We do really need to think about security. Properly.

I have just returned from an IT directors forum (conveniently held on a cruise ship) where I had the pleasure of meeting many IT security experts and sharing their thoughts and experience.

The frequency and complexity of cyber attacks, and the skill behind them, are increasing rapidly. The attacks are also becoming more and more targeted, i.e. criminals are specifically choosing you, learning about you, then crafting specific methods to steal your data.

You need to think carefully about this. The people I spoke to over the last few days talk ‘when’, not ‘if’. Their opinion is that it will, without doubt, happen to you.

So what can be done about this? Some people say ‘nothing’ – if a determined hacker wants you, they will get you. Obviously they are not suggesting you do nothing, but you have to design your systems and processes on the assumption that a breach will happen.

The first stage is to understand what information you hold and how important it is. What is the impact if someone does steal it? A good approach is to put your assets in bubbles of criticality, allowing you to better protect the parts which really matter. Then work out how information enters and leaves each bubble; you may well have one bubble inside another.

Protecting only at the perimeter is not the solution. You are more likely to suffer a data breach through an insider, or through an attacker who has already compromised an insider’s account, than through a direct attack on your perimeter.

I feel that all the talks I have been to are mostly aimed at larger businesses. However, SMEs now really have to start thinking about this too. It can be difficult to set aside the time to think about it, and even harder to start implementing changes.

There was a time when people thought their systems were secure because they enforced password expiry every 90 days. Even that felt painful to users.

There are no simple answers, unfortunately, and you have to think through your entire plan from top to bottom. However, here are some pointers to think about:

  1. Patch your servers. Regularly. Always.
  2. Segment your network. Does your HR database need to be on the same LAN as all your users? Isolate it, along with the people who need access to it.
  3. Think about the access permissions on your files. It may be easy to give everyone access to everything, but they don’t need it, and malicious code running under a compromised account will gladly take everything that account can reach.
  4. Take away all those Administrator rights. If you need admin rights, set up a separate account and use it only when you need to.
  5. Take away admin rights from services too. Use dedicated service accounts for everything. Too many times I see a SQL Server running as the domain administrator. It doesn’t need it. Every service should have its own account.
  6. Vet your staff. And make sure they are happy.
  7. Don’t leave easy workarounds in important processes. If staff circumvent it, an attacker certainly will.
  8. Take the quick wins – e.g. disk encryption (BitLocker is great!), but think about removable media too (again, BitLocker can really help here, via BitLocker To Go).
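As an added example (not code from the original post), here is a PowerShell script that audits a single Windows host against pointers 3, 4, 5 and 8 above: SMB shares that give broad groups write access, membership of the local Administrators group, services running under named or administrative accounts, and BitLocker status for every mounted volume. It assumes an elevated prompt on Windows Server 2016 or later (or Windows 10 or later, so the LocalAccounts and SmbShare modules are present) and that the BitLocker feature is installed; the group list, the "built-in" account list and the severity labels are my own choices, not anything from the post.

```powershell
# Added example, not from the original post: a quick audit of pointers 3, 4, 5
# and 8 on one Windows host. Run from an elevated PowerShell prompt.
# Assumes Windows Server 2016+ / Windows 10+ and that BitLocker is installed.

$report = [ordered]@{}

# --- Pointer 4: who holds local admin rights on this host? ------------------
# Every principal listed here is one whose compromise hands out admin rights.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
$report['LocalAdministrators'] = $admins
$adminNames = @($admins | ForEach-Object { $_.Name })   # "HOST\user" or "DOMAIN\user"

# --- Pointer 5: services running as a named (human or admin) account --------
# The built-in virtual accounts are expected; any other account gets a look,
# and anything running as Administrator or as a local admin is a finding.
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) -and ($_.StartName -notmatch '^NT SERVICE\\') }

$findings = foreach ($svc in $services) {
    # Normalise ".\user" to "HOST\user" so it compares with the admin list above.
    $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $isAdmin = ($acct -match '\\Administrator$') -or ($adminNames -contains $acct)
    $severity = if ($isAdmin) { 'HIGH: runs with admin rights' } else { 'Review: named account' }
    [pscustomobject]@{ Service = $svc.Name; Account = $acct; State = $svc.State; Severity = $severity }
}
$report['ServiceAccounts'] = $findings

# --- Pointer 3: shares that hand broad groups Full or Change access ---------
# Write access for everyone is exactly what malware running as any compromised
# account needs. Administrative shares (C$, ADMIN$) grant BUILTIN\Administrators
# only, so they are not flagged by this filter.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$openShares = foreach ($share in Get-SmbShare) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { ($_.AccessControlType -eq 'Allow') -and (@('Full', 'Change') -contains $_.AccessRight) } |
        Where-Object { ($broadGroups -contains $_.AccountName) -or ($_.AccountName -match '\\Domain Users$') } |
        Select-Object Name, AccountName, AccessRight
}
$report['OverlyOpenShares'] = $openShares

# --- Pointer 8: is data at rest actually encrypted? -------------------------
# Lists fixed volumes and any removable drive plugged in right now;
# ProtectionStatus 'Off' on a data volume is a finding.
$report['BitLocker'] = Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus

# --- Print the report -------------------------------------------------------
foreach ($section in $report.Keys) {
    "`n== $section =="
    if ($report[$section]) { $report[$section] | Format-Table -AutoSize | Out-String } else { '(nothing found)' }
}
```

Run it on each server in turn; a domain-wide view (for example, checking service accounts against Domain Admins membership) needs the Active Directory module and is deliberately left out here so the script works on a stand-alone host.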

The next interesting thing I learnt about is crisis management. Hell, if they say your data will get stolen, you may as well prepare to deal with the crisis when it happens (assuming you know you’ve been breached; it’s more than likely you won’t even know).

Some things I took away from it were:

  1. Train your staff. Make sure a consistent message is portrayed to customers (or journalists).
  2. This is no longer just IT’s problem; they won’t be able to fix it for you.
  3. Respond fast – really fast. Seconds matter now. Social networks let people talk about you very effectively, and a message travels fast, so make sure it’s the right message. Oh, and be humble and concise too.

Getting all this right takes time. Many people I know are looking at ISO 27001, which is a good thing. But it’s tricky to do, time consuming and can be expensive. However, what I am also finding is that customers now expect and require it, especially if you are collaborating with someone else who is certified: customers will expect the whole chain to be certified.

So start thinking about IT security now and start making changes. This will forever be an evolving landscape – you won’t be able to fix it once and be done; it’s a constant battle you need to fight and be ready for every day.

Some other points that were brought up at the event; some I found amusing, but they are actually valid and thought provoking:

  1. Bugs – they can be bought really cheaply now. What’s inside that new plant pot you received from a random person? What have you been discussing near it recently?
  2. ‘I only manufacture toilet rolls, why would anyone be bothered with me?’ I presume you have competitors? What if they knew all your cost prices and the supply details you have with your customers? Wondering why you’re losing out on a load of deals? Maybe they know what you are offering. What if your complete accounts were published online?
  3. Would your staff be pleased if all their personal details and salaries were published on a website? It’s all inside that simple old payroll system!