Top Tips: How to get the basic security measures right

Top tips on getting the basic security measures right to reduce the potential risk.

[image_library_tag da88445e-e157-4615-bc6c-8c96d30f9f54 161x225 alt="03-06-2015-how-to-get-the-basic-security-measures-right" title="03-06-2015-how-to-get-the-basic-security-measures-right" width="161" height="225"class="left "]Garry Sidaway is the SVP, Security Strategy at NTT Com Security, and is a respected thought leader on security issues affecting business growth and development. With over 20 years’ experience in the IT industry, Garry’s focus is on meeting business needs through the development of managed security services, business infrastructure, consulting and technology integration solutions worldwide.

Garry has also worked across a wide range of industries, giving him a unique insight into business risks and information security. Previously, Garry has been involved in information security at Axent Technologies, and as a lead software engineer at Racal Defence Systems, he developed key software solutions for the military.

Garry shares his top tips on getting the basic security measures right to reduce the potential risk.

A week doesn’t go by without us hearing about a security breach. In 2014, we saw Adobe, Target, eBay and DropBox fall victim to cyber-attacks and the Heartbleed bug affected the majority of organisations across the globe.

Attacks are getting more advanced and attackers are getting smarter, making every organisation immune from safety. Some vendors and analysts believe it’s now a case of when, not if, your company will be hit. 

The problem is that enterprises are not doing enough to protect their data in the event of an incident. In fact, many are falling behind with the basic controls required to provide a solid foundation for security programmes. 

If we all know that threats are constantly changing, why aren’t businesses more proactive? Implementing the basic controls will enable organisations to better detect a breach as well as minimise the risk of future exposure.

We will never be able to have 100% security, but we need to put risk in context to ensure that we protect the critical assets. Here are five ways to get the basic security measures right:

Assess the baseline - Getting the basics right is essential to ensure a comprehensive and scalable security posture for your organisation. With an increasing array of technology assets employed to protect the organisation, it is crucial that each one fits into a comprehensive enterprise security architecture and to ensure efficiency in reducing potential threats and vulnerabilities.

Performing a baseline assessment will ensure the correct security foundations are in place to help you get the best from your security investments. Whether you want to evaluate the effectiveness of current deployments or set regular checks for ongoing performance, a baseline assessment provides the information needed to get the most out of your information security assets.

These assessments can focus on key aspects of information security, from firewall configuration right through to secure authentication.

Scan the environment - One of the most important basic practices is vulnerability scanning, where a security assessment is conducted to scan the customer’s environment. These tests are highly automated and there are several tools that can be used to find services, OS patch level, application patch level and the vulnerabilities they expose. Intelligence of this kind is invaluable as it offers insight into how real attackers could use vulnerability information to gain access to data assets. But running a vulnerability scan on its own is not enough, the results should be analysed and assessed against your critical assets.  This approach ensures that risks are put in context and valuable resources are focused on mitigating the right risk.

With the regularity of vulnerabilities increasing, every IT department should also analyse and correlate logs across not only their security devices, but also their critical business systems. Routinely checking and correlating logs gives firms the ability to access greater threat intelligence to learn from as well as identify statistics and trends over a period of time to predict future risks.

Plan for a breach - Incident response plans are critical for minimising the impact of a breach. Complex threats such as APT (Advanced Persistent Threats) are difficult and time-consuming to unpick and may require specialist knowledge and resources to comprehensively resolve. By having a well-defined plan, and recognising that security incidents will happen, organisations will be better prepared to handle incidents in an effective and consistent way.

Essential to every business with intellectual property, an incident response plan is a formal process that defines an incident and provides step-by-step guidance on how to handle a future attack. In order to limit damage and reduce recovery time and cost, it needs to be kept up-to-date and then shared among relevant personnel. Tests should also be performed regularly to ensure people understand their roles and responsibilities.

Collaborate with a trusted partner - Working with a trusted provider can help you implement these basic security measures. The good news is that more businesses are starting to collaborate with Managed Security Services (MSS) partners to access intelligent information for active threat management. An MSS partner, which typically has access to collective global knowledge and systems, provides visibility and control to manage information security risk – and therefore is able to actively notify customers about potential threats and proactively mitigate them. Most companies have applications that they don’t want to touch and can’t lockdown roles and responsibilities. Collaboration will allow businesses to actively manage the threat before it impacts them.

Support the basics - Cybersecurity threats are actively working against the organisation’s infrastructure, applications, information and people. To face this change in the threat landscape, businesses need to ensure regular operations are performed and controls are tested on a regular basis.

Support the basics, as outlined above, with APT simulation where you follow the steps that attackers would take when profiling an organisation to try and breach its defences. In simulating an attack, you can consciously manage risk.

Governance, Risk and Compliance (GRC) also plays an important role in an organisation’s continuous risk management approach. Businesses need visibility and alignment in these areas in order to deliver effective policies, procedures and security controls as part of continuous risk management.

If your business processes card payments, for example, implement PCI DSS scanning. Recommended by the PCI Security Council, it will reduce your vulnerability footprint and remediation will be faster than organisations that don’t regularly scan. It can be clearly demonstrated that this has a positive impact on risk. Whilst it should not be seen as a tick box exercise, following good practice and regularly testing does reduce your overall risk.

It's time to get the security measures right

Sound knowledge of security and risk management should now be at the top of every organisation’s priory list. The onus is on the IT department to get the basics right if they are to protect their business against real world threats.

Crucially, in order to face the constant change in the threat landscape, organisational security must evolve to include fast, nimble and active responses. It’s evident that implementing the basic security measures will minimise the impact and cost of an incident and protect a company’s data.

When the basics of security – threat avoidance, threat detection and incident response – are done right, and with the support from a trusted provider, they can be enough to mitigate and even help avoid high-profile security and data breaches. After all, if it is your company that is targeted, you will want to see the fastest and most efficient return to business as usual.