For all the media’s fascination with the apparent inexorability of uber-sophisticated cyber attacks on our nation’s businesses and organisations, recent events have shown that security risks can be much more mundane and prosaic. Classic phishing and poor patching discipline gave WannaCry its wrecking-ball moment in the sun, and perhaps now is as good a time as any to go back to first principles and check that all your fundamental protections are in place.
Regardless of its merits as a security certification scheme, the government’s Cyber Essentials scheme is a solid reminder of the basics and worth restating here. It concentrates on five key controls:
- Boundary firewalls and internet gateways – with the onus on proper set-up either in hardware or software form to ensure they are fully effective
- Secure configuration – systems must be configured in the most secure way for the needs of the organisation
- Access control – controlling who has access to systems and at what level
- Malware protection – ensuring that virus and malware protection is installed and is up to date
- Patch management – checking that the latest supported version of applications is used and all necessary patches have been applied.
Basic stuff, yes, but these controls add up to a sustained volume of system administration and network management work: work that can detract from IT’s mission to deliver front-end business value, work that can often test an organisation’s security know-how, work that can put unwelcome stresses on teams already charged with doing more for less. Entrusting the type of controls listed above to a managed service provider is an increasingly attractive option: they have the depth of resource, the specialist knowledge and the proven processes to address security protections head-on, with other ‘safeguarding’ services bringing up the rear, such as online back-ups and recovery environments.
We’d also add something else: a more holistic approach all round, a layered security model if you will, with no over-dependence on one or two security factors but a robust approach across the board. We’d certainly advocate, for example, keeping accurate asset lists; using and enforcing a strong password policy; having a rigorous starter/leaver process together with a ‘least privilege’ access policy as a default; investing in end user training to boost security awareness amongst the accepted ‘weakest links’; and having a clearly defined and preferably tested plan for how to react to a security incident.
A proactive, client-centric managed service provider won’t be content with just taking on the operational burden at the sharp system end of things; they’ll also be reaching out to advise on, and help implement, best practice as part of a belt-and-braces approach to ongoing security and continuity. It’s building on the basics, and that in itself is fundamental to mitigating risk.