How valuable do you consider the knowledge in your company?
Knowledge is power! The knowledge of the company is recorded in the information system. The knowledge must be protected from theft, tampering and deletion; for years, that has been the main requirement set for security. The General Data Protection Regulation (GDPR) has broadened the scope to include the impact that the knowledge at a company's disposal has on natural persons. Security measures and their extent depend on how valuable the knowledge in the company is to the executives, or on the extent of the risk that a leak of knowledge might cause.
At Primend, we create solutions for the people who want to make their companies more effective. That always includes the parameter of business continuity, a large part of which is the security of knowledge/data. We help to develop, manage, and increase the security of IT solutions.
Data security is a topic that cannot be overlooked in any area of life these days. Even the smallest of gadgets include some kind of sensors that measure and report. The data collected must be systematized and secured. Just as the number of devices collecting data has increased, there is also an increasing number of systems to store and systematize data and create reports. Frequently, such systems are not managed by the company itself but run in a cloud service, which in turn is hosted, for instance, in Microsoft data centers. For e-mail, the Exchange Online service included in Microsoft 365 is used, which in turn is closely connected to the group work solution Teams and the document storage SharePoint. There are various customer management solutions related to the services, which are in the data centers of either Microsoft or Amazon, sometimes also in private clouds. Such a dispersed structure presents major challenges to security arrangements, from the person using the system to the hard drives where the data is physically stored.
Security must be ensured in the device used by a person, in the network connection with the application server, in other related applications, databases and hard drives. Malware spread with fraudulent and phishing e-mails may impact data integrity in every node, and even by just a wrong click in a dialog box, it is possible to irrevocably destroy all the valuable data of a company, whether by deleting or partially corrupting the data, or encrypting all the data.
The best protection from cyber-attacks is well-trained employees, but complete knowledge about all topics is unfortunately an unachievable goal. Therefore, in addition to training, it is also necessary to apply technical measures. Where to start?
Where to start if you want to protect your company from cyber threats?
For cyber security, an organization must develop and formulate security standards. It is necessary to constantly assess the requirements, risks and risk management measures related to cyber security.
To develop a solution, you need to:
- determine and analyze the needs of the company,
- price and select technological solutions,
- develop technological protective measures,
- create an organization policy,
- apply technological measures,
- consistently repeat the process.
Every item has subsections containing many activities. The measures described below comprise a baseline that each company must achieve for a secure IT system. Everything should be automated as much as possible, so that detection of leaks and attacks would work and would not depend on people. On a broad scale, there are five topics:
1) Identity – user account by which data is accessed:
- Two-factor authentication, which means that in addition to a password, another device or PIN is used.
- One identity in different applications and systems. It is required for simplification of administration and application of security policies.
- Automatic identity protection. The system analyses information based on the behavior pattern of users, and if a deviation from the usual behavior is detected, blocks the user, or requires additional measures.
2) Equipment and applications – what is used and from where:
- Managed and controlled equipment – a permitted set of applications has been assigned for a device; limitation of user activity; software for attack protection and analytics. Data encryption with a company key for protection against third parties.
- For mobile equipment, apps are protected, and the device is centrally managed. In mobile equipment, data movement is only possible between protected apps, which require separately authorized access and encryption of the device.
- Analysis of the apps used and automatic blocking of apps.
- Limitation of access, so that users can download data only into managed equipment.
- Limitation of service access based on location (e.g., permitted from EU).
3) Networks – company network:
- Authorization of access with device and user identity.
- Automatic analysis of network traffic and countermeasures in the event of attacks.
4) Data – e-mails, documents, databases:
- Data classification: which data is located where, who uses it, and how.
- Data sharing rules in and outside the organization.
- Data handling policies – backup, deletion and storage policy depending on the nature of data.
5) Administration, monitoring, and incident handling:
- Every entry into systems or applications and any changes made there shall be logged.
- System administrators shall have the minimum rights they need for administration activities. Rights are issued based on request, for a limited time.
- System recovery plans in case there is an incident. It must be considered how and how fast normal business operations can be restored.
This article was published in Eesti Kaubandus- ja Tööstuskoja "Teataja" in April 2022.