[BreachExchange] Why IT support and security are not the same thing

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 16 15:07:22 EDT 2016


http://www.bizjournals.com/bizjournals/how-to/technology/2016/09/why-it-support-and-security-are-not-the-same-thing.html

After 25 years in the information technology (IT) industry, you start to
see some trends.

One of the most troubling patterns I’ve noticed recently is that many
business owners equate IT support with network security; they believe that
because someone is managing their infrastructure, they are largely
protected from any breach or significant data loss.

While I understand the cause of this mindset (inflated promises from the IT
industry itself are at least partly to blame), the false sense of security
becomes increasingly dangerous as cyberattacks continue to evolve in the
worst sort of way.

Security elements covered by standard IT support

With your basic network management — whether it’s in-house or outsourced —
you’ll get a certain level of protection. This usually includes:

• Patching for your servers and workstations to eliminate vulnerabilities
• Anti-virus, anti-spyware, and anti-malware to prevent infection
• A spam filter to catch most shady emails
• An updated firewall to protect from threats from the web
• A strong password policy
• Restricting data to only the people who need it
• File/server backup of some sort

All of these elements are a fantastic start — and critical to the overall
health of your infrastructure — but they aren’t enough to keep you truly
secure.

Security elements NOT covered by standard IT support

If IT support is all you’re relying on, you’re likely not properly
addressing:

• Business continuity planning (beyond pure disaster recovery)
• Intrusion detection and response planning
• Policies including employee separation, equipment use, mobile device use,
etc.
• Any encryption needs (hardware, email, etc.)
• Any compliance requirements
• The kicker: employee training

What’s more, gaps in these areas can completely undercut any technology
controls you’ve implemented.

A well-intentioned but uneducated employee could very easily, for example,
choose to download an unexpected attachment labeled “invoice.exe” and
suddenly infect your network with ransomware. And if your team then doesn’t
know how to properly respond to the infection, you’re only giving it more
time to spread to every corner of your network, and possibly to your only
hope for recovery: your backups.

Most IT resources will be able to provide you with direction regarding some
or all of these elements, but it’s going to take a commitment of time from
your leadership and your staff as a whole, and an investment beyond what it
takes to keep your technology running.

How to break the cycle

If your business sticks to the paradigm that regular network management in
itself is keeping your data safe, you risk finding out the hard way that
this isn’t actually the case.

One way to make sure you’re forced to accept “IT” and “security” as
separate entities is to create a dedicated budget line item for each. This
way you are quite literally drawing a distinction between the two, and can
properly allocate funds to each initiative.

Beyond that, make sure you’re working with a partner that understands the
severity of the issue at hand, and can help guide your business forward
safely and thoughtfully.