Security is a constant worry when it comes to information technology. Data theft, hacking, malware and a host of other threats are enough to keep any IT professional up at night. In this article, we’ll look at the basic principles and best practices that IT professionals use to keep their systems safe.
The Goal of Information Security
Information security follows three overarching principles:
• Confidentiality: This means that information is only being seen or used by people who are authorized to access it.
• Integrity: This means that any changes to the information by an unauthorized user are impossible (or at least detected), and changes by authorized users are tracked.
• Availability: This means that the information is accessible when authorized users need it.
So, armed with these higher-level principles, IT security specialists have come up with best practices to help organizations ensure that their information stays safe. There are many best practices in IT security that are specific to certain industries or businesses, but some apply broadly.
Balance Protection with Utility
Computers in an office could be completely protected if all the network connections were torn out and everyone was kicked out of the room – but then they wouldn’t be of use to anyone. This is why one of the biggest challenges in IT security is finding a balance between resource availability and the confidentiality and integrity of the resources.
Rather than trying to protect against all kinds of threats, most IT departments focus on insulating the most vital systems first and then finding acceptable ways to protect the rest without making them useless. Some of the lower-priority systems may be candidates for automated analysis, so that the most important systems remain the focus.
Split Up the Users and Resources
For an information security system to work, it must know who is allowed to see and do particular things. Someone in accounting, for example, doesn’t need to see all the names in a client database, but he might need to see the figures coming out of sales. This means that a system administrator needs to assign access by a person’s job type, and may need to further refine those limits according to organizational separations. This will ensure that the chief financial officer will ideally be able to access more data and resources than a junior accountant.
That said, rank doesn’t mean full access. A company’s CEO may need to see more data than other individuals, but he doesn’t automatically need full access to the system. This brings us to the next point.
Assign Minimum Privileges
An individual should be assigned the minimum privileges needed to carry out his or her responsibilities. If a person’s responsibilities change, so will the privileges. Assigning minimum privileges reduces the chances that Joe from design will walk out the door with all the marketing data.
Use Independent Defenses
This is a military principle as much as an IT security one. Using one really good defense, such as authentication protocols, is only good until someone breaches it. When several independent defenses are employed, an attacker must use several different strategies to get through them. Introducing this type of complexity doesn’t provide 100 percent protection against attacks, but it does reduce the chances of a successful attack.
Plan for Failure
Planning for failure will help minimize its actual consequences should it occur. Having backup systems in place beforehand allows the IT department to constantly monitor security measures and react quickly to a breach. If the breach is not serious, the business or organization can keep operating on backup while the problem is addressed. IT security is as much about limiting the damage from breaches as it is about preventing them.
Record, Record, Record
Ideally, a security system will never be breached, but when a security breach does take place, the event should be recorded. In fact, IT staff often record as much as they can, even when a breach isn’t happening. Sometimes the causes of breaches aren’t apparent after the fact, so it’s important to have data to track backwards. Data from breaches will eventually help to improve the system and prevent future attacks – even if it doesn’t initially make sense.
Run Frequent Tests
Hackers are constantly improving their craft, which means information security must evolve to keep up. IT professionals run tests, conduct risk assessments, reread the disaster recovery plan, check the business continuity plan in case of attack, and then do it all over again.
Train and Discuss the Implications
Humans remain the weak link in corporate data protection, but you might be surprised that it isn’t only rank-and-file employees duped by phishing scams who pose risks. Some companies are lulled into a false sense of cybersecurity by vendors: they believe the shiny new technologies they’ve acquired will protect them from anything.
The best defense? Go on the offense with training, simulated phishing attacks and discussions about what a staff member should be looking for in order to be prepared. When receiving email from an unknown sender, question its intent, especially when it carries attachments or links. Hover over a link to see where it will actually send you and/or which document will open. Do’s and Don’ts? Do delete the email and call the sender. Don’t forward the email to an IT staff member asking whether it is malicious.
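One way to automate the “hover over the link” check described above, as an added example that is not part of the original article: it scans a constructed HTML e-mail body and flags every link whose visible text is itself a URL but points to a different host than the real href, which is exactly the mismatch hovering would reveal. The e-mail body, hostnames and function names below are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the article): the first link shows one
# address but leads somewhere else, the second matches, the third uses plain words.
SAMPLE_EMAIL_HTML = """
<p>Please review the attached invoice.</p>
<a href="http://login.example-account-verify.test/reset">https://www.example.com/account</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>
<a href="https://cdn.example.net/invoice.pdf">Open invoice</a>
"""

# Matches <a ... href="..."> ... </a>; good enough for typical mail HTML.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return (href, visible_text) pairs where the visible text looks like a URL
    but its host differs from the host of the real destination."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = text.strip()
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain words as link text: nothing to compare against
        if host_of(text) != host_of(href):
            findings.append((href, text))
    return findings


if __name__ == "__main__":
    for href, shown in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {shown} but actually goes to {href}")
```

Links whose text is a word or phrase are not flagged here; for those the real destination still has to be read off the href, which is what hovering shows.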
IT security is a challenging job that requires attention to detail at the same time as it demands a higher-level awareness. However, like many tasks that seem complex at first glance, IT security can be broken down into basic steps that simplify the process. That’s not to say it makes things easy, but it does keep IT professionals on their toes.