What makes an effective IT security framework?

It’s never been more important for enterprises to focus on IT security. Cyber attacks are more in the public eye than ever, eroding consumers’ trust in brands and causing massive service disruption for data-dependent firms. Meanwhile, the regulatory environment in Europe and elsewhere is getting stricter, with much bigger penalties on the horizon for organisations that breach the next generation of data protection laws.

But in today’s digitally empowered business environment, what makes an effective IT security framework?

Old methods of securing the enterprise were developed around the assumption that organisations would always use local networks and control the devices that connected to them. But thanks to trends like cloud adoption and the use of personally-owned mobile devices for work, things are no longer so simple. It can be very difficult for today’s firms to get a complete picture of their security and compliance obligations, and to introduce rules that are as applicable to office-based employees in one department as remote workers in another.

Nonetheless, protecting sensitive and regulated data from accidental disclosure and theft still comes down to a handful of basic principles. If your organisation is looking to transition to an IT security framework fit for the 21st century, consider the following:

Technical controls

Technical controls aren’t the only component of effective IT security, but they continue to be extremely important in an age of cloud computing and distributed workforces. For one, you’ll want to have risk-appropriate and integrated access controls for each cloud service and on-premise resource your organisation uses, ensuring that employees can only view data if they’re authorised to do so. Luckily, if you’re using Windows Server alongside Microsoft Azure or Office 365, it’s easy to sync them to the same Active Directory.

Beyond access controls, developments like the cloud and the rise in remote working – which is sometimes conducted over public Wi-Fi hotspots – have made enterprises much more aware of the importance of encryption for their data. This should be applied in the following ways:

  • Data at rest: whether it’s stored in an on-premise server, the cloud or a device’s local hard drive, you should apply encryption to data at rest so that unauthorised intruders have no way to decipher and compromise it.
  • Data in transit: any traffic between cloud services, on-premise servers and end-user devices should also be encrypted, ensuring that remote connections can’t be intercepted by malicious entities also residing in the network.

Finally, your organisation should look to protect its endpoints. A common and useful tactic is to mandate the use of up-to-date antivirus software, ensuring that USB and web-borne malware won’t allow hackers to compromise individual workstations on the network.

End-user training

This ties into the next component of an effective IT security framework: the introduction of suitable policies and training programmes to prevent the accidental disclosure of sensitive and regulated data, and to protect against cyber attacks that exploit human error.

This could involve mandating the use of antivirus software on both company and employee-owned devices, as described above, and also limiting the ability to install applications to users with administrator accounts. However, it’s important not to forget the role of end-user training in improving your organisation’s IT security. Employees should be taught to spot risks like phishing attacks, know when and where they should store sensitive data, and report suspected breaches of the firm’s systems.

Keeping systems up to date

Finally, it’s hard to overstate the importance of keeping your organisation’s systems up to date with the latest patches and fixes. It can be tempting to overlook updating your technology when you’ve got more pressing issues to contend with, but the risks are significant: our latest Security Intelligence Report found that systems running expired software are four times more likely to be infected with malware than their cutting-edge counterparts.

Of course, keeping systems up to date is often a more involved process than simply installing a couple of patches. Many Microsoft customers are currently in the middle of migrating from Windows Server 2003, for example, ahead of its end of support on July 14th.

However, this kind of renewal should be seen as an opportunity to improve security – as well as other business processes – in itself: enterprises’ security and compliance obligations change over time, and it might ultimately be the case that a hybrid cloud environment suits your organisation’s current needs better than an on-premise solution did.
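As an added example that is not part of the original post: a read-only PowerShell audit that checks a single Windows host for the controls described under "Technical controls" (BitLocker for data at rest, SMB encryption and the TLS 1.0 setting for data in transit, antivirus status for the endpoint) and for patch age as discussed under "Keeping systems up to date". The cmdlets are Windows built-ins (BitLocker, Defender and SmbShare modules); the day thresholds and the $findings list are assumptions of this example, and a hybrid or cloud estate would run it per host and collect the results centrally.

```powershell
# Added example (not from the original post): read-only audit of the controls the
# post lists, run as administrator on Windows Server 2012+ / Windows 10+.
# Assumes the built-in BitLocker, Defender and SmbShare modules are available;
# the two thresholds below are assumed values, adjust them to your own policy.
$MaxSignatureAgeDays = 3
$MaxPatchAgeDays     = 30
$findings = [System.Collections.Generic.List[string]]::new()

# Data at rest: every OS and data volume should have BitLocker protection on.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
    ForEach-Object {
        if ($_.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($_.MountPoint): BitLocker protection is $($_.ProtectionStatus)")
        }
    }

# Data in transit: SMB traffic should be encrypted and legacy TLS 1.0 should be
# explicitly disabled for the server side of SCHANNEL.
if (-not (Get-SmbServerConfiguration).EncryptData) {
    $findings.Add('SMB server: EncryptData is disabled, file share traffic is not encrypted')
}
$tls10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$tls10Enabled = (Get-ItemProperty -Path $tls10Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $tls10Enabled -or $tls10Enabled -ne 0) {
    $findings.Add('SCHANNEL: TLS 1.0 server protocol is not explicitly disabled')
}

# Endpoints: antivirus must be running with real-time protection and fresh signatures.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender: antivirus or real-time protection is switched off')
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("Defender: signatures are $($mp.AntivirusSignatureAge) days old")
}

# Keeping systems up to date: flag hosts whose newest hotfix is older than the threshold.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if ($null -eq $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("Patching: most recent hotfix was installed on $lastPatch")
}

if ($findings.Count -eq 0) { 'All checked controls pass' } else { $findings }
```

An absent TLS 1.0 `Enabled` value means the operating-system default applies, which is why the script reports it as "not explicitly disabled" rather than as enabled.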