Despite a steadily increasing risk landscape, many organisations continue to struggle to fully address information security vulnerabilities within their IT infrastructure. Many companies have outdated IT environments that have evolved through the addition of more and more systems, leading to an architecture that can become very difficult to navigate and protect. When security incidents, government enquiries and compliance violations arise, a poorly managed data environment can become a significant problem.
Conversely, organisations that have a sophisticated IT environment are more secure, resilient during regulatory investigations and achieve greater cost savings.
The following nine tips will help organisations strengthen their IT infrastructure, so they are well prepared for legal and regulatory matters, able to react quickly in the event of an incident and, if necessary, able to restore critical systems quickly.
#1 Prioritise information security
IT security is first and foremost a critical business issue that requires buy-in from senior leaders. Without their endorsement, it will be a challenge to influence change and secure the budget necessary to implement meaningful IT security measures. First determine the company's position and build a business case that demonstrates the strategic value IT security provides, including that it serves as a prerequisite for digital transformation. The type of protection, prevention and response measures needed will depend on:
- The organisation’s risk appetite. Would the business survive if it had to shut down for a month? What happens if all data is lost due to a security or disaster incident? Can the business start all over again?
- The industry: Various industries are subject to compliance rules to protect customer and employee data and meet other obligations. These requirements must be taken into account when establishing security controls.
#2 Train employees
Security must also be supported via training, awareness and corporate communications. Draw attention to IT security issues in internal newsletters. Educate new employees on the company values during onboarding. Conduct regular campaigns and training.
Train employees so that everyone is pulling in the same direction, as security will only be as strong as its weakest link. For example, if employees use easy-to-guess passwords or don't change the default password on software, attackers have an easier time.
#3 Maintain data backups
No matter how secure, an organisation cannot protect against everything. Therefore, backups maintained in a separate location from the primary systems are critical. This will ensure that data and systems can be restored even if large systems are shut down or large volumes of data are lost.
#4 Regularly analyse vulnerabilities
The network must be kept up-to-date. For example, the use of personal devices has become commonplace in most organisations as a result of the rapid shift to remote work at the start of the pandemic. This opened the door to an array of new risks.
Therefore, visibility into such weaknesses must be developed: applications and systems should be examined for vulnerabilities, for example in penetration tests. IT teams must maintain a budget to conduct regular tests.
#5 Take countermeasures and identify risks
Once vulnerabilities become known, they must be assessed. Not all are equally important or addressable. For important IT structures, take countermeasures. All others need contingency plans, which IT staff must be aware of.
#6 Conduct fire drills
How long does it take to reset a system? How will downtime be handled? All potential crisis and incident scenarios should be run as real-life exercises, not just in theory, to test the incident response plan.
#7 Regulate permissions
Identity management is an essential pillar in a robust IT security programme. Each user should only have as many licences as they need. Avoid accounts that hold more permissions than their role requires. This becomes more important when moving to the cloud, as it opens up new vectors for information to spread or become exposed. Systems should be designed to automatically revoke rights when employees leave the company or change positions.
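One way to mechanise the revocation rule above, as an added example that is not part of the original article: a joiner/mover/leaver reconciliation in Python that compares an HR roster with the entitlements accounts currently hold and emits disable or revoke actions. The role profiles, user names and entitlement strings are constructed sample data, and the real sources (HR system, directory) are assumed to be fed in as the two dictionaries.

```python
"""Access reconciliation: leavers are disabled, movers lose entitlements
outside their new role, orphaned accounts (no HR record) are disabled.
Added example; roster, profiles and entitlements are constructed data."""
from dataclasses import dataclass

# Constructed role profiles: the entitlements each role may hold.
ROLE_PROFILES = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "finance-manager": {"erp:read", "erp:approve", "reporting:read"},
    "it-admin": {"ad:admin", "vpn:user"},
}

@dataclass
class Finding:
    user: str
    action: str                      # "disable" or "revoke"
    entitlements: frozenset = frozenset()

def reconcile(hr_roster, access):
    """hr_roster: user -> (status, role); access: user -> set of entitlements.
    Returns the corrective actions, sorted by user name."""
    findings = []
    for user, ents in sorted(access.items()):
        record = hr_roster.get(user)
        # Leaver or orphaned account: the whole account is disabled.
        if record is None or record[0] != "active":
            findings.append(Finding(user, "disable", frozenset(ents)))
            continue
        # Active user (including movers): keep only the role profile.
        allowed = ROLE_PROFILES.get(record[1], set())
        excess = set(ents) - allowed
        if excess:
            findings.append(Finding(user, "revoke", frozenset(excess)))
    return findings

# Constructed sample: alice moved from manager to analyst, bob left,
# carol has no HR record, dave is in good standing.
HR = {"alice": ("active", "finance-analyst"),
      "bob": ("terminated", "finance-manager"),
      "dave": ("active", "it-admin")}
ACCESS = {"alice": {"erp:read", "erp:approve", "reporting:read"},
          "bob": {"erp:read", "erp:approve"},
          "carol": {"vpn:user"},
          "dave": {"ad:admin", "vpn:user"}}

if __name__ == "__main__":
    for f in reconcile(HR, ACCESS):
        print(f"{f.action:8} {f.user:6} {sorted(f.entitlements)}")
```

Running the reconciliation on a schedule (or on every HR change event) turns the "automatically revoke rights" requirement into a repeatable control whose output can be audited.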
#8 Encryption should become the norm
To prevent information leakage, emails, for example, should be sent in encrypted form. This also applies to internal emails. If data is copied to removable storage media, it should also be encrypted.
#9 Monitor continuously
Bulletproof IT security does not exist, and systems, applications, countermeasures and detection measures must constantly evolve. Therefore, an essential component of maintaining IT security is monitoring of internal systems, networks and processes, so it is possible to quickly distinguish the normal state from suspicious or red-flag activity.
The field of IT infrastructure security is vast. Organisations can start with one step and gradually improve the environment’s resilience. This will support attainable, sustainable success over the long term. In case of doubt or damage, consult external advisors. IT infrastructure security starts with the boardroom and ends with every single employee, network, system and application.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.