Last week’s column touched on the recent reports from Gartner at their 2016 Symposium and ITxpo on Monday 16th October. A major area of concern for Chief Information Officers (CIOs) in 2017 and onwards is the area of security and cyber security.
Cyber security is defined as the combination of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. With the use of internet services and the cloud growing at an exponential rate – cyber security is now a major priority for individuals and companies alike.
So how does one manage risk and avoid security disasters? Firstly, look to the IT professionals that you trust to manage your IT assets. Are they appropriately skilled to be able to protect your company from security breaches? If not, look now to get them skilled up. Training nowadays is not the challenge it was before the internet. Most vocational courses and exams are available online at modest pricing. From the CompTIA Security+ certification, to online university courses offering academic qualifications in this field, there is a course for every type of corporate.
Ignore staff skills investment at your own risk. Of course, we all know that staff with these qualifications are in high demand and likely – especially in Malawi (where I have lost several key staff over the years to large corporates – but I am not complaining) – to be poached by another company. However, there is no reason why you cannot get the relevant employee to sign an undertaking whereby, if s/he chooses to leave with the newly gained qualification, s/he is expected to work a longer period of notice and/or pay back the cost of the course to your organisation.
Now, how does one assess the security risk of an organisation? The first thing that needs to be established is a baseline – usually through a process called network discovery. This requires a full and transparent assessment of the complete IT infrastructure to produce an IT asset list or inventory.
Data needs to be collated on all connected devices accessing the corporate network (do not forget mobile or personal user devices) and on the software in use, and internet connectivity is scanned to build an inventory. Additional information is also gathered on user accounts, rights, and access policies. First risk – ensure this data is fully vetted and 100 percent accurate. And remember this must be carried out on a regular basis.
Automation must be seriously considered here in any medium to large organisation – and there are several tools and applications to do this. Consider Microsoft’s Systems Management Server functionality and use it to scan regularly for new network devices and users.
Without accurate and up-to-date data as above, risk assessments, at best, will be guesswork. Getting these systems in place – be it a physical assessment of the infrastructure on a regular basis – will enable an efficient risk management strategy to be defined and followed.
Do not forget that security risks can also exist within the organisation, as well as from external sources. A major area to consider relates to your users. Do they understand the risks involved in day-to-day internet or social network interaction? If not, educate them and ensure an up-to-date User IT policy is in place. Look out for disgruntled employees in positions of authority. Ensure authentication processes are in place for all users. Lock out any unauthorised users.
Once you have your house in order, you can then look at external loopholes – consider soft and hard firewalls for monitoring all external traffic. A corporate anti-virus solution is an absolute must – do not stint on costs here with cheap or free individual solutions. Review your disaster recovery and failover procedures – how long does it take you to get your systems back up and running in the event of a major failure? Monitor, assess and re-check regularly – this exercise is something that needs to be done at least once a month if not more frequently. Complacency is an expensive habit in the IT environment.