Every company may become the target of cyber-attacks, since it has value as a business and as a holder of customer databases. So cybersecurity considerations are just as important as management ones. As the company's information technology infrastructure develops, the efficiency of IT security management should be considered.
A study of attitudes toward information risk shows that 24 per cent of IT specialists are concerned about the growing complexity of IT infrastructures and see this trend as a threat to security. In their opinion, the more complex the infrastructure, the more difficult it is to manage, and the more opportunities there are for cybercriminals to breach the perimeter of the corporate network.
The growing complexity of IT infrastructure
As a company grows, its corporate IT infrastructure expands accordingly as new elements are incorporated. For example, mobile technologies that enable employees to work remotely make a business more flexible, but place a significant additional burden on the infrastructure.
Each new implementation adds elements to the information system, and the more elements there are, the more vulnerabilities there will be.
Therefore, as business processes become more complex, the management of the IT infrastructure must adapt to include security tools.
Kaspersky Lab estimates that an IT specialist at a small or medium-sized business is typically so busy with routine tasks and requests that they can dedicate no more than 15 minutes a week to managing information security. In the absence of a systematic approach to security, it is only a matter of time before an incident occurs that can take days to mitigate.
So how do you start to work systematically?
Firstly, you need to choose a reliable and comprehensive security solution that will make it easier to protect your IT infrastructure and meet the needs of your business. The right security solution will offer tools that include device security for different operating systems, traffic filtering, and software updates.
Secondly, once the solution is in place, you can start to work with specialists. The more complex the infrastructure, the higher the degree of expertise required to manage the security. You will need appropriately skilled specialists on the team to service your information system, or a third-party partner with deep IT expertise who will be able to help in an emergency. And, importantly, you should always have a plan in place to react to emergencies.
Managing IT infrastructure
There are two options when it comes to managing IT infrastructure.
The first is to manage everything in-house – some IT professionals believe that this is the only way business processes can be fully automated and security properly ensured. But it’s important to stress here that if you decide to manage your IT by yourself, there will always be hiring costs involved. Many businesses end up employing a team of highly specialised IT experts to manage their infrastructure on a daily basis and carry out risk and modification management.
The other option is to delegate the work to a contractor. External IT management professionals can often perform the task much better, but employing them directly may be expensive. Both options can be equally effective, depending on the nature of the business.
For example, a private car dealership may prefer to outsource most of its IT infrastructure to a third party and maintain a small set-up for day-to-day operations. In this case, it would be too expensive to manage the entire infrastructure in-house, while a third party could offer advantageous commercial terms and high-quality expertise. A commercial bank, on the other hand, will be in the opposite situation, with a diverse IT network that needs tight control.
Information security for proprietary IT infrastructure
If you choose to own your IT infrastructure, make sure you have a team of specialists capable of maintaining smooth operations. This can be either your own staff or an outsourced team assigned to the task. Ensure that they develop an infrastructure security plan that includes answers to the following questions:
- How will access to corporate computers be protected?
- Will data be encrypted?
- If an employee leaves the company, how will his/her account be disabled?
- How will communication channels and virtual workstations be protected?
- Is it possible to protect employee mobile devices in such a way that sensitive data does not fall into a cybercriminal’s hands if a device is lost or stolen?
Once you know the answers to these questions, you can be certain that your corporate IT system is securely protected.
Information security for outsourced IT infrastructure
Before you decide which company to outsource your infrastructure to, check its security protocols and the results of previous projects. Then, as above, ask the potential contractor several questions concerning IT security:
- What IT security tools does the contractor use to protect infrastructure?
- Is it possible to remotely monitor the status of the network?
- How will the protection of communication channels be arranged?
- How are data backup procedures arranged?
- How is data restored from backup copies?
- How is storage protected – for both basic and backup data?
- How will IT security training be provided to your company’s employees? This point is especially important to prevent cyberattacks that use social engineering as a method of intrusion.
In addition, if you have at least one position for an IT consultant on your staff, this consultant will be able to speak the same technical language as the contractor, and help address technical issues much faster. The potential answers to these questions will help you understand whether the contractor is ready to ensure both the effective performance of your infrastructure and the protection of your data from cybercriminals.
Your IT infrastructure powers your organisation. New technologies and trends such as mobility, big data, bring your own device, the cloud and customer focus bring benefits, but at the same time place pressure on your systems. Each new development will introduce new security vulnerabilities that need to be addressed. If you take control of your IT infrastructure security today, you will be ready for tomorrow.
Words: Konstantin Voronkov, head of Endpoint Product Management at Kaspersky Lab