Things to keep in mind when talking about IT Security
Many IT Service Providers are vague about how much their solutions will actually help you. The only secure computer is one that is turned off – that is what 100% security looks like. Any other system is at risk, either through existing vulnerabilities or through new (‘Zero Day’) ones.
Given that compromise, a discussion about acceptable risk is central to success: what can you afford to lose, and what can you never afford to lose? We call this ‘wargaming’ – thinking through a conflict situation in which a cybercriminal has attacked, or is trying to attack, your organisation.
This exercise is very helpful for Patch Management – deciding whether updating or upgrading a piece of software falls within the range of risk that your organisation is willing to accept.
We advise focusing your IT Security investments on Endpoints and E-mail because most cyberattacks target these. Any network-connected device is an Endpoint, so this covers the majority of your estate, and E-mail is the primary means of communication across businesses.
If a state-sponsored cyberattack were to hit any organisation, there is a high likelihood that it would succeed, or at least do damage – think of the SolarWinds breach, which was several years in the making and affected almost every NATO member.
What comprehensive IT Security looks like
A risk-based approach is not a blasé one
Taking a risk-based approach does not mean not caring about risk – it means making the effort to classify risks and then rank them by priority.
For example, if a single email account in a one-hundred person company is hacked but re-secured quickly, that is an acceptable risk, one that you would hope does not happen too often. If, however, all of the accounts are hacked, your E-mail system is not structurally sound.
Likewise, a laptop could be stolen, but because it is encrypted the data remains secure, so the loss is of kit – not of the more valuable data on it. If, however, a device was not encrypted and could not be remotely wiped, this suggests a possible data breach, and the Information Commissioner’s Office would have to be informed.
Accepting risk, mitigating where and how you are at risk, and investing in Endpoint and E-mail Security are the fundamentals to sound IT Security.