15/09/2015
What do the German Parliament, a high school and a marital affair site have in common?
They are all recent victims of a successful hack and suffered a loss of sensitive data. To prevent this from happening to you, you cannot simply rely on the latest technology and hope to close vulnerabilities in time. What you really need is a holistic IT security strategy. Bernhard Weber, IT security expert at msg, explains the five key steps companies need to take to ensure a sound approach to designing their security concept.
- Analysis: To begin with, all of a company’s critical data and systems must be identified in order to determine what needs to be protected to meet the goals of information security (confidentiality, integrity, availability). It is especially important to involve the data owners in this process, as they are the only ones who can assess the maximum damage that would be incurred should one of these goals be breached. Identifying whether the data is subject to data protection requirements is also crucial in this phase.
- Risk assessment: Next, the risk in the current state is assessed. During this step, the “potential maximum damage” is weighed against the “probability that a risk will occur”. One example might be: What would be the consequence if the confidentiality of certain data were breached? How probable is the occurrence of that threat? Combining the two produces the “assessed risk”.
- Security requirements: The risk assessment indicates the areas with the most urgent risks. Those areas must then be compared with the company’s own internal compliance and security requirements, as well as with any statutory requirements and best practices. The primary goal of doing so is to identify the relevant security requirements and to anchor them in the security concept. Large companies often use requirement catalogs as a guideline for their IT security. If one is not already in place, there is also the option of basing the concept on common security standards, such as ISO/IEC 27001, or ISO 27001 on the basis of baseline protection.
- Measures: The information about risks and security requirements collected up to this point is now used to draft possible measures to meet them. Any measures defined here must be coordinated in full with the system owners and architects to ensure that the resulting security architecture serves its intended purpose but does not create “no-go” criteria for usability, performance, etc.
- Residual risks: Before the security measures are actually implemented, they must be reviewed to decide whether the cost/benefit ratio is proportionate and whether any residual risks are acceptable. If, for example, implementing a security measure would be more expensive than the maximum damage that could be incurred, management tends to regard the residual risk as acceptable and chooses to carry it.
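The five steps above can be carried through on a small risk register. The following is an added example, not code from the article or from msg: the assets, the 1-to-4 rating scales, the acceptance threshold and the euro figures are all constructed sample values. It ranks assets by assessed risk (damage × probability, step 2), then applies the cost/benefit rule from step 5: a measure that costs more than the maximum damage is skipped and the residual risk accepted; otherwise the residual risk after the measure is computed and compared with the accepted level.

```python
"""Worked risk register for the five-step security concept (analysis, risk
assessment, requirements, measures, residual risks). All data below is
constructed for illustration and does not describe any real company."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal rating scales (constructed): damage and probability each rated 1..4.
DAMAGE = {"low": 1, "medium": 2, "high": 3, "very high": 4}
PROBABILITY = {"rare": 1, "possible": 2, "likely": 3, "frequent": 4}


@dataclass
class Asset:
    """Step 1 (analysis): what must be protected, rated by its data owner."""
    name: str
    goal: str                 # confidentiality / integrity / availability
    data_owner: str           # the only role able to rate the maximum damage
    max_damage_eur: int       # owner's estimate of the worst-case loss
    damage: str               # qualitative damage rating (key of DAMAGE)
    probability: str          # current probability of the threat occurring
    personal_data: bool = False  # data protection relevance flagged in step 1


@dataclass
class Measure:
    """Step 4: a proposed measure and the probability it would leave behind."""
    asset: str
    description: str
    cost_eur: int
    new_probability: str


def assessed_risk(asset: Asset) -> int:
    """Step 2: 'potential maximum damage' x 'probability that the risk occurs'."""
    return DAMAGE[asset.damage] * PROBABILITY[asset.probability]


def rank_risks(assets: List[Asset]) -> List[Asset]:
    """Step 3 input: highest assessed risk first, so requirements are prioritised."""
    return sorted(assets, key=assessed_risk, reverse=True)


def decide_measure(asset: Asset, measure: Measure,
                   acceptable_risk: int = 4) -> Tuple[str, int]:
    """Steps 4 and 5: cost/benefit check, then residual risk after the measure."""
    if measure.cost_eur > asset.max_damage_eur:
        # Measure costs more than the worst case: carry the risk instead.
        return ("accept residual risk", assessed_risk(asset))
    residual = DAMAGE[asset.damage] * PROBABILITY[measure.new_probability]
    if residual <= acceptable_risk:
        return ("implement", residual)
    # The measure helps but the remaining risk still exceeds the accepted level,
    # so the decision has to go back to management.
    return ("implement and escalate", residual)


def evaluate(assets: List[Asset], measures: List[Measure]) -> Dict[str, Tuple[str, int]]:
    """Run the register: one decision per asset, keyed by asset name."""
    by_asset = {m.asset: m for m in measures}
    return {a.name: decide_measure(a, by_asset[a.name]) for a in rank_risks(assets)}


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("HR master data", "confidentiality", "Head of HR", 500_000,
          "very high", "likely", personal_data=True),
    Asset("Order system", "availability", "Head of Sales", 200_000, "high", "likely"),
    Asset("Intranet news", "integrity", "Communications", 5_000, "low", "possible"),
]
SAMPLE_MEASURES = [
    Measure("HR master data", "encrypt database, restrict access to HR roles", 60_000, "possible"),
    Measure("Order system", "redundant application servers", 90_000, "rare"),
    Measure("Intranet news", "web application firewall", 20_000, "rare"),
]

if __name__ == "__main__":
    for asset in rank_risks(SAMPLE_ASSETS):
        print(f"{asset.name:16} assessed risk {assessed_risk(asset):2}")
    for name, (decision, residual) in evaluate(SAMPLE_ASSETS, SAMPLE_MEASURES).items():
        print(f"{name:16} -> {decision} (residual {residual})")
```

The three sample assets exercise each outcome: the order system's measure is affordable and brings the risk within the accepted level, the HR measure is affordable but leaves a residual risk above the threshold, and the intranet measure costs more than the worst case and is therefore not implemented.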
By creating suitable security concepts, companies take a key step toward safeguarding their own company data, processes and infrastructure. Sound documentation and sustainable support processes help align the concept with the company’s unique features and achieve continuous improvement - keyword “CIP” (continuous improvement process). After all, the security concept is not simply a document you put on a shelf to collect dust, but a tool that is continuously developed and, ideally, is considered an integral part of the corporate culture.
The data security risk in foreign countries is high, but can be significantly reduced by taking a few simple steps / Tips for employees
When traveling for business, your data is exposed to numerous risks: loss or manipulation of end devices, unsecured WLAN connections or inattentive employees are just a few examples. However, taking the right precautions can help you control these risks.
Data security tends to take a back seat in the midst of planning a trip abroad. Yet there are so many risk scenarios that special security measures simply have to be taken. This is not only the case when traveling to a high-risk country where data espionage is an everyday occurrence. Even brief lapses in attentiveness, or simply using a device in the manner you are accustomed to “back home”, can unintentionally expose data to risks. Thus, it is not only companies that need to take preventative measures; employees themselves can also minimize risks considerably by being mindful of their actions.
What Employees Can Do
A company’s best intentions are of no avail if employees do not follow certain rules of conduct. Taking the following measures to heart can help ensure that the next trip abroad does not end in disaster.
- Concealed Entry of Passwords. The same rule that applies to entering a PIN at an ATM also applies to passwords: their entry should always be concealed. Otherwise, other people or hidden cameras may be able to observe or record it.
- Never Lend End Devices or Leave Them Unattended. An end device containing sensitive data should never leave your possession - not even in alleged cases of emergency. Hotel rooms or hotel room safes should not be considered secure either. Leaving a device unattended poses the risk of someone else accessing it and manipulating it or tapping into its data.
- Never Use Unencrypted or Unfamiliar WLANs. Anyone who uses an inadequately secured WLAN when traveling runs the risk of having their data stolen. Larger chain hotels can be considered somewhat trustworthy, as their WLAN infrastructures tend to be operated by well-known, reliable providers - however, care should be taken in smaller hotels or in coffee houses and restaurants. When in doubt, the general rule of thumb is to assume that the unknown WLAN is transmitting its data unencrypted or is not adequately secured.
- Caution when Using External USB Devices. USB sticks or other devices that can be connected to one’s own end device may be compromised or may contain malware. This applies both to devices that are assumed safe, such as keyboards or chargers made available to travelers, and to so-called USB gadgets such as fans, coffee cup warmers, etc.
- Only Use Your Own End Devices. A colleague’s kind offer to let you use their end device to access important websites, content or services should be politely refused. A keylogger might be recording the login data or the device might be contaminated with malware.
“Time and again we see business people and managers taking a haphazard approach to data security when heading abroad, even if they access critical data on a regular basis or are heading to a country where data security is questionable,” Mark-W. Schmidt, Head of msg Information Security, has come to realize. “Furthermore, the loss potential is often underestimated. To ensure business travelers take these tips to heart and avoid dangerous usage behavior when abroad, we recommend companies offer training courses to create awareness among their employees as to which risks they are exposed to and how best to avoid them.”