A successful IT security strategy: Technology alone is not sufficient

Companies see themselves as well prepared against threats from hackers – at least from a technical point of view. This is the finding of the Cyber Security Report 2015 from Deutsche Telekom/T-Systems. But are security solutions alone really sufficient for an effective degree of protection? Unfortunately, no – because the biggest vulnerability is not the technology, it’s the human factor. A comprehensive IT security strategy must therefore always consider the organizational factors in addition to the technical aspects.


Greatest risks: “Shadow IT” and careless data handling

The increasing popularity of cloud-based services, and the convergence of services and devices used both professionally and privately, is fundamentally increasing the complexity of IT security within companies. On the one hand, there is the risk of an evolving “shadow IT”: individual users or departments use software without the knowledge of the IT department. This makes it steadily harder for the security officer to control the proliferation and to ensure that the security policy is adequately implemented. On the other hand, employees often handle sensitive data very carelessly. For example, cloud storage services such as OneDrive, Dropbox and Google Drive are highly popular. A recent study conducted by the cloud security provider Skyhigh Networks analysed the aggregated and anonymized Internet logs of more than 23 million corporate employees worldwide.

The results show that 15.8 percent of the documents uploaded to cloud services contain confidential information, often including trade secrets, business plans, personal data, credit card/bank account information and personal details. Many employees are also very careless when assigning access rights. For 5.4 percent of the shared documents, a simple link was sufficient for access. 2.7 percent of these links are even publicly searchable through a search engine. According to the study, every company had more than 1,000 documents in cloud storage services in which sensitive data was unencrypted and filed under a meaningful file name – for example, passwords were stored in a document named “Password.docx”. This makes life very easy for attackers.

The danger originates from the internet

Today, the biggest dangers are lurking on the net. Hackers are able to attack anonymously from any computer anywhere in the world. The risk of being discovered is therefore relatively low. Popular attack scenarios are DDoS attacks on web shops, theft of sensitive data or extortion attempts using crypto Trojan horses. For example, early this year Locky received considerable media attention: the malware invaded victims’ computers through an e-mail attachment and covertly encrypted files there. The hackers only released the data again after a ransom was paid.

Today, Trojan attacks can be carried out with relatively little effort. Construction kits for malware are already available on the so-called Darknet, which cyber-criminals can use to assemble malware even without any in-depth knowledge of the matter. The primary target is usually the user, because users can be attacked relatively easily. Even today, many employees still carelessly open e-mails that have been prepared with dangerous malware. This malware is often undetectable by virus scanners. While technical security systems are becoming harder and harder to crack, criminals are shifting the focus of their efforts to the human factor.

Technical measures are the foundation

In order to effectively protect the company, two factors are equally important: a technical security concept and an organizational concept that considers the human factor. The standard technical measures include the installation of traditional security systems such as firewalls, virtual firewalls, VPN gateways, intrusion-prevention systems (IPS), anti-bot systems, anti-virus systems, solutions for the detection of shadow IT environments and application control, as well as LAN segmentation and Network Access Control. Security Information and Event Management (SIEM) solutions play a significant role here.

They collect security-relevant data and documents, and analyse them almost in real time. This enables the systems to detect whether security-critical actions are being performed, and if necessary initiate the appropriate measures automatically.

Comprehensive protection against cyber threats can never rely on just one technology, but must always be designed as a multi-layer concept. A carefully assembled mix of different applications is crucial. To provide adequate protection, all the elements must work together flawlessly and in a well-coordinated way, because hackers are always discovering new tricks, and their attack methods and the options they use evolve quickly. It is therefore equally important to stay informed about the latest relevant developments. This is becoming an increasingly difficult task for IT teams. They are faced with an ever-increasing range of tasks, but often lack sufficient human or financial resources. Outsourcing to a provider of Managed Security Services can help to create the necessary security infrastructure.

Organizational security for the “human factor”

In parallel with the technology-based protection, security processes must also be willingly applied throughout the company. This includes raising employee awareness of security hazards. Many companies don’t have defined IT processes – the know-how regarding how employees should react in the event of a fault or an attack is commonly held by only a few specialists. Crucial time could be lost if these individuals are not immediately available. In order to facilitate organizational IT security, processes should therefore be standardized, simplified and, above all, documented as far as possible. The aim is to create uniform rules and guidelines for all employees. This also includes work and operational instructions for service providers, or policies for customers and guests.

Another important factor is the development of an Information Security Management System (ISMS). Despite the very technical-sounding name, this is not yet another piece of software, but a specially aligned package of processes, procedures, rules and responsibilities. It is primarily intended to provide the management with greater transparency of the IT security environment within the company. An ISMS shows the success of security measures, depicts blocked attacks, identifies existing IT risks, and provides the Executive Board with the respective assessments and recommendations. This matters because all too often the decision-makers lack the security know-how required to comprehend and drive the necessary measures. An ISMS can help IT departments to obtain approval for much-needed budgets and to carry out the necessary security projects. However, everything should be governed by an IT Security Policy – a document that specifies the general security objectives and strategies of the company.

The proper mix is crucial

The IT security landscape is changing at a rapid pace. Hackers are constantly developing new attack methods and discovering new vulnerabilities. Despite all the implemented technology, it should never be forgotten that people make mistakes and therefore represent an easy target. Only a multi-layered approach that includes both a carefully coordinated mix of technologies and extensive organizational measures can successfully counteract the attacks and vulnerabilities. There will never be one hundred percent protection against cyber threats. But the inevitable residual risks can be reduced to an economically acceptable level with a comprehensive security strategy.

Olaf NIEMEITZ, Managing Director, Crocodial IT Security (Axians Germany)
