Important IT Security Requirements For Business Leaders
The adoption of cyber security skills and dedicated IT security departments has increased significantly in the last eighteen months, and it has become an issue that business directors, and especially CEOs, Financial Directors and of course CIOs and IT Directors, need to fully understand.
One of the most important practices is the use of Penetration Tests, which help to identify the issues and vulnerabilities in an organisation's current IT systems, the connections to and effectiveness of Cloud systems, and the use of BYOD (Bring Your Own Device). The objective of a Penetration Test is to understand the areas of weakness within your IT systems.
The issue this process has exposed is the shortage of IT security talent and professionals available to most organisations. There is a real professional skills gap that needs filling, and it is affecting most businesses today, but this information is not reaching the Board because many IT departments do not want the disruption that addressing it would cause. Most organisations are not hiring IT security staff from outside; instead they move existing internal staff into these roles without giving them the required and on-going IT security training.
When your IT security function is hiring people for the business, ask: do they intend to use, and are they using, Penetration Testing, and are they providing their staff with a comprehensive and on-going training programme that will help to ensure IT security?
Every quarter the Board should be given a clear Report and Presentation of the IT security that is being undertaken within and around your organisation – ensuring the internal systems, the BYOD network and security requirements are being followed and improved upon.
The Penetration Test should be treated like the Financial Audit, but unlike the financial audit it should not be set at a fixed time of year. It should be undertaken at random times that do not necessarily fit the IT schedule, and it should not be agreed with the IT department but authorised by the CEO. It should go deeply into the current IT systems and their links to outside parties, and it should fully establish the weaknesses and connections that have been, or could be, used to break into the IT systems.
The people doing the testing must have an IT security background and be very up to date in their understanding of current IT security issues, how to overcome them, and how to improve security internally.
A full map and comprehensive explanation of the systems should be kept securely and continually added to and improved. This map should be used to explain the systems to the Board and engage them, so that they clearly understand the systems, the issues that might affect them, and what would be done if a successful hack or attack takes place.
It’s not just data and documents that can leak sensitive information about your business and customers. Human interaction is often the cause of some very damaging security breaches. Social engineering is the industry term for a fraudster using knowledge of relationships to gain access to information that would otherwise be unavailable.
Once again, communicate clearly to your employees what kind of information, if any, should be provided to outsiders without proper verification or permission. Those outsiders could be reporters, competitors, salesmen or simply criminals trying to steal from you.
The most important, and easiest, mitigation for this vulnerability is to communicate and enforce strong password practices across the applications you own. In many cases systems should require password resets every few months and at varying times; this keeps fraudsters guessing.