As IT security evolves, employees must be kept in the loop about how to keep themselves and their organisations secure, says Joel Dolisy, CIO, SolarWinds
As the Internet of Things continues to grow, protecting the country’s economy, interests and infrastructure from cyber-threats has never been more important. Connected devices are opening up a wealth of opportunities for cyber-criminals to target government and public sector organisations, increasing the likelihood of data breaches or malicious attacks and even cyber-terrorism – the consequences of which could put national security at risk.
In order to help combat these threats, late last year law enforcement agencies from around the world took part in an international exercise to test how they would work together in the event of a large-scale cyber-attack. The exercise was called Silver Shadow, and was run by the UK’s National Crime Agency (NCA). Specialists from across Europe were challenged using Serco’s cyber exercising capability – cybX – which simulates a cyber-attack. It provided private and public sector organisations with the ability to see how they would prepare and respond to serious cyber-attacks.
The exercise encompassed a mix of scenarios, which challenged the ability of management and IT staff to identify and end a cyber-attack. The activity not only showed organisations how important it is to always be prepared for such an event, it also highlighted that in order for public sector organisations to secure themselves once a breach has happened they must communicate with their supply chain, customers and other stakeholders, including law enforcement, to ensure all bases are covered.
It is hugely important to ensure employees responsible for protecting public sector organisations from a breach have the skillset and the training to deal with a high-impact cyber-attack. But it’s equally important for the most up-to-date technology to already be in place. Even a team with an incredibly strong skillset won’t be able to defend against a cyber-attack without the right technological assistance. Furthermore, it’s important for the IT team to educate other employees about the importance of cyber-security and what they can do to help if the worst should happen.
The Silver Shadow exercise taught many IT managers that they should always be prepared and have an overview of what is going on within the network, which is a difficult task without the right tools. The IT department is often stretched, and in many cases network configuration is being carried out quickly, as opposed to accurately, by IT pros and leading to employees making unofficial and inaccurate network changes. One way IT pros should be looking to combat this in public sector and government organisations is by automating the network configuration process so the procedure can be carried out much more efficiently.
A recent survey from SolarWinds showed that 39% of organisations feel less vulnerable than a year ago, and the reason for this is improved patch management and the implementation of alerting tools. Automating the process means there can be scheduled network configuration backups and bulk change deployment for thousands of devices, all with minimal input from the IT pro and limiting concerns over insider threats.
Another tip is to block unauthorised devices from accessing the network by creating a policy which allows the team to track and monitor devices, switches and ports. To ensure maximum security, the IT pro can develop a “whitelist” of all the devices which are allowed access the network and set up notifications if a suspect device attempts to gain access.
Investing in a solution that can automatically monitor the network for any anomalies and alert administrators of any potential breaches, data leaks, unauthorised users or suspicious activity will give IT pros a better overview of what is going on in the network.
When dealing with sensitive data in public sector environments, it’s important that staff understand how vital security is. It seems simple, but many don’t understand the security risks associated with accessing unsafe websites, storing and accessing data via unsecure cloud services, using weak passwords and not properly encrypting sensitive information. One way of addressing this is for the IT pro to implement technical controls to limit user permissions, but this alone isn’t enough. It’s more effective to combine technical controls with employee education.
As IT security evolves, it’s important that employees are regularly kept in the loop about how best to keep themselves and the business secure. Human error can have a devastating effect when it comes to cyber-security so it’s vital that sufficient training is provided on the subject. IT and HR departments need to work closely together to develop in-depth, easy to understand training programmes, so employees can directly learn about breaches and their potential impact – and also become aware of their own personal IT security.
It’s great to see activities like Silver Shadow taking place and putting security back at the top of the agenda. But, according to the Online Trust Alliance, 90 per cent of data breaches that occur could have been prevented if the organisation had been prepared – by having the right technology in place and rolling out education campaigns for employees so hackers can’t access the network from the inside.
Technology and people complement each other best when they share the same priorities. Focusing on security means that when a cyber-attack becomes a realistic threat, the right protocols are in place to fend off the attacker.