With the pace of digital transformation accelerating, companies must act now to secure their information management systems. But too many organisations have delayed investing in a comprehensive security system, leaving them vulnerable to attack. Every business is now automated, digitised and online, bringing advantages of speed and cost but introducing a host of potential vulnerabilities. Fortunately, establishing an efficient information security management system (ISMS) will go a long way to mitigating the dangers.
The main issue in the age of digital transformation is data protection, especially against cyber criminals. Telecommunications giant Verizon conducted research into the greatest security dangers facing companies, and concluded that they came from hacking, which contributes 40% of data breaches, and malware, which causes another 30%. One spectacular example was last summer’s massive cyber attack on shipping container giant Maersk in the port of Los Angeles. With computers and servers shut down, workers were forced to improvise using Twitter, WhatsApp and Post-It notes. The Petya ransomware attack cost Maersk US$300 million and disrupted operations for two weeks, demonstrating that even global companies are vulnerable to attack.
“As villains create new threats, new tools are needed.”
Technology is a world that never stands still and, unfortunately, that applies to the criminals too. That means that businesses can never rest on their laurels when it comes to ensuring that they have all of the latest tools and systems to keep their data secure at all times, regardless of what is thrown their way.
A well-designed information security management system (ISMS) will increase a company’s resilience to cyber attacks. But it’s not just a question of plugging in security technologies and then going to sleep. Creating the right ISMS requires a lot of thought before selecting a policy framework and relevant technologies. Companies need to do a risk assessment that identifies key vulnerabilities, then assess their business position to determine their budget. They will have to decide whether existing personnel have the technical capabilities or whether they need to recruit, then set short- and long-term goals. Security risks change rapidly, and an ISMS has to evolve to deal with new threats. Businesses should seek guidance for their risk analysis from the multiple standards available, including COBIT, the International Organization for Standardization (ISO) 27000 series and the US National Institute of Standards and Technology (NIST) 800 series.
An ISMS framework will take account of the fact that most cybersecurity incidents are caused by the lack of awareness of the victims, who fall prey to the cybercriminal traps. A high-profile example was the massive security breach last year at credit reporting agency Equifax, which leaked the data of more than 147 million consumers. The company’s CEO attributed the lapse to human error. It’s clear that technology is needed to reduce the risk of human error as much as possible, even if it can almost never be completely eliminated. Cybersecurity training programmes are essential to explain to employees how minor mistakes could have catastrophic consequences. There’s also a human cost to making avoidable errors. No one wants to have to sack staff when they fall victim to a phishing campaign, or social engineering attack.
Another important issue in setting up an information security system is determining how to sort out all the data that floods in from security devices, such as firewalls, proxy servers, intrusion-detection systems and antivirus software. The IT team can quickly be overwhelmed, because installing a better security system will increase rather than reduce the volume of alert data. Companies ought to consider installing a SIM (security information management) technology that logs and sorts the data recorded by other pieces of software.
Larger organisations began using SIM systems a decade ago, but the market has boomed and they are now integral to security at many small-to-midsize businesses. Instead of IT security teams manually sorting reams of data, the SIM toolkit automates the process and normalises the data. It can translate Cisco, Microsoft or Check Point software alerts into a common language. Many SIM suites include multiple applications to address different issues.
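The normalisation step described above, as an added illustration that is not part of the original article and not the code of any SIM product: three constructed alert lines, each loosely modelled on a different vendor's style, are parsed into one common event schema. The line formats, regular expressions and the severity mapping are assumptions made for this example; the one real identifier used is Windows event ID 4625 (failed logon). Lines that match no parser are returned separately rather than silently dropped, which is the failure mode a SIM operator most needs to notice.

```python
"""Toy SIM normaliser: vendor-flavoured alert lines -> one common Event schema."""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample lines for this example. They imitate the flavour of a Cisco ASA
# syslog message, a Windows security event and a Check Point firewall log, but are
# not real product output and the exact layouts are assumptions.
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/445 by access-group "OUTSIDE_IN"',
    "EventID=4625 Account=jdoe Source=10.0.0.77 Status=0xC000006D",
    "Action=drop;Src=198.51.100.9;Dst=10.0.0.5;Service=22;Rule=block-ssh",
    "this line matches no parser",
]


@dataclass
class Event:
    """The 'common language' every vendor line is translated into."""
    vendor: str
    action: str                 # deny / drop / logon_failure / ...
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    user: Optional[str]
    severity: int               # common scale, 1 (low) .. 10 (high)


# Assumed patterns for the three constructed formats.
_CISCO = re.compile(
    r"^%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<action>\w+) (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
_WINDOWS = re.compile(r"^EventID=(?P<id>\d+) Account=(?P<user>\S+) Source=(?P<src>[\d.]+)")
_CHECKPOINT = re.compile(
    r"^Action=(?P<action>\w+);Src=(?P<src>[\d.]+);Dst=(?P<dst>[\d.]+);Service=(?P<dport>\d+)"
)


def parse_cisco(m: "re.Match") -> Event:
    # ASA syslog severities run 0 (most severe) .. 7 (debug); inverting onto the
    # common 1..10 scale is this example's assumption, not a vendor mapping.
    sev = 10 - int(m["sev"])
    return Event("cisco", m["action"].lower(), m["src"], m["dst"], int(m["dport"]), None, sev)


def parse_windows(m: "re.Match") -> Event:
    # 4625 is the real Windows 'An account failed to log on' event ID.
    action = "logon_failure" if m["id"] == "4625" else f"event_{m['id']}"
    return Event("microsoft", action, m["src"], None, None, m["user"], 5)


def parse_checkpoint(m: "re.Match") -> Event:
    return Event("checkpoint", m["action"].lower(), m["src"], m["dst"], int(m["dport"]), None, 6)


PARSERS = [(_CISCO, parse_cisco), (_WINDOWS, parse_windows), (_CHECKPOINT, parse_checkpoint)]


def normalise(lines):
    """Return (events, unparsed). Unparsed lines are kept so they can be reviewed."""
    events, unparsed = [], []
    for line in lines:
        for pattern, parser in PARSERS:
            m = pattern.match(line)
            if m:
                events.append(parser(m))
                break
        else:
            unparsed.append(line)
    return events, unparsed


if __name__ == "__main__":
    evs, bad = normalise(SAMPLE_LINES)
    for e in evs:
        print(asdict(e))
    print("unparsed:", bad)
```

In a real deployment the parser list would be far longer and the schema would carry a timestamp and the raw line, but the shape is the same: each vendor gets one parser, everything downstream (correlation, dashboards, KPIs) reads only the common Event, and the unparsed bucket is itself a metric worth watching.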
When deciding which SIM system to purchase, businesses need to consider the level of risk they face and whether the system has the capabilities they require. It needs to be scalable, so that it logs information from hundreds, or even thousands, of devices in real time. It needs to cope with what Symantec calls “blended threats”, which can combine the characteristics of viruses, Trojan horses and other malicious code. Some businesses will want an active response capability, meaning the SIM system takes immediate action based on the data. This option always needs careful installation to avoid unnecessary shutdowns of servers and blocked traffic when staff make innocent mistakes. Care has to be taken as well to negotiate interdepartmental politics. SIM requires complex integration, and there might be delays as each department works out suitable access privileges.
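The safeguards that paragraph asks for around active response, as an added example that is not from the original article or any SIM vendor: a rule that reacts to a burst of failed logons, but only when the count crosses a threshold inside a time window (so one employee's typo never trips it), never auto-blocks a host on a protected allowlist (it raises a review item instead), and starts in dry-run mode so the rule can be watched before it is allowed to block anything. The events, hosts, threshold and window are all constructed values for this illustration.

```python
"""Gated active response over already-normalised SIM events (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning for this example: block only after THRESHOLD failed logons
# from one source inside WINDOW, and never auto-block a host in PROTECTED_HOSTS.
THRESHOLD = 8
WINDOW = timedelta(seconds=60)
PROTECTED_HOSTS = {"10.0.0.5"}          # e.g. the file server: a block here is an outage


def _burst(start: str, src: str, user: str, n: int, step_s: int = 2):
    """Build n constructed failed-logon events from src, step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step_s), "logon_failure", src, user) for i in range(n)]


# Constructed, already-normalised events: (timestamp, action, src_ip, user).
EVENTS = (
    # a single mistyped password by an employee: must not trigger anything
    [(datetime.fromisoformat("2024-01-01T09:00:00"), "logon_failure", "10.0.0.77", "jdoe")]
    # twelve failures in ~22 s from an external address: crosses the threshold
    + _burst("2024-01-01T09:00:00", "203.0.113.7", "admin", 12)
    # twelve failures from a protected internal server (e.g. a broken service
    # account): worth a human look, but blocking it would cause the very outage
    # the article warns about
    + _burst("2024-01-01T09:05:00", "10.0.0.5", "svc_backup", 12)
)


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    peak, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def decide(events, dry_run=True):
    """Map source IP -> 'block' | 'dry_run_block' | 'review'. Sources that stay
    under the threshold get no entry at all, so quiet mistakes are simply ignored."""
    failures = defaultdict(list)
    for ts, action, src, _user in events:
        if action == "logon_failure":
            failures[src].append(ts)

    decisions = {}
    for src, times in failures.items():
        if peak_in_window(times, WINDOW) < THRESHOLD:
            continue
        if src in PROTECTED_HOSTS:
            decisions[src] = "review"              # never automated for these hosts
        else:
            decisions[src] = "dry_run_block" if dry_run else "block"
    return decisions


if __name__ == "__main__":
    print("dry run :", decide(EVENTS))
    print("enforce :", decide(EVENTS, dry_run=False))
```

The usual rollout is to leave `dry_run=True` for a few weeks, compare the `dry_run_block` entries against what the helpdesk actually saw, adjust the threshold, window and allowlist with each department that owns the affected systems, and only then switch enforcement on.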
Once the system is designed and installed, that’s not an end to the process. The organisation needs to set KPIs to monitor its effectiveness, then review major breaches. Bad actors are continually exploiting new technologies and vulnerabilities, and it will be essential to constantly deploy new tools, skills and procedures to counter them. Fortunately, technology companies are moving as fast as the criminals and all the tools are available to implement a strong and secure system.