For Board Level Execs: An enterprise security strategy in three easy stages – part two
In part one of this blog, we discussed the three questions board level execs should ask of their cyber-security team.
Now, let’s look at those three questions in a little more detail.
This is all about how you stop security breaches in the first place. In the analogy of a home, this would be tools such as door locks and the burglar alarm, and policies such as locking up and setting the alarm when you go out.
In the enterprise, the prevention tools are:
- Firewalls: If yours is old, it is time to revisit it. In the last five years we’ve seen the firewall evolve into a cleverer, more capable version of its older self. Now the device on the edge of your network might also perform functions that were previously handled elsewhere, such as intrusion detection, anti-virus duties, and many others.
- Anti-virus systems. Too often we still see partial implementation of this technology. AV needs to be implemented on all relevant platforms, and coupled with an auto-update policy that makes sure all user systems are up to date.
- Access control systems – these technologies control who is allowed onto the network, interrogating new network clients before they connect and ensuring that they will not compromise security.
- Physical control systems – locks and access control on server rooms and other sensitive spaces, so that only those who need access to the servers can reach them.
- Policy tools – rules about use of the network, such as what people should do when connecting to wireless networks, where they can go, what is acceptable use, etc.
Many businesses base their security around firewalls and anti-virus solutions, and consider themselves covered. Often, these organisations looked at areas such as access control and intrusion detection some years ago, and were put off by the (relatively) high prices when those technologies first became mainstream. If that’s you, it is time to look again. The cost of these solutions is much lower now, and the evolving threat means that these elements are essential even in a modest enterprise.
At home this is about your eyes and ears, and burglar alarms or listening services.
Intrusion detection in your network is about having policies and systems that alert you when unusual activity occurs, or when there is a clear attempt to breach security.
Detection systems are looking for unusual activity or traffic patterns, or looking for attempts to break in. They will spot attacks and will raise an alarm accordingly.
Detection systems should also be focused internally. Many security breaches are internal. Grant access to systems only where there is a genuine need, and make sure that internal attempts to crack security are spotted.
If there is a breach, how fast can we fix it?
At home, this is really covered by your alarm response service, your local police force, and then by your insurance policy.
Within the enterprise, this area is covered by the disciplines known as business continuity and disaster recovery.
Business continuity is about the resilience built into your systems that allows you to keep operating in the immediate aftermath of a major disaster. There is no “one size fits all” answer here, and the questions are not technical ones; they are really about business operations.
Disaster recovery is about how fast you can recover to a position where the impact of the incident has been eradicated. In cyber terms, this is about having good, appropriate, and well-tested backup solutions. Increasingly this means off-site, cloud-based backup services. I can’t emphasise enough the need for testing here. I’ve helped some surprisingly big and well-known names recover from data losses that everybody thought could not happen; the systems had been put in place but not tested regularly, and had slipped.
This should be coupled with regular reviews of policy and strategy for security, and a “what did we learn” review whenever there is an incident.
As we said in part one, there is no perfect solution – security is a constantly moving challenge. However, you can assess your own organisation’s readiness today by asking those three questions about prevention, detection, and recovery. I bet you’ll be surprised by the answers you get.