
5 Stages for the Right IT Security Management

August 14, 2018 (updated November 2nd, 2018), 7 min read

Proper IT security management is becoming increasingly important, because cybercrime is increasing. Yet many companies still have serious shortcomings in their corporate security. Find out what steps your company can take to improve IT security and what you can learn from them.

IT security management with deficits

WannaCry, Petya, WPA2 KRACK: the danger of becoming the victim of a cyber attack has never been greater than last year. In fact, in 2016 the UK National Crime Unit found that cybercrime now far exceeds ordinary crime. The figures of the Federal Criminal Police Office likewise show that in this country the number of cyber attacks doubled from 2015 to 2016. The main reason for this is that attackers are getting smarter, while companies often continue to rely on outdated systems and technologies. These are exactly what cybercriminals are looking for: they are the gateway for attacks that, in the worst case, cause millions of dollars in damage.

The “nothing will happen to us” mentality

A “nothing will happen to us” mentality is itself one of the biggest problems when it comes to choosing the right IT security measures in companies. Of course, the responsibility for security management lies primarily with the managing directors and, if available, the technical manager. But all other employees must be informed about the growing threat of cybercrime and trained accordingly. In general, the human factor is always the weakest link in the security chain. But there are other factors that play an important role in a sound security management plan. This is shown by a report published by the British telecommunications company BT together with KPMG. The report is based on the experience both companies gain in their daily business with clients and other companies.

What is IT security management?

Basically, the term IT security management, according to the Wikipedia definition, refers to all ongoing processes within a company that ensure IT security. In particular, they should prevent or ward off cyber attacks and threats to data protection. For the introduction of IT security management, companies can draw on various standards that define best practices and the actions to be taken. These include, for example, the IT Baseline Protection Catalogs of the Federal Office for Information Security (BSI) and the ISO/IEC 27001 standard.

This is where IT security management fails

The “nothing will happen to us” mentality already mentioned is one of the biggest problems in developing functioning corporate security. According to the report, small and medium-sized enterprises in particular think they are immune to targeted cyber attacks. Another factor is that the term cybercrime is still very abstract for many companies, and not everyone understands the technology behind it in every detail.

It is also problematic that all too often we deal carelessly with our data and our user behavior on the network and thus make cybercrime easier. Basically, one should always assume that nobody is invulnerable to cyber attacks. But how can you better protect yourself from attacks? And what else can you do to improve Internet security in your company?

The 5 steps on the way to better IT security management

Companies usually go through five stages on the way to better IT security management:

  1. Rejection
  2. Concern
  3. False self-esteem
  4. Paying for lessons
  5. True leadership

All of them appear in companies with different challenges, but coping with them can ultimately be crucial in protecting against cyber attacks. In the following, we summarize the individual stages in a clear manner.

Stage 1: Rejection

In the first stage, rejection, the opinion of many CEOs that their company is resistant to cyber attacks plays a major role. In fact, all companies today are exposed to low-level attacks, regardless of industry, number of employees or location. If you look back over the cyber security timeline, you see that ransomware like WannaCry and its successor Petya in particular have made headlines. That these attacks were so successful is also due to the fact that companies do not protect themselves sufficiently and sometimes use extremely outdated software that is no longer supported.

Often, companies already fail at the basics. The report therefore recommends that you first take care of the basics of IT security. This means:

  • Set up firewalls and anti-virus software and update them regularly
  • Pay attention to adequate password security
  • Create backups
  • Make sure that every employee in the company is aware of the danger of cybercrime
  • Keep an overview of all user accounts and all software in use, check that it is up to date, and document it accordingly

Stage 2: Concern

As a result of Stage 1, many companies invest in better security measures, that is, better hardware and software, or in standards and policies that govern that investment. But the problem remains the same: it is usually not the existing system that provides a gateway for cyber attacks, but the people, who are the weakest link in the computer security chain. BT and KPMG report: “It’s just as dangerous to rely on the process as relying on technology. This creates an environment where policies and test seals are king and security is just a tedious compulsory exercise.”

It therefore makes sense not to start directly with investment in new technology. Instead, you should first review the status quo of enterprise security. Likewise, it is important not to focus only on a subset of security measures. To this end, prioritize which measures really make sense, both technically and economically. Usable business solutions are equally important: it does not benefit anyone to buy high-end technology that nobody in the company can operate in the end.

Stage 3: False self-esteem

Of course, nothing speaks against investing in better hardware and software. However, keep in mind that these systems also require regular maintenance. It is not enough to invest in new security technologies if they are not updated regularly. Often, existing security policies are outdated and may no longer even fit the current corporate strategy, true to the motto: never change a running system.

At this stage, companies like to lull themselves into false confidence. It is therefore important to make sure that you have considered all possible scenarios. For this purpose, a process should be set up that regularly reviews the cyber security strategy and the underlying policy. If the policy no longer fits the needs and requirements of the company, it must be changed. As a first step, the available standards (such as ISO 27001 or the IT Baseline Protection Catalogs mentioned above) can be used. Only then should the investment in new system components be made. Support can be provided either by security specialists working directly in the company or by external security service providers.

Stage 4: Paying for lessons

For many companies, the day comes when they face a cyber attack. Such attacks force companies not only to think through potential attack scenarios, but also to have a response ready. For this, understanding the security architecture is immensely important. This includes answering the following questions:

  • How do all these devices and the software work together?
  • How do you react to common attacks?
  • Where are there overlaps or gaps?

It is also important to deploy new IT security measures as quickly as possible, so that they are not already outdated by the time they are finally in use. Of course, this involves some effort, and not every company can do this work itself. At this point, it makes sense to seek expert advice. Do you need help or advice on IT security? Then contact Bleuwire™, one of the best IT service providers.

Stage 5: True leadership

Companies that have reached the stage of “true leadership” think differently about corporate security. They no longer view IT security management as just a checkbox to be ticked off in the annual corporate report. These “true leaders” also recognize that they are part of a community facing a growing number of cyber attacks. The problem is that very few companies talk about their experience after a recent cyber attack. Only when an attack is reported, for example to the Federal Criminal Police Office, can the authorities warn other companies and reduce the success of cybercriminals.

A community only works through mutual give and take. The report therefore recommends building a network of trusted sources that work together to curb cyber attacks. For this, IT security management should be made a constant issue, treated like any other business decision.

IT Security Management: From Rejection to True Leadership

Cybersecurity is a hot topic that companies need to pay more attention to. As the report by BT and KPMG shows, many companies go through five stages on the way to better corporate security: from rejection to concern, false self-esteem, paying for lessons, and true leadership.

Do you need an IT security concept that perfectly fits your requirements? Then contact Bleuwire™. Whether anti-virus or firewall management, they handle all the IT security tasks in your company.