In the German business world, emergency preparations were long limited to fire and storm damage. The new IT Security Act changed all that and forced many businesses to re-think. Given the growth in IT networking, the law pressed home the understanding that faults, interruptions and outages can have many different causes: “In addition to natural disasters, power outages or Internet outages, attacks directed against IT systems also pose a risk,” says Felix Freiling, holder of a Chair of Computer Science at Friedrich-Alexander University, specialising in IT security, and joint initiator of a combined work/study programme leading to a Bachelor’s degree in IT security. Generally, he adds, criminals misuse IT resources or steal information. When it comes to attacks against a company’s IT system, a distinction must be made between external and in-house perpetrators. The latter could be disaffected employees or even interns or workers planted deliberately to perform economic espionage. That makes a major difference in terms of prevention: “In-house perpetrators can be much more dangerous, since they are already in the system,” notes Freiling. In other words, they have already overcome the initial barriers and may even have access rights to sensitive information. In short: the emergency is already under way.
A formula for risk
Businesses are therefore well advised to ensure precautions are in place. Even so, “The main difficulty often lies in identifying the need for precautions,” says Freiling. “Just like backups, you only need them when a loss has already occurred.” Ideally, therefore, the question of emergency management should go right to the top. But many managers do not know how to identify relevant risks and prepare for the specific emergencies facing their businesses. At an abstract level, the risk is easy to calculate, notes Freiling: “Multiply the probability of access by the extent of the potential losses and you get the risk.” In practice it is a little more difficult to work out. This is where a risk analysis can be useful: you start with your own product or service and identify the know-how or essential production workflows that need to be protected. Then you know what requires protection, for example designs or software developed in-house. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) provides support for emergency management with an online course on its own Standard 100-4.
People are the key factor
From practice, Freiling knows that many businesses assume that installing devices or software is enough to enjoy guaranteed security. “But that is not enough,” he warns. “People are the principal means of guaranteeing security.” That is why sizeable companies often maintain a Security Operations Centre (SOC) or have a Computer Emergency Response Team (CERT) in place. These enable security specialists to look after emergency or incident management and to ensure faults do not turn into emergencies. But that comes at a price, since in most cases it means maintaining an Incident Management System or Security Information and Event Management (SIEM). “You have to be able to afford these systems, in addition to the employees who are engaged solely for IT security purposes,” says Freiling, giving pause for thought. This is something that smaller businesses in particular often simply cannot afford. An alternative is for them to buy in the appropriate services on the market. Many such services are available under the designation Security-as-a-Service (SaaS). This provides access to professionals who are experts in the professional tools they work with. “By doing so, however, you are granting access deep into your own systems, which requires a lot of trust,” Freiling notes.
It helps if the service providers are appropriately certified. “You should also ask for customer references,” Freiling recommends. “But you still need your own expertise to be able to select and check the service provider.” There can be huge differences in price, too, since many providers include finely scalable services in their portfolios. Some offer fully automated services that are available at a reasonable price, although there may be some quality limitations.
The risk of forgetfulness
Information and company data can also fall into the wrong hands if laptops and other mobile devices are lost or stolen. But that is something you can protect against fairly easily, assures Freiling, for example by using the widely available mobile device management (MDM) systems: “For centrally managed devices, you have the option of deleting all their content by remote.” Additional access controls or encrypted hard drives offer further protection. “The resources that come with the operating systems are often enough,” he recommends, although there are conditions: “For Microsoft Windows you normally need to have Professional licences.” As an alternative, some models of hard drive come with their own encryption.
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.