Our "House of IT Security" has five pillars and a solid foundation.
The basis: everyday behavior
It seems common sense that IT security is ultimately based on conscientious behavior, but very often reality looks different. To do better, employees need to know the risks and how they can minimize them. If the workforce doesn’t pay enough attention to sensitive documents, hardware and passwords, the company will probably first have to draw attention to the problem and invest in knowledge – for example with an awareness campaign and training. In addition, a mechanism to reinforce conscious behavior in everyday work should be established, for instance by making IT security a performance indicator for managers: This will oblige supervisors to ensure data and system security.
Pillar 1: Clear rules for outsourcing
External IT companies provide cloud services, take care of workstations, dispose of hardware and data – and many things more. In recent years, the boom in cloud services in particular has driven outsourcing forward and made IT security even more important. Companies need clear quality criteria and security rules – such as a cloud framework and so-called whitelists – for all IT areas in which external parties are involved: What data do we need to encrypt? Who is allowed to use our systems and documents, and how? How often should we make data backups? Which cloud services are accessible to employees?
Pillar 2: Registering and managing critical incidents
It's a weekend – and yet someone is downloading large amounts of data from the network. This is unusual and may indicate abuse. To detect data leaks or cyberattacks early, companies can set up a Security Operation Center (SOC). The SOC monitors all systems and alerts in the event of anomalies. How does a company prepare for such incidents? For example, it should have a data backup process in place, a redundant email system available at all times, and a plan for informing customers, authorities and other stakeholders.
Pillar 3: Protecting indispensable systems
Depending on the industry, different IT services are indispensable for day-to-day business: for a bank, it’s the transaction system, for a logistics company the warehousing software, for a scientific institute the research database. In order to protect hypersensitive areas of IT, companies should exploit all resources, both technically and organizationally – limiting access rights very strictly, making extensive backups, regular pen tests and installing a central control unit. Every unusual activity has to be registered and it must be ensured that the systems remain available even in the event of a breakdown.
Pillar 4: Shielding sensitive data
It may be laudable if employees deal with company data and hardware thoroughly and carefully. This will make life harder for hackers. But in addition, the company should take technical precautions, for example with encrypted emails and drives. Moreover, a user concept is recommended that classifies systems and data and determines exactly who is allowed to access them.
Pillar 5: productivity with double bottom
Cybersecurity is good, but IT must also be physically protected. The company should not only keep its critical infrastructure up to date with the latest software. It should also be placed in a facility that can withstand a fire, earthquake or flood. In the best case, the company affords a backup system at a different location. If something goes wrong, you will need an emergency plan to quickly restore the most important lost data from the backup.
The examples described above are only a small sample. In our "House of IT Security", each of the supporting elements has around 20 sub-items. Using these criteria, companies can measure the degree of maturity of their IT security and plan the next steps in a structured manner. This way, the IT security building becomes significantly more secure within a reasonable period of time – without overburdening the organization.