I need to be sure my ICT is safe and secure
The benefits of a strategic approach to ICT security
When it comes to developing an ICT security strategy for your organisation, there are a few points to bear in mind at the start of the process, which can help it to take shape. Firstly, it’s important to remember that any business or organisation is a potential target for cybercriminals, so taking a risk-based approach to managing your ICT security is critical. There are also both internal and external threats to your ICT that you’ll need to consider, which range from potential vulnerabilities in your software, servers or systems, to simple human error.
It’s not just computers and laptops that may be vulnerable.
Mobile devices, internet connections and data storage can also be hacked.
A strategic approach to ICT security will enable your organisation to identify the potential risks, get the right foundations in place, and then address those issues in priority order so that, overall, you have the most effective strategy for your organisation. Once you gain a better understanding of the risks you face, and how they might evolve, you can develop your initial approach into a more comprehensive strategy which gives your organisation more robust ICT security. An ICT security strategy will also allow your organisation to be far more proactive, both in reducing its visible attack surface and in responding to an incident.
Where do I start with my ICT security?
There are three key pillars of ICT security which your strategy should address: people, processes and technology. They are all interlinked. The technology your organisation chooses needs processes which govern its use, while your people need the appropriate training to ensure your procedures are followed correctly.
Your processes need to be documented and reviewed regularly, and your employees need to be kept up to date with the latest changes and made aware of their role in supporting your organisation’s ICT security. Carrying out a full and thorough IT health check should be the starting point of any good ICT security strategy. At this stage, it’s all about identifying potential threats and vulnerabilities, understanding the impact they could have, and then finding the best way to address them.
You may not possess the knowledge or expertise in-house to do this effectively. An experienced external ICT consultant will be able to provide you with an objective view of your organisation and the risks it faces, along with the technical leadership required to develop and implement a security strategy effectively and to assist in prioritising any remediation that arises from an IT health check, penetration test or vulnerability scan. Your consultant will be able to help you identify any ICT security measures you may need to implement and build a strong business case to support your organisation’s investment in them.
They will also be able to help you create procedures and policies your organisation will need to follow once the strategy has been implemented, as well as identify and address any staff training requirements.
What technology is available to me?
The UK has a strong body of best practice around cyber security, from the Government’s Cyber Essentials scheme, the Minimum Cyber Security Standard, quality assurance frameworks including PAS 555, ISO27001 and ISO27032, and technical leadership from the National Cyber Security Centre.
When it comes to technology, the requirements will vary from organisation to organisation. However, to provide a basic level of ICT security which will address many common issues, the Government’s Cyber Essentials scheme recommends the following:
Firewalls
Firewalls are network security systems which monitor and control network traffic based on predetermined security rules. They establish a buffer between trusted internal networks and untrusted external networks, such as the internet, to help prevent unwanted access to networks and data and block harmful data packets.
Secure configuration
Device and software security can be quickly and easily improved by changing their default settings, disabling any unnecessary functions and updating default passwords to reduce the risk of a security breach.
Role Based Access control (RBAC)
Controlling which users have access to your organisation’s devices and applications, and what permissions they have, can reduce the risk of a security breach. Access and admin permissions should be given only to those who need them.
Anti-virus and malware protection
Using anti-malware software, as well as ‘whitelisting’ and ‘sandboxing’, can help protect your devices and networks from viruses and malicious software that is introduced through website browsing, emails and even removable storage such as USB sticks.
Updating your software
Hardware and software vendors release regular updates to improve their applications and fix – or patch – any newly-discovered security issues or vulnerabilities. Installing updates as quickly as possible once they have been released will minimise the timeframe in which those security gaps can be exploited. And once the vendor stops offering support for the hardware or software you’re using, upgrading it to the latest version is essential.
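The five controls above are what an IT health check measures an estate against, and the page stresses fixing findings in priority order. The following is an added example, not code from the original page or from AMDH Services: a small health check that runs a constructed asset inventory through each control and orders the findings most severe first. The severity weights and the field names of `Asset` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    """One device or server from a constructed inventory (hypothetical fields)."""
    name: str
    firewall_enabled: bool
    default_password_changed: bool
    unneeded_services: list
    admin_users: list
    approved_admins: list
    anti_malware: bool
    last_patched: date
    vendor_supported: bool

# Assumed weights: 3 = fix first, 1 = fix when convenient.
SEVERITY = {"firewall": 3, "default-credentials": 3, "unsupported-software": 3,
            "patching": 2, "excess-admin": 2, "anti-malware": 2, "unneeded-services": 1}

def check_asset(asset, today, patch_window_days=14):
    """Return (control, detail) findings for one asset. 14 days is the
    Cyber Essentials window for applying critical and high-risk patches."""
    findings = []
    if not asset.firewall_enabled:
        findings.append(("firewall", "host firewall disabled"))
    if not asset.default_password_changed:
        findings.append(("default-credentials", "default password still in use"))
    if asset.unneeded_services:
        findings.append(("unneeded-services", "running: " + ", ".join(asset.unneeded_services)))
    extra = sorted(set(asset.admin_users) - set(asset.approved_admins))
    if extra:  # admin rights held by someone not on the approved list
        findings.append(("excess-admin", "unapproved admins: " + ", ".join(extra)))
    if not asset.anti_malware:
        findings.append(("anti-malware", "no anti-malware installed"))
    overdue = (today - asset.last_patched).days - patch_window_days
    if overdue > 0:
        findings.append(("patching", f"patches {overdue} days past the window"))
    if not asset.vendor_supported:
        findings.append(("unsupported-software", "vendor support has ended"))
    return findings

def prioritise(assets, today):
    """Flatten findings across the estate, most severe first, then by asset and control."""
    rows = [(SEVERITY[c], a.name, c, d) for a in assets for c, d in check_asset(a, today)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample inventory, not real hosts.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("laptop-01", True, True, [], ["alice"], ["alice"], True, date(2024, 5, 25), True),
    Asset("fileserver", False, False, ["telnet"], ["bob", "carol"], ["bob"], True, date(2024, 3, 1), False),
]
```

Running `prioritise(INVENTORY, TODAY)` returns the six fileserver findings with the three severity-3 controls first, which is the order a remediation plan would work through.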
In addition to the measures set out by Cyber Essentials, monitoring your ICT security is almost as important as creating a secure environment. Doing this effectively can require significant investment. NCSC recommends that organisations invest in a proper security monitoring solution that gathers and aggregates all security events and presents those aggregated events to ICT security specialists for remediation. These systems are called Security Information and Event Management (SIEM) tools.
Creating your ICT security strategy
Taking a strategic, risk-based approach to your ICT security will help your organisation address the most serious issues it faces first, and help to make any investment in additional security technology as cost-effective as possible. A strategic approach will also help you gain a better understanding of the ICT security landscape, any gaps or weak spots within your organisation and the resources you might need to put them right. It can also help to align your ICT delivery to your organisational objectives, keep risk in the spotlight and gain buy-in from your senior leadership.
A good ICT security strategy will also help your organisation ensure it has the right processes in place to:
- ensure the risks to its data and ICT networks are appropriately addressed;
- make sure staff are adequately trained and understand the security risks;
- confirm that the technology your organisation uses to protect its networks and data has been implemented correctly and is assessed regularly.
Once again, your organisation needs to treat ICT security like any other risk and manage it accordingly.
Find out more
AMDH Services Ltd has a wealth of experience in developing and implementing ICT security strategies and solutions. We can help your organisation identify and mitigate your security risks, recommending the technologies and security options which will deliver the best return on investment. We can also provide you with the best technical expertise at the right cost to enhance the overall value of your investment in our services. To find out more, get in touch for an informal chat and a free consultation.