and “It can’t be that bad” mentalities need to be quashed with reality, as unpleasant as that is. But don’t despair, because there are measures you can take that significantly reduce the likelihood of reliability and security incidents, and they don’t need to be overbearing or overly expensive.

1. User Education: One of the most common ways attackers get into your systems is through the people who use them. Users have access to data through systems, so compromising a user (typically with a phishing email or a phone call) is the fast track to the data. There are many online courses available for educating users and it doesn’t need to be an onerous or expensive task. Teach users about safe computer use, not clicking on or replying to unexpected emails, and never divulging usernames or passwords to anyone, among many other lessons. A lot of this may seem like common knowledge, but a user base is wide and varied, so there will be less technology-literate people who don’t know it – and don’t assume it’s limited to age; I’ve seen plenty of young people accidentally do the wrong thing.

2. Security Technology: Investing in the right security technology to prevent and detect security events in your IT environment is critical to maintaining a secure environment. A firewall separates your internal network from the outside world and controls which traffic is allowed in and out. Endpoint protection software continuously monitors activity on your computers and servers to detect and block malicious software before it runs. If you install no other security technology, at least install those two, and make sure someone actually looks at what they report.

3. Multi-factor Authentication: Multi-factor authentication (MFA) is becoming the standard now and you have likely already experienced it. This is when you log in to an app or website and are then sent a code to your phone via text message, or you have an authenticator app such as Microsoft or Google Authenticator where you approve the login or enter a code. With MFA enabled, even if your password is stolen no one can use it unless they also have the second factor, which is your phone or authenticator app. It is not a silver bullet: text-message codes can be intercepted through SIM-swap fraud, and some phishing sites relay codes in real time or bombard users with approval prompts until one is accepted, so prefer an authenticator app or a hardware security key over SMS and teach staff never to approve a login they didn’t start. Even so, MFA stops most attacks that rely only on a stolen password, and it should be standard in any organisation.

4. Encryption: Encryption protects data at rest (when stored on a disk) and in transit (when accessed or downloaded over a network). Encrypted data cannot be read without the decryption key, so even if someone steals a copy of your data it is useless to them, provided the key wasn’t stolen with it; protect keys separately from the data, and keep recovery keys somewhere you can reach after a disaster. Most cloud services now encrypt stored data by default, but confirm this with each provider. Current versions of Windows include disk encryption (BitLocker) that can be turned on. When accessing corporate files remotely use a VPN, and only use websites whose address starts with HTTPS; both encrypt data in transit.

5. Lifecycle Management: Old operating systems and applications are a gold mine of vulnerabilities for an attacker to exploit. When a product reaches “end of life” the vendor no longer supports it, which means no more updates or patches for security vulnerabilities. This affects both security and reliability: an unsupported system may not be recoverable after a serious failure, because the vendor will not help and compatible replacements may no longer exist. The same applies to hardware such as computers, servers, firewalls and network equipment. Managing the lifecycle of your software and hardware (the technical way of saying upgrade before it goes end of life) not only removes known vulnerabilities but also improves reliability and generally makes the users of your IT systems much happier (and more productive).

6. Update Management: Even when your hardware and software is in support you still need to apply the software updates (“patches”) the vendor releases; they add functionality, fix reliability issues and close security vulnerabilities. These updates are generally free of charge, and using an automated patching system to deploy them reduces the chance of forgetting them or missing some systems. Prioritise patches for anything exposed to the internet and for flaws that are already being exploited.

7. Backups: If your data is corrupted, deleted or encrypted by malware you must be able to restore it. The reality is that data is how modern organisations operate, it is more valuable than gold, and losing it not only has enormous effects on your operations but may leave you legally liable under a number of regulations. Backups should take a copy of all your data at least daily and store it outside your office or primary cloud environment, and at least one copy should be offline or immutable so that ransomware that encrypts your live systems cannot also encrypt your backups. In the event of a disaster (such as a building fire) you want that data safely stored elsewhere. Monitor backup jobs and test restoring data regularly; a backup you have never restored is an assumption, not a backup.

8. High Availability: This is the practice of having another system on standby in case something fails. For cloud-based systems this may be automatic, but think about things like your network: if all your traffic goes through one firewall, what happens when that firewall fails? If a critical application runs on a single server, what happens when the server fails? High availability automatically fails the workload over from the failed component to a second component that is waiting, so operations continue. Failover can be limited to critical systems, which keeps costs down while keeping critical operations alive. Test the failover too; a standby that has never taken over may not work when you need it.

9. Business Continuity: Even with all the best mitigations in place, what do we do if there is a disaster or a major outage we just couldn’t prevent? What if we are attacked? A business continuity plan is an operating procedure for the business for when something happens. For example, if corporate email fails, can people use their personal email temporarily to communicate, and where is the list of their personal contact details kept so it is reachable when corporate systems are down? If your trading platform fails, can you trade over the phone, and do you have enough information to even make a trade? This is a business risk that must be considered regardless of the mitigation activities put in place.

10. Appropriate Resourcing: Under-resourced and under-skilled: the two most common complaints of any IT team. Relying on a team that is not adequately trained or experienced, or that is so heavily utilised it has no time or energy to devote to security, is a very common situation. Make sure IT staff are capable of managing security, or consider outsourcing some or all of it to a Managed Security Services Provider.

11. Managed Security Services (SOC): Consider engaging a Managed Security Services Provider (MSSP) to monitor and look after the security of your environment. There’s nothing like a good provider with deep security expertise and capability watching over your IT environment. These services should come with a Security Operations Centre (SOC) that monitors your environment 24/7 for security events and alerts security professionals so they can act in real time. Even with all the right security software in place, what good is it if no one responds to the alerts it generates? Unanswered alerts are a very common feature of security incidents. Look for a reputable provider, check their certifications (ISO 27001 is a common one, but check your local government websites for country-specific security frameworks), check their references from other customers, and agree in writing who does what, and how fast, when an alert fires.

12. Cheap Outsourcing: I’ve saved the most contentious one for last, but I’ll attempt to choose my words carefully. When you outsource some or all of your IT you are relying completely on that provider to handle your most precious asset, your data, properly. I’ve lost count of the number of times I’ve seen organisations let down by a bad service provider who simply didn’t do their job properly: security breaches, lost data, lost productivity, compliance failures. IT is an unregulated industry and unfortunately there are a lot of cowboys. Added to this is the temptation to offshore IT to cheaper countries. I don’t want to cast too much judgement here, but it is worth noting that when you offshore you are essentially handing the keys to the kingdom (administrative passwords, for example) to people in another country. You may want to consider whether that risk is worth the lower cost (on paper at least) that it offers.

There is a lot to digest there, and there are a number of deeper security topics I won’t delve into here. The list above is a great starting point, and if all you do is that list you are well on the way to mitigating the most common security and reliability risks.
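Item 7 in the list says to test restores regularly. As an added example, not from the original post, the Python script below (standard library only) takes a backup of a directory, records a SHA-256 manifest beside it, restores the archive somewhere else and checks every restored file against the manifest; it then deliberately damages a second restored copy to show what a failed drill reports. The directory names, sample files and function names are constructed for this example.

```python
"""Backup drill: archive a directory, record a SHA-256 manifest, restore the
archive elsewhere and prove every file came back intact.

Added example, standard library only. Paths and sample files are constructed
for the demo and do not come from any real environment.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a .tar.gz of `source` plus a JSON manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, dest: Path) -> Path:
    """Extract the archive into `dest` and return the restored data root.
    The 'data' extraction filter (Python 3.12+, backported to 3.8.17 / 3.9.17 /
    3.10.12 / 3.11.4) refuses members that would escape `dest`, such as a
    crafted '../../etc/passwd' entry in a tampered archive."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest / "data"


def verify_tree(root: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a restored tree with the manifest taken at backup time.
    Returns a sorted list of problems; an empty list means the restore is complete."""
    actual = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"{rel}: missing after restore")
        elif actual[rel] != digest:
            problems.append(f"{rel}: content differs from backup")
    for rel in actual.keys() - manifest.keys():
        problems.append(f"{rel}: unexpected extra file")
    return sorted(problems)


def drill(workdir: Path) -> tuple[list[str], list[str]]:
    """End-to-end restore test on constructed data. Returns the problem lists
    for (a) a clean restore and (b) a restored copy that was tampered with
    afterwards, so the second list shows what a failed drill looks like."""
    source = workdir / "source"
    (source / "finance").mkdir(parents=True)
    (source / "finance" / "payroll.csv").write_text("employee,amount\nalice,1000\n")
    (source / "contracts.txt").write_text("agreement v1\n")

    archive = workdir / "nightly.tar.gz"
    manifest = backup(source, archive)

    clean = restore(archive, workdir / "restore_clean")
    clean_problems = verify_tree(clean, manifest)

    damaged = restore(archive, workdir / "restore_damaged")
    (damaged / "finance" / "payroll.csv").write_text("employee,amount\nalice,9999\n")
    (damaged / "contracts.txt").unlink()
    damaged_problems = verify_tree(damaged, manifest)
    return clean_problems, damaged_problems


def run_drill() -> tuple[list[str], list[str]]:
    """Run the drill in a throwaway directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        return drill(Path(tmp))


if __name__ == "__main__":
    ok, bad = run_drill()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

The manifest is the part most ad hoc backup scripts skip: without an independent record of what was backed up, a restore that silently drops a file looks identical to a successful one. In production the manifest belongs with the offline copy, and the drill should restore onto a different machine from the one that took the backup.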

A great resource for exploring cyber security further is the NIST website, run by a US government agency and dedicated to providing cybersecurity standards, guidelines and best practices.

https://www.nist.gov/quick-start-guides