Security Best Practices Can Help Mitigate New Threats
EMA analyst Chris Steffen explains how best practices are still the best way forward.
By Neil Tardy
10/01/2020
Restless nights are a byproduct of Chris Steffen’s job as a security analyst. He’s spent more than 20 years in IT, envisioning worst-case scenarios while helping clients adopt preventive measures and deal with security challenges. In these times of upheaval and remote work, the challenges are as many, varied and daunting as they’ve ever been. However, Steffen says he also finds reassurance in things he’s seeing in response to the events of the past few months.
“Those companies that already had a business continuity and security plan, those companies that were planning accordingly, doing the right things and following best practices, those are the companies that are flourishing,” says Steffen, a research director with Enterprise Management Associates (EMA) Inc., a Boulder, Colorado-based IT research and consulting firm.
In short, best practices are critically important. Of course, securing an IT environment requires significant investment in both people and technology, but the commonsense rules and guidelines that were in place long before anyone heard of malware or ransomware—the security basics, if you will—remain effective. Even in changing times, security still starts with best practices.
Getting Started, Thinking Ahead
Steffen recommends that data inventories be routinely conducted on every IT environment. Simply having backups and archives of data isn’t sufficient. Every data source must be accounted for as the first step for companies and organizations to achieve regulatory compliance.
“You can’t know what to protect if you don’t know what you have, so a data inventory is the place to start. And the reality is, without a data inventory, you can’t possibly be compliant to data security and privacy regulations,” Steffen says. “Unfortunately, this process is daunting for many companies because they lack a firm understanding of the scope and sequence of their data.”
For this reason, Steffen believes it’s best to have a competent third party conduct the inventory.
Along with verifying the contents of your environment, the basic security tools and processes must be in place. This starts with antivirus software. If you’re thinking that every user computer in every IT environment would surely be loaded with the latest versions of antivirus suites, Steffen would tell you that’s not the case. Unfortunately, some organizations don’t pay attention to this detail. With so many users continuing to work remotely, this is even more important.
Another no-brainer step that’s even more widely neglected is system patching. Steffen says that providing regular security updates and fixes to critical internal systems as well as externally exposed systems allows IT environments to avoid most security problems. As he puts it, you don’t want to be an easy mark in the eyes of hackers.
“The bad guys we’re talking about, the bad actors, they’re looking for these vulnerabilities. They’re looking for someone that isn’t doing regular patching. They’re looking for an exposed internet presence to exploit. They’re looking for the easy score. If you’re not easy to exploit, they’ll likely move onto someone who is because they have many options in that regard. That’s why implementing system updates, antivirus and antimalware tools helps address [or prevent] problems,” Steffen says.
The Human Factor
Knowing what you have and taking the steps to protect it doesn’t just apply to computing environments. Best practices can also be applied to those tasked to maintain them. ISC2, a non-profit membership association for information security leaders, estimates that the cybersecurity workforce in the U.S. needs to increase by nearly half a million skilled professionals to better protect corporate and organizational computer systems.
This means that business leaders must recognize the value and scarcity of IT managers and administrators, specifically those who work on security, and find new ways to retain talent.
“I know it seems overly simplistic, but it’s far easier to retain someone than it is to hire someone,” he says. “I’m a huge fan of promoting and training from within, and I’ve always advocated for training and ongoing education. A lot of companies take this approach to try and alleviate the skills gap problem. Of course, it benefits the employee, but it also helps the company.”
The skills issue can be particularly vexing in small legacy environments, where a single tech may be responsible for organizational security. For longtime users of AIX® and IBM i OSes, it’s a familiar scenario.
“One person should never hold the keys to your kingdom,” Steffen says. “I’ve seen so often where no one was planning for Bob the programmer to leave or retire, and now they’re stuck. They can’t innovate because they’re literally ball-and-chained to a system that only Bob knew how to manage. That’s why you should always think and plan for the next iteration.”
So employers must take measures to cross-train more employees on the day-to-day tasks that improve security, which, in turn, enables a business to be more proactive in protecting the company, its data and, most of all, its customers.
“Having a CIS do day-to-day firewall management is overkill. There are automated solutions for that,” Steffen says. “The kind of work that motivates most security people is in the planning and design that comes with architecting solutions that prevent attacks. These are big-picture people—and really, that’s their value.”
The events of 2020 have transformed IT. These extraordinary circumstances have led some security admins, who, as Steffen can attest, are normally a cautious and suspicious lot, to allow for deviations in established security practices during the post-shutdown scramble to get users up and running from their homes.
“The work from home movement, if that’s what you want to call it, has led to many, many additional new vulnerabilities that aren’t necessarily present in enterprise environments,” he says. “Now is the time for security people to focus on re-establishing those procedures and security controls. I mean, compliance hasn’t gone away. With people back on their feet a bit, auditors are out looking again, so it’s incumbent on security teams to return their enterprises to an audit-able stance with all possible speed and hopefully keep it that way.”
His two-fold advice to security pros as their companies and organizations plan for 2021 isn’t all that different from any other year: Understand your executives’ pain points, and set your priorities.
“We can all agree that improving your overall extended work from home infrastructure is a priority. So if you have a project you want to do to improve security, figure out a way to tie into that. Maybe it’s email security, maybe it’s remote video calling. But as always, work with your risk teams to understand their priorities and create a plan.”
Finally, understand that when it comes to IT security, a lot of good people are working on it.
“The great news is that there has never been more innovation than there is now to stop attacks and keep up with the bad guys,” Steffen says.
4 Security Best Practices
- Conduct a third-party data inventory
- Stay up to date with system patching
- Retain top IT talent, especially those that work on security, to reduce turnover
- Focus staff resources on high level security strategies instead of day-to-day firewall maintenance
Neil Tardy is a contributing writer to IBM Systems Magazine.