
Managing Risk in IT Security For Mid-Sized Companies

What are some of the main security issues faced by companies today?
This can vary quite a bit depending on the organisation and what kind of online presence they maintain, but some of the main issues are things like remote network-based attacks. There are also legal compliance issues – complying with industry-specific regulatory frameworks is also a concern for organisations. The misappropriation of confidential data or proprietary information such as trade secrets and designs is also a major consideration for organisations.

How do I decide what tools I need to implement, when they seem very similar?
The real thing driving that is the amount of security research that the vendors are investing in their product development; this is one of the key differentiators in the security industry. The vendors who are investing very heavily in original proprietary systems and security research work are able to keep their products that much better positioned to protect customers' systems and infrastructures against the kind of attack they're going to see tomorrow, and provide that kind of protection today.

I hear a lot about IT Risk Assessment being key to budgeting for security spending. How do I even begin to quantify risk?
For any given risk there are several things you can do. Firstly, you can mitigate the risk, so you can try to defend against it or control it. In a risk assessment, once you have identified the risks to your business, you can calculate something called an annual loss risk acceptancy, which is basically you putting a value on what the impact to your business would be if that risk were to happen; you then make an estimate of how many times a year that's likely to happen. Once you've multiplied these two things together you can work out how much you're likely to lose should this happen as a result of that risk, and from this you can then work out how much would be practical to spend on dealing with that risk.
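The calculation described in that answer (impact per event times estimated events per year, then comparing the result against what a control would cost) worked through in code. This is an added example, not part of the interview; the risk register, control names and figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact_per_event: float   # value of the impact if the risk occurs once
    events_per_year: float    # estimated frequency; once in 5 years = 0.2


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # yearly cost of running the mitigation
    events_per_year_after: float  # estimated frequency with the control in place


def annual_loss(risk: Risk) -> float:
    """Impact per event multiplied by yearly frequency: the expected yearly loss."""
    return risk.impact_per_event * risk.events_per_year


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's yearly cost.

    Positive: the spend is justified on expected-loss grounds.
    Negative: the control costs more than the loss it prevents.
    """
    residual = Risk(risk.name, risk.impact_per_event, control.events_per_year_after)
    return annual_loss(risk) - annual_loss(residual) - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (control name, net benefit) pairs, best first."""
    scored = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed register: the disgruntled-insider scenario the interview mentions.
INSIDER_DATA_THEFT = Risk("insider misuse of database privilege", 200_000.0, 0.5)
CANDIDATE_CONTROLS = [
    Control("least-privilege review plus DB activity monitoring", 30_000.0, 0.1),
    Control("full DLP suite", 120_000.0, 0.05),
    Control("do nothing", 0.0, 0.5),
]

if __name__ == "__main__":
    print(f"Expected annual loss, no controls: {annual_loss(INSIDER_DATA_THEFT):,.0f}")
    for name, benefit in rank_controls(INSIDER_DATA_THEFT, CANDIDATE_CONTROLS):
        print(f"{name:55s} net benefit {benefit:>12,.0f}")
```

The ranking shows the point made in the answer: the cheaper control comes out ahead because the expensive one costs more per year than the extra loss it avoids.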

Why do vendors keep trying to scare me into buying security products?
It's good that the tools are working and that nothing bad has happened, but it is still very important to keep security tools up to date. Attackers are continually researching new ways and new methods to attack and compromise systems. You should never invest in or buy security products because of, or through, vendors' attempts to scare you into buying them.

Get all your IT security questions answered by James Randell in a comprehensive interview.

What exactly is security anyway?
Security is about managing risk to your business. The idea is to manage, control and assess those risks.

How do I stop security just “getting in the way” of my day-to-day operations?
Security tools and processes can seem like they are getting in the way of day-to-day operations. This can be particularly frustrating; maybe those tools have not been properly deployed, wisely chosen or well configured. As long as we are still approaching this from a well-grounded, risk-based point of view for our business, then it's relatively easy to select proper tools and understand how to deploy them.

Where do most of the threats to an organisation really come from, outside hackers or malicious insiders?
We see the headlines being made in the media focusing on hacking attacks from external sources: breaking into systems, stealing confidential data, defacing systems and therefore affecting brand equity, etc. However, the majority of the money being lost is through internal attacks, for example where an employee who has legitimate access to a database at a high level becomes disgruntled and misuses that privilege, or is tricked into misusing it, in order to access a huge amount of data which they may then sell on. This is why it's the internal malicious insiders that cause the most damage.

Why do security technologies seem to focus on “cleanup” when surely “prevention” is better?
Prevention is always going to be better than cure. Clean-up is very inconvenient: if you just think about your own desktop or laptop, if it gets infected with a virus, it has to be sent back to the IT department and you'll have to do without it all day whilst everything is reinstalled, and even then all your data might still be lost. Due to the fact that attackers and attack trends are evolving all the time, it's essential that security tool vendors and security development vendors are investing heavily in original security research so that they can ensure that their products are protecting against the kind of threats that organisations will be exposed to tomorrow, and prevent the bad things from happening today.

How do you train and retain skilled security experts and is this expensive?
This can be a real problem for organisations. When you invest in security tools such as firewalls and anti-virus systems, you will have access to copious amounts of alert data from them. The challenge is then getting actionable security intelligence out of these tools; this can be outsourced to help you analyse the data and decide if you really are under attack.


What is a “security policy” and what do I need one for?
A security policy is a framework and a set of rules and guidelines for an organisation which help it meet its objectives. This is why a security policy is very important: it helps you understand where you're trying to get to by establishing what your security objectives are for your organisation.

Anti-virus tools are also very important for organisations; they assist them in defending their servers and desktops against attack by malicious software like viruses, Trojans and worms, etc. As long as you're clear about what the tools do, they are important, but not every organisation's security challenges are going to be solved by managing network access control and defending against malicious software, so an organisation really needs to take a risk-based approach to looking at what security tools they need.

How do you understand all the various elements involved with IT security?
If you’re looking from the ground up, the security industry can seem very complicated. If you understand what risks your organisation is actually susceptible to and what the consequences are then you can find relatively readily what tools you’re going to need.

It is very difficult to get straight answers about exactly what I need to do to comply with an industry-specific regulation.
Providing you are approaching your security policies, processes and tool deployments from a best-practice and common-sense point of view, you're actually likely to be complying with the greater part of nearly all compliance frameworks. There are some specific industry variations which you do need to be aware of, but they are mostly all about best practice and nothing to be too scared of.

I have implemented anti-virus and firewalls, are these the main security tools I need?
Firewall and anti-virus tools are very important for business organisations, but we need to be clear about what they really do. Firewalls are primarily a network access control technology. This is an important function in today's networks; it's particularly important that you should set restrictions on who should access your network, but it's just as important that you look at the content of the 'envelope'.