A guide to developing a holistic IT security strategy

Feb. 20, 2020
Many American companies record at least one IT security incident per week. What can companies do?

Cybersecurity incidents pose an increasing threat to companies. In extreme cases, they can even threaten a company's existence. It is therefore essential to recognize the danger, prepare for it and act accordingly. OTRS Group recently conducted a survey of 280 IT professionals worldwide[1]. A key finding was that the majority (61 percent) of all respondents say they deal with security incidents on a weekly or more frequent basis. This is a frightening result, and it seems that only a few of these incidents are reported at all.

In assessing how prevalent cyberattacks are for companies, 18 percent of respondents rated the security risk as very high. Half (50 percent) even stated that their company had suffered financial losses due to security incidents. Opinions differed as to whether the incidents were handled optimally: Almost half (49 percent) say that everything worked well, while the other half (49 percent) believe there is a lot of potential for improvement.

The survey results show once again the danger posed by security attacks. What can companies do? Develop a clear security strategy so that everyone responsible for mitigating a risk acts quickly and correctly in the event of an incident, keeping damage to a minimum.

As a security expert for OTRS Group, I would like to give the following advice:

Begin Pragmatically

Most large companies already have defined processes and cyber defense teams in place. Many small and medium-sized companies do not yet have a security process and have yet to work out their strategies. Overly complex processes often deter people from using them, so it is advisable to start small. Implementing a reporting office for security-related incidents is a good start. It is also a good idea to appoint a dedicated contact person (or team) who is responsible for security-related incidents and is trained on security issues.

Clear Definition of Security Processes - Regardless of Company Size

All companies - regardless of their size and including freelancers - should create clear processes and defined responsibilities for dealing with security-relevant events. The following questions should always be taken into consideration: When does a security incident become defined as an attack? When exactly does it have to be reported? Which data or processes must be particularly protected? How high can the potential damage be? Who must or may be informed about an incident? In what order and in what time frame must communication take place?

When developing processes, the important topic of reporting incidents to authorities and affected individuals should always be kept in mind. Clear, quick incident reporting is a key element of many data-related laws: the European Union's GDPR states that data breaches and losses of personal data must be reported to the responsible supervisory authority within 72 hours; California's Data Breach Notification Law requires reporting to both authorities and individuals about the status of the breach; and Brazil's General Data Protection Law (LGPD) stipulates that reporting must be done within a reasonable amount of time. Once the processes have been established, this notification can be completed quickly, so that no unpleasant fines have to be paid.

Do Not Hesitate to Call in Experienced Experts

In addition to basic data protection regulations, operators in critical infrastructure sectors are subject to further legal regulations regarding data protection and IT security processes. Companies do not always have the time to check the relevance of every possible regulation. For this reason, they should not hesitate to call in experienced external experts or to work with the Department of Homeland Security's Protective Security Coordination Division to identify and fix vulnerabilities.

Additionally, relying on guidelines or recognized standards, such as the ISO/IEC 27000 series, can help protect critical systems. Another example is TLP (Traffic Light Protocol), a proven information classification standard that supports the creation of a security process. Here, information is color-coded to indicate whether data may be passed on (and if so, to whom).

View Security as a Holistic Task and Record Processes Centrally

It is not unusual for me to find that the Corporate Security Officer and the Chief Information Security Officer have not worked together. This leads to delays, errors and misunderstandings. Therefore, my advice is to consider security as a holistic service: this service includes corporate security and cybersecurity, as well as any team responsible for privacy incidents, compliance violations and travel security. If, for example, an employee leaves his work mobile phone on the train during a business trip, all of these departments must be informed. People who otherwise work independently or in different teams must know how to pull together in a situation like this.

In order to ensure that all processes run smoothly and to document security events transparently, automated and specialized systems should be used. They act as the technical backbone of the IT security processes, support communication about an incident and store it in an audit-proof manner. They make it possible to define specific processes for the threat scenarios, grant users role-based approvals and enable encrypted communication between clearly authenticated users.

With automated systems, the error rate is low. Mapping all of these processes manually is a big challenge and risks a high error rate. In addition, working with a dedicated system allows for fast reactions at each step: the incident is reported quickly, emergency measures are initiated, management is informed, and the necessary teams can get involved. The PR team can work on any external communication that may be necessary.

IT Security is a Continuous Process That Needs to be Constantly Adapted

IT security processes are becoming an everyday part of business operations. Therefore, once they have been designed, the work is not over. Remember that regulations, processes and requirements can always change. A company is also subject to constant change. That is why security processes should always be questioned, evaluated and adapted. I also recommend constantly improving the know-how of specialist staff members and setting up your own IT security teams. Networking and engaging in constant dialogue with security managers in other businesses or industries are very helpful in this respect. There are numerous platforms and events for this, such as it-sa in Nuremberg, the FIRST Conference in Edinburgh, the RSA Conference in San Francisco or Black Hat USA in Las Vegas.

With these tips, companies can take big steps toward IT security and can face possible attacks with more composure.

About the Author: Jens Bothe is the Director of Global Consulting for OTRS AG and is responsible for advising our customers. With his team, he ensures that customers in any industry can use OTRS optimally. Jens Bothe has been with OTRS AG for over 12 years and has more than 15 years of experience with the software.

As director of global consulting for the OTRS Group, he offers comprehensive leadership and project experience. Structure, planning and setup of data centers; network design and monitoring; installation and administration of UNIX/Linux systems; and the creation of Unix-shell scripts for the maintenance of systems round out his profile.

Reference

[1] The survey was conducted online via Pollfish in September 2019 among 280 IT managers in Germany, the USA and Brazil (80 respondents in Germany, 100 respondents in the USA, 100 respondents in Brazil).