How do I know if our IT security is up to date?
One of the aspects of conducting a privacy impact assessment is ensuring that your IT security is up to scratch. That can be a tall order, as very few people in management (or any other department) really understand the complexities of the ever-evolving world of technology. How would you know if you’re on the right version of the operating system, that your firewalls are effective, or that no staff member is opening dodgy emails? Most organisations are completely reliant on the quality of service provided by their IT support, whether internal or outsourced. So how would you know whether your IT provider is good enough, other than waiting for the day you suffer a breach?
Is my IT provider doing enough?
There are quite a few IT professionals I have met who are lost in their own time warp and have not kept up to date. Some I have met still live off tape drives and still haven’t caught up with the reality of ransomware. To be fair, it is easy to become outdated in this fast-paced environment, but that is the nature of the industry, and providers must maintain a continued discipline of professional development. There is a story of an IT manager who went to a conference on the hack of Sony Pictures by the North Korean government. He walked in there feeling confident that 95% of all eventualities were covered. After the conference he realised that he needed to get as close as possible to 100%, as their breach was far more sophisticated than he had originally supposed, and the attackers only required a small sliver of opportunity to get in.
So, whether your IT department is in house, outsourced, cloud based, remote workers or whatever, how are you going to even begin to ask the questions, let alone understand the answers? The important thing to realise is that the same principles that apply to IT security also apply to protecting physical premises. One is substance, the other appearances.
Keeping up Appearances.
I began my working life in Melbourne, Australia, and a house up the street from where I lived had an array of burglar alarms and a 9-foot-high fence, so it was impossible to scale. Every long weekend it was burgled, while our little humble abode (crumbling window frames, and we probably left the door open in summer) was left alone. Why? Because anyone who went to that amount of trouble making the house look secure must have something worthwhile stealing. Once they got over the front wall they had three days to break in at their leisure. Professionals see it as a challenge and worthy of their talent.
There is an analogy with cyber: the criminal element goes after companies that seem successful, for the maximum reward. So, the higher profile you are, with obvious displays of wealth, the greater the level of discreet security that needs to be applied. The Russians are known for being able to wander through JP Morgan’s security at will. So, as with our neighbours in Melbourne, who eventually took advice from the police and removed the wall and hid all the alarms discreetly away so the house didn’t stand out from all the other houses, it’s the same principle in IT: if it doesn’t look like there is anything worthwhile inside the box, why bother trying to hack in?