An important topic in business management, information security has become an increasingly significant issue for companies, especially in the IT sector. Actions against digital attacks must be strategic to ensure that the organization’s sensitive data is secure.
The big concern is that any flaws found in IT networks and systems could pave the way for bigger problems. As an example, in 2015, such an error exposed 4 million US federal employees. This shows that large corporations and even government agencies are susceptible to cyberattacks and security breaches.
Small and medium-sized businesses can also lose their data to cybercriminals, mainly due to the greater vulnerability of their systems. Therefore, it is essential that managers understand the importance of the subject, as well as all the points, techniques and information involved to improve business protections.
In this article, we will show you how to increase digital security in companies. For this, it is necessary to understand the concept, its principles and importance, the legal penalties involved, and the value of the investment. In addition, it is essential to verify the need to hire specialized companies and know what to evaluate at this time.
What is information security & cybersecurity?
The IT department of each company works with different types of technologies for data management and storage. Much of that information is confidential and needs to be protected by digital security policies. These guidelines determine the most effective strategies and procedures for data processing.
There are several concepts regarding the area of InfoSec (Information Security), but we will use this one: information security comprises a set of practices, resources, systems, skills and mechanisms used to protect any and all types of company data and systems against criminal attacks, unauthorized user access, and misuse of organization information. These techniques also aim to prevent data hijacking or loss.
But what’s the difference between information security and cybersecurity?
a. Information security
The term ‘information security’ is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
It is necessary to understand that information security is considered a part of the InfoSec area. In this case, data does not need to be on a computer or on the internet to require an information security control. Even if the data is on a USB stick, once the device connects to the company, it will need to go through a strong information security framework.
Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems and sensitive information from digital attacks. If someone on the other side of the world manages to break into a company’s network and breach its system, that company needs better cybersecurity.
Did you notice the difference between cybersecurity and information security? Although many people still consider them the same, they are very different, especially in the technical approach with which they are handled and remediated. Their capabilities are also different. Both protect against information and data being stolen, accessed, or altered, but the similarities end there.
Cybersecurity deals with the protection of data and information from external sources, coming exclusively from the internet. Based on this information, we came to this conclusion: not all information security involves cybersecurity, but all cybersecurity involves information security.
Having these premises defined, we’ve listed best practices that the InfoSec area needs to carry out:
- Prevent and combat cyberattacks
- Identify and recover vulnerabilities in IT systems
- Protect data stored virtually
- Determine rules for information management
- Control user access to corporate data
In this way, digital security includes not only the data itself and its storage media, but also the coordination of user systems. This means that it is not restricted to the IT structure and its components, as we will see later.
It is important to understand that no organization is capable of achieving 100% control over information security threats. One of the main reasons is the constant innovation and evolution of hardware and software.
Gartner experts estimate that cybersecurity transformations will demand new types of strategies and skills to overcome attacks. In addition, they warn about the impossibility of containing all threats equally – therefore, it is necessary to prioritize what is most important at the moment.
According to experts in this area, investments in information security should be equally divided between prevention and problem location. While it is not possible to avoid all attacks, it is important to know how to overcome and resolve them as quickly as possible.
What are the components of information security?
This context involves all company resources in some way. Among them, we can mention computers, software, hardware, networks and even employees. Each of these elements plays an important role when it comes to data protection.
Machines are the main forms of data control in companies. Through them, information is created, stored or modified. Therefore, it is very important that they are adequately protected from threats. Specific software and hardware may be used for this purpose.
The main types of software used to ensure information security are developed to act as:
- Anti Ransomware
Overall, they help filter content and recognize potential threats to data integrity. The features make it impossible for attackers to find and take advantage of any server vulnerability that could trigger an attack.
When we talk about hardware and information security, the firewall is a company’s main ally. It can also be found in the form of software — both with similar purposes.
As hardware, the firewall offers a series of specific functionalities that provide better system management. In addition, the processing power of this hardware is superior to that of the software version.
It is essential that the company’s entire team is aware of the security rules, to avoid failures that become gateways for cybercriminals. The reason for this caution is that when a person violates the rules, they open a breach in protection and compromise the entire network.
There are also professionals who work directly in the management and execution of information security routines and activities. These people can be hired by the company or be part of the team of outsourced partner organizations.
In general, engineers and security analysts are responsible for developing and planning best practices for protecting company data. Security technicians, on the other hand, must implement and execute the programmed actions.
The work also includes managers, who are in charge of disseminating and multiplying surveillance practices throughout the organization, so that they are rigorously complied with.
Why is digital security so important?
Security threats arise at almost the same rate as innovations come to market. And business leaders, busier than ever expanding and innovating their businesses, often ignore the importance of security needs. A serious oversight—or short-term savings attempt—that exposes the entire company to attack.
Leaders must never forget that information, whether digitized or not, is at the heart of any organization, whether it be business records, personal data or intellectual property. It can be kept in many places and accessed in different ways.
It is crucial to innovate, transform and start disruptive processes, but just as important is defending and protecting the organization’s data. We often hear stories of computers and networks being hacked and that this leads to massive amounts of money being lost or confidential data falling into the wrong hands — often sold on the dark web.
These illicit acts caused some companies to stop their operations for several reasons, such as:
- Loss of capital caused by an intrusion
- Ransomware, that is, systems and data that are made unavailable and only released by cybercriminals after payment for the hijacking
- Brand weakening once news of the intrusion leaks to customers
- Lawsuits from customers, upon discovering that their personal data or information about a highly confidential new product has been compromised
No matter how big or small a company may be, it is vitally important to ensure information security, both for operational and customer data.
Careful planning, implementation, monitoring, and maintenance with strict controls and procedures are necessary to protect all assets—especially data—an extremely valuable asset to any organization.
Information security in business
The issue of security in data collection, treatment and disposal processes is more serious than one might imagine. A survey by the University of Maryland, United States, concluded that, on average, hackers attack every 39 seconds. That is, while you are reading this topic, it is quite likely that at least one hacker has tried to circumvent your virtual defenses.
These are reasons that justify investing in information security that can not only protect your data but also protect your online transactions. After all, attacks are not free and, in general, malicious hackers seek to profit from their actions.
Information leakage is a real and growing problem. Every month, news about leaks of confidential information becomes public. These are the known cases, that is, those that have a visible impact.
But there are even more similar incidents taking place on a daily basis, and the vast majority of information leaks are accidental: they are not just the result of malicious actions. Unintentional data loss is perhaps the most dangerous, because those affected are not necessarily aware of or able to act on the problem.
The loss of information can represent a very high cost to organizations. This failure generates direct and indirect costs: the intellectual property or industrial information itself, in addition to the cost of dealing with the consequences of the loss. Indirect losses include loss of credibility, loss of competitive advantage and regulatory transgressions.
Is it possible to change employee culture?
The increasing risks of information leakage are often triggered by corporate scandals in which sensitive information is released. As most of these cases demonstrate, breaches do not result from malicious wrongdoing, but from employee attitudes, which inadvertently put their companies at risk.
This can happen, for example, when employees send email messages with files or content that they don’t know are confidential. Another example is employees who deliver private company files to some external email or copy them to mobile devices and, consequently, expose internal information in untrusted environments.
In addition to implementing security mechanisms, it is crucial to train and educate staff in order to change the culture of the entire company so that everyone does their part – which involves ethics and moral integrity.
And as for the new laws, are we protected or will we be penalized in cases of negligence?
In an attempt to standardize the rules, mitigate security and privacy issues and reach a consensus, Europe launched the GDPR (General Data Protection Regulation), making it mandatory worldwide since May 2018.
So, if you have an e-commerce outlet and sell to any country in the European Union, your business needs to be GDPR compliant. Penalties under the GDPR can reach 20 million euros or 4% of the company’s annual gross revenue (paid to the government), along with restriction of rights and payment of indemnities (paid to the injured person).
In Brazil, the General Personal Data Protection Law (LGPD), enacted on August 14, 2018, was inspired by the GDPR. It provides for compliance and establishes a framework for adopting best practices, privacy, governance, and rapid resolution of digital security issues.
What are the benefits of investing in information security?
According to the IBM 2020 Cost of a Data Breach Report, information security breaches cost companies $3.86 million on average. Here, then, is the first benefit of investing in systems and defenses that protect data: savings.
Not least, companies that keep their customers’ critical and personal data safe are less at risk of image damage. In this aspect, it must be considered that credibility is something difficult to conquer and that, once lost, it is difficult to recover.
A good example of this is the sports brand Under Armour. In 2018, they suffered an attack that resulted in the passwords of 150 million users of the MyFitnessPal app being leaked. In the second half of the year, the company reported a loss of US$ 125.8 million, ten times more than a year earlier.
Not to mention non-material damage and loss of trust, which are much more difficult to account for. So, it is very prudent to consider investing in information security. Below are some of the benefits related to this practice.
1. Prevents DDoS attacks
Distributed Denial of Service (DDoS) attacks are particularly dangerous because, in them, attackers make it impossible to access the attacked systems. They do this with a variety of techniques that overload traffic, making any kind of operation in an online system unfeasible.
The challenge is to anticipate this type of attack, which never happens the same way twice. This unpredictability means the information security team has to redouble its efforts to predict failures and implement secure access protocols.
In this way, any investment made to prevent DDoS attacks will always be welcome, given its very high potential to cause damage.
2. Protects against Ransomware attacks
Ransomware-type attacks are a kind of virtual hijacking. The difference here is that rather than people, cybercrime targets data, which is accessed and encrypted without authorization. As a result, the people duly authorized to access the data lose access to it, and a ransom is charged to restore it.
By protecting your company from this type of attack, you also prevent yourself from major losses. That’s because according to a survey by Safety Detectives, it is estimated that the costs of this type of cybercrime, in 2021, will reach an impressive US$ 20 billion.
3. Ensures blockchain security
Although it is considered a secure environment, the blockchain also serves as a target for possible attacks. In them, attackers are targeting cryptocurrencies, which generated, in 2017, a loss equivalent to US$ 2 billion, according to Brazilian magazine Época.
Considering that not only individuals but also companies are increasing investments into this financial asset, it is worth paying attention to measures that protect them from cyberattacks. There are even software and resources developed exclusively for data protection in this environment, such as Kaspersky’s.
4. Complies with GDPR
Finally, as an added benefit, by investing in information security your company guarantees that it will comply with recent General Data Protection Regulation (GDPR). In addition to ensuring reliable transactions and the correct treatment of your customers’ data, you also avoid financial losses.
After all, the law provides heavy penalties for those who do not comply, fines that can reach 2% of annual revenue. It should be noted that these fines will only be effective from August 2021, so the sooner you invest, the more time you will have to adjust your processes based on the new law.
What are the principles of digital security?
With all the difficulties and precautions presented, the teams responsible for digital security face several challenges on a daily basis. They must quickly adapt to the new conditions necessary for business continuity and, at the same time, they must be prepared to face increasing problems in a hostile environment.
Professionals in the area must learn to work with the main and most modern technological trends, as they are thus able to maintain the protection of the entire corporate system.
To facilitate the process, here are some pillars that define how companies can ensure their professionals meet compliance standards:
- Confidentiality: The principle of confidentiality defines that information can only be accessed and updated by people with authorization and accreditation to do so. Thus, it is important that companies have information technology resources capable of preventing unauthorized users from accessing confidential data — either maliciously or by mistake.
- Reliability: This foundation attests to the credibility of your information. This feature is highly important as it guarantees the users as to the quality of data with which they will work.
- Integrity: Integrity ensures that information will not be modified in any way without a trusted contributor authorizing the action. Ensuring that data will not be altered during transit, processing or storage is a very important principle for information security. Thus, the data remains intact throughout the entire process. For example, this pillar certifies that all recipients will receive the information as it was sent.
- Availability: The availability principle ensures that information is available to users exactly when they need it. For this, software, hardware, connections and data must be offered to those who will use them, so that people have access to what they need. It is important to highlight that this pillar is directly linked to confidentiality. After all, to make information available, it is necessary to respect the rules established by information security.
- Authenticity: Ensuring data protection with authenticity means documenting through appropriate records who made updates, accessed and deleted information so that there is reliable confirmation of authorship and originality.
All the particularities of information security must be in view and treated with the maximum of common sense and care so that the company’s employees and managers benefit. Likewise, the external public, such as partners and customers, also benefit from this action.
What security actions should be taken in the event of an attack?
To understand how to act in the event of an attack, it is important to know first the main objectives of malicious actions, which are:
- Disruption — affects the availability of information, making it inaccessible
- Interception — harms data confidentiality
- Modification — interferes with the integrity of the information
- Fabrication — undermines the authenticity of the data
It is also possible to classify attacks as:
- Passive — passively records any information exchanges or computer activities. Sensitive data collected during standard communication can be used maliciously in fraud, tampering, blocking and reproduction
- Active — moment in which the data collected from passive attacks or unauthorized access is used for various purposes, such as infecting the system with malware, taking down a server, carrying out new attacks from the target computer or even disabling the equipment.
Here are primary actions that can serve to protect a company’s information.
The use of logins and passwords to control access to systems is one of the most common means of digital protection, and still a very effective one. The big problem is that cybercriminals can use programs that test different combinations of numbers, letters and other characters to gain access to a corporate network.
To make breaches more difficult for attackers, users should always choose strong passwords. In any case, it is important for the IT team to monitor security errors and login accesses. Authentications performed outside regular hours may be evidence of intruders.
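One way to do the monitoring the paragraph above recommends, as an added example that is not part of the original article: a small detector run over a constructed login log that flags successful logins outside regular hours and bursts of failed attempts from one source (the signature of a program cycling through password combinations). The log format, business hours and thresholds are assumptions.

```python
"""Flag suspicious authentication events in a simple login log.

Added example, not from the original article. Assumes a constructed log
format: "<ISO timestamp> <user> <source-ip> <SUCCESS|FAIL>". Business hours
and the failure threshold are assumed values; adjust them to your policy.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample log (not real data). 2024-03-11 is a Monday.
SAMPLE_LOG = """\
2024-03-11T09:02:10 alice 10.0.0.12 SUCCESS
2024-03-11T12:15:43 bob 10.0.0.20 FAIL
2024-03-11T12:15:44 bob 10.0.0.20 FAIL
2024-03-11T12:15:45 bob 10.0.0.20 FAIL
2024-03-11T12:15:46 bob 10.0.0.20 FAIL
2024-03-11T12:15:47 bob 10.0.0.20 FAIL
2024-03-11T12:15:49 bob 10.0.0.20 SUCCESS
2024-03-11T18:30:00 carol 10.0.0.31 SUCCESS
2024-03-12T02:47:05 alice 203.0.113.9 SUCCESS
"""

BUSINESS_START = time(8, 0)          # assumed working hours: 08:00-19:00, weekdays
BUSINESS_END = time(19, 0)
FAIL_THRESHOLD = 5                   # assumed: 5 or more failures ...
FAIL_WINDOW = timedelta(minutes=2)   # ... within two minutes from one source


def parse_line(line):
    """Split one log line into (timestamp, user, source ip, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def off_hours(ts):
    """True on weekends or outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text):
    """Return a list of (alert type, user, source ip, timestamp) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # source ip -> timestamps of recent failures
    guessing_sources = set()            # sources already reported for guessing
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "SUCCESS" and off_hours(ts):
            alerts.append(("OFF_HOURS_LOGIN", user, src, ts.isoformat()))
        if result == "FAIL":
            window = recent_fails[src]
            window.append(ts)
            # drop failures that fell out of the sliding window
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in guessing_sources:
                alerts.append(("PASSWORD_GUESSING", user, src, ts.isoformat()))
                guessing_sources.add(src)
        elif result == "SUCCESS" and src in guessing_sources:
            # a success right after a burst of failures is the highest-priority case
            alerts.append(("SUCCESS_AFTER_GUESSING", user, src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the sample log this reports the five rapid failures from 10.0.0.20, the success that follows them, and alice’s 02:47 login from an outside address; carol’s 18:30 login is inside the window and is not flagged.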
Protecting corporate servers is an essential action for any company. Due to heavy traffic and the high level of power required by systems, security tools must intelligently rely on hardware resources.
The solutions applied must enable full protection against attacks, proactively and with real-time detection, consuming the least amount of system resources possible.
E-mail is a widely used tool for the dissemination of digital threats. Therefore, its protection cannot be neglected. As we will see, phishing is one of the main forms of attack, as is the sharing of attachments or links.
To use email managers on machines, it is important to take some precautions, such as:
- Providing access permissions only to authorized automated devices
- Protecting e-mail contents and attachments
- Installing robust firewalls and spam filters
It is also necessary to define guidance policies, so that employees understand good email management practices.
Backup is an essential mechanism that ensures the availability of information, in cases when the locations where sensitive data is stored are stolen or damaged. New files can be stored on physical devices or in the cloud.
The important thing is that at least two backup copies are made and that such records are kept in different places from the original installation. From the backup, it is easy to recover the information lost due to accidents or theft in a short period without major changes in the routine.
Effective security mechanisms
There are many security procedures that are logical, physical, or that combine the two possibilities for data loss prevention and information access control. The physical environment can be the IT infrastructure protected by a room with restricted access.
For this, the company can invest in special locks on the doors or in surveillance cameras. In these environments, it is essential to have cooling systems and adequate electrical installations to ensure the equipment functions correctly.
In the event of a power outage, it is important to have uninterruptible power supplies (UPS) that can guarantee the operation of the installation for a sufficient time. Telemetry equipment is also important to detect failures and issue automatic alerts to those responsible.
A digital signature is a method that uses cryptography to ensure the integrity and security of electronic documents and transactions. As most corporate files have migrated to digital form, ensuring their authenticity is crucial.
In this way, digital signatures serve to validate contracts and other content, ensuring that the author of a document has been verified and that the sender is really who they say they are.
Threats to information security
Each year, threats become more personalized and sophisticated and are able to exploit weaknesses in multiple targets. Technological advances also allow cybercriminals to transform or bypass defenses that have already been put in place.
As the level of risk increases continually, companies must always keep up to date and know the main threats to information security.
Understanding virus and malware types
On both personal and corporate devices, computer viruses serve as a nightmare to any users. This happens because the action of malicious software causes several damages, especially in large corporations.
Although every computer virus is a type of malware, not all malware is considered a virus. In the first case, attackers rely on users to reproduce the virus on their devices.
Malware, on the other hand, is a term that characterizes all kinds of malicious software that can harm a machine.
Stay informed on the characteristics of the main viruses and malware that can harm your company’s computers and information security.
File: This type of threat exclusively infects executable files of the operating system — that is, those ending in .exe or .com. They are only activated when the user opens the infected item. For this reason, it is essential to only download and open files from trusted sources, especially if they are sent via email.
Trojan: Of the items listed, the Trojan is perhaps the most popular malware. The purpose of this threat is to run passively, unnoticed by the user. The criminal can have complete access to the victim’s computer, monitoring all their activities on that device.
Bank details, passwords, files and other confidential information can be viewed and used against the company. This behavior tends to negatively affect the reputation of the corporate IP, generating undesired impacts on the business.
An example of a harmful repercussion involves the various perimeter security solutions that consult blacklists and block all traffic to and from the IPs listed on them.
Adware: Adware can look like trustworthy programs. However, after they are installed, they start to monitor the internet connection in order to trigger other malware. In addition, they allow undesirable advertisements in browsers. Another problem is that they also facilitate the practice of phishing, which we will understand better below.
Backdoor: A backdoor is typically picked up through email or web pages. These viruses open a “back door” for hackers to take advantage of the device.
The release of the threat also only happens after the infected file is executed. Thus, the machine is vulnerable to the action of intruders. In some cases, the computer becomes a kind of “zombie” and collaborates with other attacks on the internet.
Boot: Finally, we have one of the most destructive viruses. Boot affects the programs responsible for booting the computer’s hard drive. These files are essential for the correct activity of the operating system. The problem is so severe that the virus can prevent users from accessing their own devices.
Outdated software: This is one of the primary access points for cybercriminals. Outdated software represents one of the easiest ways to break into business servers, as the lack of frequent updates makes the equipment vulnerable.
Many viruses and malware target older versions of operating systems precisely because it is simpler to exploit vulnerabilities that have already been fixed in recent alternatives.
Therefore, when a user fails to download an update or keeps old software unsupported by the manufacturer, the organization becomes more vulnerable to failures and attacks. Upgrades and updates typically represent security fixes and improvements. Thus, the attack path becomes more laborious.
Leaving the virtual environment unprotected represents major problems for managers, such as loss of strategic information, leakage of confidential data, business interruptions, damage to credibility and damage to the company’s reputation.
Therefore, it is vital to maintain manufacturer support to receive all software security updates. Then encourage employees to install updates as soon as they are notified.
Phishing: This is a practice where an attacker sends e-mail messages posing as a trusted and legitimate institution — often such as banks and online transaction services — tricking the victim into providing personal information.
Despite being one of the oldest and most well-known traps on the internet, phishing still attracts many victims who make use of email.
Currently, this practice is used in Business Email Compromise (BEC) attacks. The objective is to make the managers of the target company believe that they are in contact with other executives. Thus, companies make bank deposits into third-party accounts without knowing that it is a scam. The biggest problem is that criminals leave no traces, as the messages do not have links or attachments.
Ransomware: This is a very harmful type of software that blocks access to all data and charges a ransom to return the system to normal – often in cryptocurrencies. This practice is growing, and many companies end up giving in to pressure, for fear of invasion.
However, security experts reinforce that, before any decision or payment, the attacked company should seek the help of the police or a team specialized in cyber crimes.
Cryptography: Cryptography is the study of techniques and fundamentals by which information can be transformed into unreadable forms. In this way, the information is only recognized by its intended recipients, which makes it difficult for unauthorized people to act on it.
This is one of the most important automated tools in securing networks and communications. Using the key, only the receiver can easily read and interpret the data. Therefore, encryption has become one of the main measures against the risk of theft of private information.
Firewall: A firewall is a mechanism that controls data traffic between machines on an internal network and between machines with external connections. For this, security protocols are used that guarantee the correct communication between the two systems, in order to prevent intrusive actions.
Among the attackers’ main practices are the sale of privileged information, the inappropriate use of third-party financial data and blocking access to computers for ransom.
How to configure a firewall to keep data safe?
In large corporations, with more than a thousand employees, the task of configuring a firewall is, of course, much more complex. However, in a small and even a medium-sized company it is possible to set one up with relative ease. For that, you can follow the steps described below:
- Get a firewall from a trusted vendor
- If you already have one, update it to a newer firmware version
- Establish access restrictions, if it can be configured by more than one user
- Perform network address translation (NAT) to allow internal devices to communicate on the web whenever necessary
- Configure access control lists (ACLs)
- Enable the firewall as a Dynamic Host Configuration Protocol (DHCP) server
- Test the firewall, verifying that it is blocking traffic according to the ACL settings
- Go back to the second step and update the firmware whenever possible
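The testing step above (verifying that traffic is blocked according to the ACL) can be rehearsed before touching the real device. The following is an added example, not code from the article or from any firewall vendor: it models a first-match ACL with an implicit deny at the end, as small-business firewalls commonly evaluate rules, and runs a constructed test matrix against it. The networks, the web server address and the rule set are assumptions.

```python
"""Check that a firewall ACL permits and blocks what the policy expects.

Added example, not part of the article or of any vendor's product. Models
first-match rule evaluation with an implicit deny, using constructed
RFC 1918 / RFC 5737 addresses that stand in for an assumed LAN, DMZ web
server and internet hosts.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")        # assumed internal network
DMZ_WEB = ipaddress.ip_network("192.168.20.10/32")   # assumed DMZ web server
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (action, protocol, source net, destination net, destination ports)
# Rules are evaluated top-down; the first match decides. None = any port.
ACL = [
    ("allow", "tcp", ANY, DMZ_WEB, {443}),     # public HTTPS to the web server only
    ("allow", "tcp", LAN, ANY, {80, 443}),     # LAN web browsing (leaves via NAT)
    ("allow", "udp", LAN, ANY, {53}),          # LAN DNS lookups
    ("deny",  "tcp", ANY, LAN, None),          # nothing from outside reaches the LAN
]


def evaluate(acl, proto, src, dst, dport):
    """Return 'allow' or 'deny' for one flow; unmatched flows hit the implicit deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, ports in acl:
        if rproto not in (proto, "any"):
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"


# Constructed test matrix for the testing step: (proto, src, dst, dport, expected)
POLICY_TESTS = [
    ("tcp", "192.168.10.5", "198.51.100.7", 443, "allow"),   # LAN -> internet HTTPS
    ("udp", "192.168.10.5", "198.51.100.53", 53, "allow"),   # LAN -> DNS
    ("tcp", "203.0.113.9", "192.168.20.10", 443, "allow"),   # internet -> DMZ web
    ("tcp", "203.0.113.9", "192.168.20.10", 22, "deny"),     # SSH to DMZ is not exposed
    ("tcp", "203.0.113.9", "192.168.10.5", 445, "deny"),     # SMB from the internet
    ("tcp", "192.168.10.5", "198.51.100.7", 3389, "deny"),   # RDP out is not permitted
]


def verify_policy(acl, tests):
    """Return the test cases whose result differs from the expected one."""
    failures = []
    for proto, src, dst, dport, expected in tests:
        got = evaluate(acl, proto, src, dst, dport)
        if got != expected:
            failures.append((proto, src, dst, dport, expected, got))
    return failures


# A common misconfiguration: an "allow any" rule placed first shadows every
# later rule, so the same test matrix exposes it immediately.
PERMISSIVE_ACL = [("allow", "any", ANY, ANY, None)] + ACL

if __name__ == "__main__":
    print("hardened ACL failures:", verify_policy(ACL, POLICY_TESTS))
    print("permissive ACL failures:", verify_policy(PERMISSIVE_ACL, POLICY_TESTS))
```

The hardened rule set passes every case; the permissive one fails the three cases that should have been denied, which is exactly what the testing step is meant to catch before the firmware is next updated and the check repeated.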
What are SSL certificates and what are their main types?
Used to protect information through encryption, a Secure Sockets Layer (SSL) certificate protects sensitive data that circulates on the web. This is a service provided by private companies, which issue the certificate after submitting the site to a rigorous audit.
SSL certificates are especially suitable for companies with online operations. Therefore, those who work with e-commerce or m-commerce have an almost mandatory protection and guarantee in this type of seal.
This is because, in addition to conveying more credibility, a certificate of this type guarantees the site prominent positions in Google’s organic search results. See the three most used types of SSL certificates and learn how they protect your information:
- Domain: The most popular form of SSL, domain SSL provides basic security and attests to the security of a domain. It is suitable for small businesses because it has affordable costs, since the encryption used is also basic.
- Organizational: Organizational SSLs are one level above domain SSLs. This is because, in addition to basic security services, it also provides data about the company that owns the domain. Therefore, the certificate indicated serves to validate the physical existence of the business, its credibility, as well as the security of its transactions on the web.
- Extended: Highest level of SSL certificate. With the extended model, the company can have its name highlighted in browsers, in the space before the domain. It is quite suitable for large companies and e-commerce platforms with high sales volumes.
Is it worth investing in security technology?
End-user spending on security and risk management in the Middle East and North Africa (MENA) region is forecast to total $2.6 billion in 2022, an increase of 11.2% from 2021, according to Gartner. The strong growth rate reflects continuing demand for remote worker technologies and cloud security.
Those who work collaboratively in cybersecurity know that there is no such thing as a 100% secure organization. We can mitigate problems for sure, but we cannot extinguish them.
Undoubtedly, risk management should be the first plan in place in order to justify investments in information security.
Another point that will require a lot of investment worldwide is data privacy and, of course, the heavy fines that follow if a company does not comply with the new governance policies, driven mainly by GDPR compliance requirements.
Once a customer’s information is leaked, nothing can be done about it. You can file a complaint, inform the authorities of the infraction and hope that the law will reimburse part of the damages caused, but that sensitive information will remain lost. The only recourse is to work diligently and prevent future leaks.
Here are some tips to avoid a security breach in your company:
- Decrease threats from former employees by performing rigorous security checks before they are hired and after they leave
- Change passwords when any employee who had access to confidential information leaves the company
- Conduct a security check on all official and unofficial accounts and former employee mail at least once a month
- Keep a regular check on the company’s confidential information flow
- Improve internal systems and ensure that your company’s Human Resources and IT departments work together to protect vital information
- Collect workplace feedback from employees on a regular basis so that you are able to quickly prevent any possible malicious action
- Contract security controls and information management services
- Implement a BYOD (Bring Your Own Device) policy if personal mobile devices are in use
Why hire a specialized partner to handle your security?
Success in outsourcing any business function requires defining, evaluating and establishing inputs and outputs. Using this information, an organization can approach the market and clearly specify the scope of what it needs and what results are expected.
Understanding the value of the role facilitates cost-benefit analysis. This study should justify outsourcing and take into account the cost of selecting the best company. As information security systems are increasingly technical, the solution that protects them usually involves:
- Security products such as antivirus, firewalls and intrusion detection
- Security services, such as security event management
- Penetration tests
- Incident response test
While products and services can be significant components of an organization’s security solution, they alone are not everything. Expertise can and should be guaranteed through an SLA (Service Level Agreement).
This document regulates policies, standards and guidelines and is ideally funded by an organization’s executive committee.
Given the scale and natural dominance of business rules, outsourcing is extremely difficult, but it needs an SLA regardless. Methods of detecting incorrect operations and system or infrastructure failures require more specialized knowledge.
Factors that contribute to these decisions include legal obligations, cost-benefit projections, risk analysis and intangible benefits, as well as ethical obligations regarding the data’s content.
The financial side
To allow your board to approve the cost of information security without needing to understand the underlying technology, the relevant factors are often translated into currency, commonly understood as monetary risk. This translation, however, is often incomplete and always requires further interpretation, considering the substantial investments typically required in the initial stages.
The initial purchase of firewalls and basic IDS (Intrusion Detection System) installations may generate significant expense, and it may not be apparent how this cost shields a business from further expense.
Since such a flawed decision-making method may fail to highlight the actual risk to the business, it is vital to recognize that taking some security action is better than doing nothing at all.
Many of the countermeasures purchased may meet an obvious requirement for the trained engineer, but the level of investment is often not balanced. The level of risk may justify a significant allocation of funds, but it is not always possible to distribute these funds in the most efficient way.
After all, initiatives can be complex or their impact difficult to understand. For example, it is a challenge trying to justify why security breach X, which never occurred, can be more dangerous and expensive than security breach Y, which occurs monthly but is not dangerous, as the system already detects, treats, and erases any remnants.
What to consider when hiring a cybersecurity service?
It is common to outsource areas of security operations. However, a dedicated team is often not guaranteed and, to avoid unpleasant surprises, some points need to be considered. For starters, what will the provider do for your organization?
A good MSSP (Managed Security Service Provider) will not only examine your firewall, antivirus and patches, but will also take a holistic view of how it protects its customers and ensure it is in a position to implement the necessary changes to the organization, encompassing:
- Technology ― UTM, firewall, wireless, VPN, best practices and patch management
- Management ― risk management, processes, auditing, reporting and training
- Adaptability ― disaster recovery, business continuity, business resilience
- Compliance ― a natural consequence of complying with the steps described above
The mastery of technical knowledge, according to the needs of the business, ensures that the MSSP company has people who are experts in one or more areas of digital protection. Furthermore, you must confirm the right level of education, training and capacity of the people who will be allocated to the project.
The human element
Another important issue is to verify that the outsourced company has the capacity and qualified people at all levels necessary for the service of your organization, ensuring a good flow of service. Additionally, consider what this company will do to make your life easier. There are changes that will be recommended by an MSSP for two reasons:
- The systems you have in place are not doing the job properly and need to be replaced with more secure systems
- The systems used cannot be supported by the MSSP, because it does not have a specialized team to manage them
So if you’ve just purchased a firewall and the MSSP wants you to replace it with another one, the problem is the MSSP, not the firewall.
Also, never forget that the company to which you outsource your digital security is a partner. It is there to protect your data, your infrastructure, customers and staff, and you pay for this service. So make sure that all parties involved understand their obligations by putting everything into the SLA in detail.
Finally, check how much it will cost. Does your company have the budget to make the monthly payment to the MSSP? This monthly cost needs to be negotiated as well, not forgetting possible readjustments. The cost of an MSSP SLA should include monitoring, management, and reporting, but not out-of-scope projects. So be careful before closing a contract!
Standardization and its limits
Standardization can provide a great help in improving a company’s security posture. However, an organization that relies only on standards to ensure security is likely to have a gap depending on the realities of the relevant threat landscape.
Outsourcing security operations is an excellent option for companies that cannot reliably dedicate the required personnel. To this end, it is important to build a partnership with a managed security provider who will set realistic expectations about their cost and their ability to meet your needs. When possible, the scope of security functions should focus on clear objectives to keep projected costs manageable.
Operational tasks should be designed around the organization’s needs, not around what the service provider can manage. Concessions can be made to a preferred vendor, but defining the target state for security operations makes it possible to quantify those concessions and, if necessary, outsource to an additional provider elsewhere.
Outsourcing security in its entirety is not feasible. All organizations must have at least one security role assigned. While the person holding the role may not be dedicated solely to security, training must be provided to ensure an appropriate skill level. Any third-party engagements for support services must be managed by this role. To maintain a level of protection close to the outlined objective, a security expert needs to define checks and balances.
Penetration testing is in many cases a specialized outsourced service. It’s a complex demand and there’s significant value in doing it independently. It also produces a deliverable in the form of a report that makes it easy to justify. We must remember, however, that it is not the whole picture.
Penetration testing does not account for operational practices that can introduce new vulnerabilities as quickly as old ones are removed. Often there is no evidence that the individual performing the test is adequately qualified to do so, nor proof that most of the vulnerabilities present have been discovered.
Why should tests be continuous?
Regardless of which security function is outsourced, testing should be an ongoing assurance measure. Operational teams have to be subjected to social engineering attempts and simulated incidents to ensure their response is appropriate.
Known vulnerabilities need to be built into applications before penetration testing begins to ensure they are reported. Of course, testing is necessary even when security is internally sourced in its entirety, but it need not include testing the outsourcer’s competence, as the competence of in-house personnel should already be well understood.
Security components can be delivered effectively by third-party partners, but it takes more than hoping for the best. Outsourcing security components, like any business decision, must consider all impacts and risks. You need to complete due diligence, manage risk, implement mitigations and, of course, monitor built-in assurance controls.
Protecting the devices responsible for storing and processing data is essential to maintain information security in the company. It is important to remember that this action covers many aspects: technological, legal, physical, virtual and human. By seeking best practices, it is possible to maintain the quality and financial health of the institution.
Let Stefanini be the right security partner for your business
We’ve come to the end of this super-complete guide to information security confident that you now have the knowledge you need to protect your data. Remember, information security is a dynamic process, so keeping up to date with the latest innovations is critical.
Stefanini uses a co-creation model to ensure that your company receives a cybersecurity solution that can meet your unique needs.
Contact us and speak to one of our experts!
This article was originally created and posted at https://stefanini.com/pt-br/trends/artigos/guia-sobre-seguranca-da-informacao and translated to English.