Trends in Business Security

The Need for Information Security and How This Ties to Cloud Initiatives

Author: Julie Foster - MarCom / Monday, May 1, 2017 / Categories: Business Security Services

As we are moving to the cloud, hosted and other managed services, we have to think about how security pertains to that. If you think back five years or even a little longer, security was a firewall because we sent email back and forth and we had to understand who was sending us what and if it was malicious. Now, with mobile devices and other technologies, the attack mechanisms have grown tenfold.

Below is information from an article by David Lichtman, the publisher of the Sacramento Business Journal, who sat down to talk with Darren Peterson, vice president of product marketing at Consolidated Communications.

We are all mobile. And the key to security is to secure against the bad guys. And yet, when your users can't get access, that's almost as troublesome. So the real dilemma there is how do we provide access and yet remove the challenges?

When we think about security for businesses, it's not just those bad guys out there. Do I have employees that are spending way too much time on Facebook? Or maybe I have marketing employees that should be on Facebook, but they shouldn't be doing any in-app purchases. Anyone in the security industry will tell you the weakest link in security is the users, because we don't control what the guy next to us opens in their attachment or what links they click on. We, as individual users, regardless of our role in a company, have to think about what we are doing and how we can educate our users.

I think the key for businesses is to assess your own internal assets. If you are a large organization, oftentimes you have more resources. If you are a smaller organization, you may need to think about not doing everything in-house because it is really hard to stay up and current with what's going on in the security marketplace from both a technology standpoint but also from an attack standpoint. So, the goal there is really to make sure we understand who-is-who and what content is acceptable, and what content is not.

You can secure your own facility really well, but if you have an application in the cloud that's got a direct connection back into your facility and that's unsecure, you have a real issue. You have a vulnerability that's real easy to exploit. I would say that the biggest challenge there and how you secure that, is making sure that you have either an internal resource or a partner that allows you to look at your entire strategy and your entire technology base and not just components of it.

As I mentioned before, five years ago security was a firewall, but today what we’re seeing in the industry is a next-generation firewall. Part of the benefit of the next-generation firewall is, by and large, most come with a subscription that ensures that you are constantly getting the freshest and newest updates, because we all know we don't have a week or two to upgrade or patch when there's an attack that's going on somewhere that's causing major disruptions.

For most IT information security professionals, they know it's not if; it's when is the next attack, and what are we going to do about it? I think with unlimited resources, you tackle both. With limited resources, you have to get into an assessment-base to understand your biggest risks and vulnerabilities.

I believe you need to find people and/or organizations that you can trust to help. Even the largest organizations have partners when it comes to security. It is making sure that you've identified the right resources. Whether those are employees, whether they are partners or, almost always, it's going to be a combination of both to solve some of those challenges. I would say the best practice is to understand what your challenges are, what your needs are, and do a real honest assessment. Oftentimes it's hard to do that honest assessment on yourself. We all have that challenge.

There are plenty of statistics out there that say that when a company has been compromised or other people's information has been compromised, there is a substantial financial impact in dollars. When a company is off-line or not able to run their business, then that too is a big challenge.

A newer risk in information security is ransomware. Ransomware is where people obtain some sort of access or some sort of information and hold the threat of either bringing the company down or withholding information until a sum of money gets paid. It’s a more sophisticated attack that would be something that the larger organizations generally need to think about a lot more than the smaller ones, but it's a threat that's out there.

Be an educated user of technology. There are some simple things; examples are keeping your applications updated. Almost always when companies are pushing updates to their applications, many updates are security-related. It's keeping current on your current versions of the subscriptions that you have that are security-based, whether that's malware, a next-generation firewall or something else.

I think the key is to do your best, and don't be afraid to work with partners or others that have expertise on security and make sure you are keeping things current.

Read the full article, IT Security: Questions and Answers.
