Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
AUGUST - 20239 control, patching, hardening, MS Office macro settings, restricting admin privileges, patching operating systems, configuring Multi-Factor Authentication, and backup data.Other technology essentials are ­ endpoint protection (EPP), network firewalls, secure email gateway (SEG), and virtual private networks (VPN) with remote access management. Disaster Recovery (DR) configuration, strategy and procedure, and well-planned backup strategy are other strong points for businesses, especially with noticeable on-premises IT assets.In terms of processes, it is vital to formalise IT Security policies, work procedures and guidelines. This will require respective user education, which focuses on People's IT Security awareness training, ideally with tests and simulations. Approval of IT Security policies by the CEO will also engage executive leadership support and get more compliance from all users.It is hard to imagine any medium-sized business surviving in the modern threat landscape without having these essential controls implemented. Even if some of them are not in place or don't cover 100 per cent of IT assets and users, it is a matter of time before a cybersecurity incident happens. Recommended controlsBesides essentials, it is also recommended to invest in Data Leak Prevention (DLP), Secure Web-gateway (SWG), Cloud Access Security broker (CASB), and Vulnerability Management (VM) control. Processes could benefit from formalised Incident Response (IR) plan, periodic IT Security penetration tests, and third-party security assessments. Access to a professional Virtual Chief Information Security Manager (vCISO) is also a prudent measure.These controls help to address more sophisticated threats or decrease the severity of incidents if they happen.Advanced controlsIf the business has a high-value and low-risk tolerance, more advanced IT Security controls would include Security Information and Event Management (SIEM), Managed Detection and Response (MDR) delivered by a Managed Security Services provider (MSSP), Encryption of data at rest, and Cloud Access Posture Management (CAPM), especially for cloud-hosted IT Assets. An independent IT Security assessment conducted by a professional assessor could help highlight weak spots or define an IT Security strategy. Businesses can assess their IT Security posture against the most adopted Cyber Security frameworks, like ISO 27001 standard (Information Security Management System) or the National Institute of Standards and Technology (NIST - US department of commerce).Suppose a business invests in the development of its own business applications or strongly depends on e-commerce operations. In that case, these assets should be respectively covered by their own Application and Web-sites security controls. However, these aspects are outside of the scope of this article.ConclusionAs the closing remarks, IT Security is not a point-in-time static state but a journey, constantly reviewing all the threats mentioned above, controls, and challenges. Once implemented, many of these controls require daily, monthly, quarterly, or annual operations, maintenance, and review. Delivered either by in-house staff or outsourced to contracted MSSP, IT Security is an aspect of survival for many modern businesses, and this trend is only increasing.The adversaries need to succeed only once out of endless attempts, while security measures should always be on top of all threats. And as every business user now uses technologies, IT Security is everyone's responsibility.Stay safe! THE ADVERSARIES NEED TO SUCCEED ONLY ONCE OUT OF ENDLESS ATTEMPTS, WHILE SECURITY MEASURES SHOULD ALWAYS BE ON TOP OF ALL THREATS
< Page 8 | Page 10 >