3 Simple Tips to Close Security Gaps in Your Organization

IT security is a complex issue. With the ever-increasing use of mobile devices and new technologies required for digital transformation, traditional boundaries and their risks are becoming blurred. In this article, you’ll find three simple tips which can be quickly implemented, and which have a significant impact on closing security gaps for any sized business.

Star Wars mug on the author's desk

“The more you tighten your grip, Tarkin….” Our author is a self-confessed Star Wars fan.

Companies are highly integrated with various networks, must provide their employees with up-to-date technology, devices and applications and always remain one step ahead of developments. Now more than ever, it’s the responsibility of IT admins to also ensure legal requirements are fully met. When you add it all up, it’s a truly galactic task.

The aim of this article is not to reel off common IT security recommendations or to present auditing strategies. Neither is it intended to join the many IT security providers offering solutions to constructed problems created by exaggerated risk assessments and distracting your focus from the actual dangers.

Instead, this article aims to give you ideas on how to identify steps which can be taken today to reduce systemic IT security gaps which allow you to make significant progress with very little effort and cost.

1. Employee Security Risk: Try Sensitization Instead of a Heavy Hand

Remember that scene in Star Wars: A New Hope? A defiant Leia Organa builds herself up in front of the dark Grand Moff Tarkin and says, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers”. An eerily precise description of the results of heavy-handed IT security measures.

And just as the defenseless Princess Leia’s home planet fades away in a cloud of fire and debris in the sights of the Empire’s flawless superweapon, so too does employee trust, productivity and willingness to cooperate when heavy-handed IT security policies are put in place. And not without consequences – what happens with the Death Star is well known. Inspired by the brutality of the Empire, a small group of rebels turn the Empire’s control tool into stardust…

It’s not good when IT admins brand the threatened as a threat and use their own valuable resources against their closest ally. Phishng and social engineering are among the biggest risks facing companies. Counterfeit instructions emailed to unsuspecting employees, where cyber criminals pretend to be their superiors and request funds to be transferred to their own accounts, have already been responsible for losses running into millions.

This type of cyberattack is often far more lucrative than traditional hacking, yet inexplicably, some in IT still believe that a firewall, virus scanner, and password offer significantly more protection than discussing with employees what can be done better, together, to counter these threats.

If the end user becomes the final opponent for IT admins, then the next security measure is not the Elysium of Security, but probably the bitter realization sooner or later that overly-enslaved employees become highly imaginative when it comes to creating unsanctioned parallel structures and workarounds that nobody has any control over.

Steps to take: No matter how sophisticated your IT system may be – as long as your workforce isn’t aware of the dangers posed by cyberattacks, it opens the door to potential attackers. So, before you invest any more hard-earned money in a shiny new security concept, set up a simple training course that shows employees how to recognize a fake email or website. Take a moment to consider how a planned security measure could help an employee make his or her work processes more secure (and also less complex!). Also, sit down and talk with your end users who are affected by these plans.

2. Check IT Complexity: What Was this Firewall Rule Again For?

Constantly increasing your IT complexity actually often backfires. Administrators face the challenge of maintaining process control and avoiding performance constraints. According to a recent study by dynatrace, IT teams are spending 30% of their time on just fixing performance problems.

In order not to lose track, documentation is highly important. Any changes made to your IT infrastructure should be fully documented and kept in a secure place (i.e. don’t save documented server changes on that server). But documentation also has its limits. If too many infrastructure components are recorded, it can quickly become time-consuming, confusing and the structures are difficult to understand, especially for colleagues standing in for others.

Infrastructure consolidation should also be regularly assessed. Can certain services be provided with one rather than two products? Do we really need the second firewall, or can the first one be modified, (maybe some product training would be helpful) and fully reach its potential?

If you work in a small or medium-sized business that doesn’t have a dedicated IT security team, simplicity should be your primary goal. Keep your environment simple – fewer servers, shorter distances, deeper expertise and better insight into the components you use.

Get trained wisely – not just for your career or the certificates. Get trained in such a way that you feel fully fit and are able to understand and explain your security concept (both technically and conceptually).

Steps to take: Turn off a server or service today that you no longer need. For areas where you feel unsure, look for training opportunities and eliminate your knowledge gaps.

3. Legacy IT: Insane in the Mainframe

Legacy systems and inflexible infrastructure components occur in some form or other in nearly every business. There is rarely a valid excuse for these legacy systems – they are often no longer updatable or even allowed to be renewed. You should actually feel guilty if you have been dragging these systems along with you for a longer time, but more importantly take a moment to question your reasons for doing so.

IT security is a fast-moving and dynamic area of business. Every component or system that is static and unchangeable doesn’t fit into this concept and needs to be replaced sooner or later. However, it’s inexcusable to not replace legacy devices or systems for cost reasons. Think about what could happen if the system failed tomorrow. What if the data on this system were to end up in the wrong hands by the end of the day? Can you really quantify the potential damage? You should also be thinking about the big picture – what opportunities is your business passing up on by using these old devices and systems?

Steps to take: If a legacy system or device you have in place has come into your mind, take a moment to list the reasons why you need to keep that system or device and bear in mind the questions in the previous paragraph. Are the reasons for keeping that old system or device really that important?

Conclusion

I hope that these three simple tips help you identify security vulnerabilities that are often not highlighted in the marketing brochures of expensive IT security solutions. Fear is used far too often to gain headlines and while aggressive sensitization is in some cases justified, we’re often distracted from the fact that the most dangerous security gaps are often not unlikely attack scenarios on servers but are those which are created by our own security concepts. The good news is that are own concepts can be easily improved.

So, I hope it is clearer now that IT security is not a unitary goal that is achieved once and for all, but a continuous journey that is far easier to accomplish if embarked on hand-in-hand with your colleagues, a clear timetable and without any heavy legacy baggage. And in that sense, may the force be with you.

Comments are closed.