Security is a constant worry when it comes to information technology. Data theft, hacking, malware and a host of other threats are enough to keep any IT professional up at night. In this article, we’ll look at the basic principles and best practices that IT professionals use to keep their systems safe.
The Goal of Information Security
Information security follows three overarching principles, often known as the CIA triad (confidentiality, integrity and availability).
- Confidentiality: This means that information is only being seen or used by people who are authorized to access it. Appropriate security measures must be taken to ensure that private information stays private and is protected against unauthorized disclosure and prying eyes.
- Integrity: This principle guarantees the integrity and accuracy of data and protects it against modifications. This means that any changes to the information by an unauthorized user are impossible (or at least detected), and changes by authorized users are tracked.
- Availability: This principle ensures that the information is fully accessible at any time whenever authorized users need it. This means that all the systems used to store, process, and secure all data must be functioning correctly at all times.
IT Security Best Practices
There are many best practices in IT security that are specific to certain industries or businesses, but some apply broadly.
Balance Protection With Utility
Computers in an office could be completely protected if all the modems were torn out and everyone was kicked out of the room – but then they wouldn’t be of use to anyone. This is why one of the biggest challenges in IT security is finding a balance between resource availability and the confidentiality and integrity of the resources.
Rather than trying to protect against all kinds of threats, most IT departments focus on insulating the most vital systems first and then finding acceptable ways to protect the rest without making them useless. Some of the lower-priority systems may be candidates for automated analysis, so that the most important systems remain the focus.
Assign Minimum Privileges
For an information security system to work, it must know who is allowed to see and do particular things. Someone in accounting, for example, doesn’t need to see all the names in a client database, but he might need to see the figures coming out of sales. This means that a system administrator needs to assign access by a person’s job type, and may need to further refine those limits according to organizational separations. Under such a scheme the chief financial officer will typically be able to access more data and resources than a junior accountant.
That said, rank doesn’t mean full access. A company's CEO may need to see more data than other individuals, but they don't automatically need full access to the system. An individual should be assigned the minimum privileges needed to carry out his or her responsibilities. If a person’s responsibilities change, so will the privileges. Assigning minimum privileges reduces the chances that Joe from design will walk out the door with all the marketing data.
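The role-based, deny-by-default check described in this section, as an added example that is not part of the original article: the roles, permissions, business units and resource names below are constructed for illustration. A user gets only what their role grants, further scoped to their own unit unless the resource is explicitly shared, and a change of responsibilities replaces the old grants rather than adding to them.

```python
"""Least-privilege access check (added example; all names are hypothetical)."""
from dataclasses import dataclass

# Role -> set of (resource, action) pairs the role may perform.
# Anything not listed here is denied, including for senior roles.
ROLE_PERMISSIONS = {
    "junior_accountant": {("sales_figures", "read")},
    "cfo": {("sales_figures", "read"), ("sales_figures", "export"),
            ("client_database", "read")},
    "ceo": {("sales_figures", "read")},   # rank does not imply full access
    "designer": {("design_assets", "read"), ("design_assets", "write")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    unit: str              # organisational unit the user belongs to


@dataclass(frozen=True)
class Resource:
    name: str
    unit: str              # organisational unit that owns the resource
    shared: bool = False   # True if every unit may use it


def is_allowed(user: User, resource: Resource, action: str) -> bool:
    """Deny by default: allow only if the user's role grants this action on
    this resource AND the resource belongs to the user's unit (or is shared).
    An unknown role has no grants at all."""
    grants = ROLE_PERMISSIONS.get(user.role, set())
    if (resource.name, action) not in grants:
        return False
    return resource.shared or resource.unit == user.unit


def change_role(user: User, new_role: str) -> User:
    """Responsibilities changed: return a user whose privileges are exactly
    those of the new role, so old grants do not accumulate."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    return User(user.name, new_role, user.unit)


if __name__ == "__main__":
    joe = User("Joe", "designer", "design")
    marketing = Resource("marketing_data", "marketing")
    print("Joe reads marketing data:", is_allowed(joe, marketing, "read"))  # False
    ann = User("Ann", "junior_accountant", "finance")
    sales = Resource("sales_figures", "finance")
    print("Ann reads sales figures:", is_allowed(ann, sales, "read"))        # True
```

The two separate checks matter: the permission table answers "may this role do this at all", while the unit comparison answers "on whose data". Keeping them distinct is what lets an administrator refine limits by organizational separation without rewriting every role.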
Identify Your Vulnerabilities And Plan Ahead
Not all your resources are equally precious. Some data is more important than the rest, such as a database containing all accounting information about your clients, including their bank IDs, social security numbers, addresses and other personal information.
At the same time, not every resource is equally vulnerable. For example, information stored on physically separated storage systems that are not connected to the main network is far more secure than information available on all your employees’ BYOD (bring your own device) hardware.
Planning ahead for different types of threats (such as hackers, DDoS attacks, or just phishing emails targeting your employees) also helps you assess the risk each asset might face in practice.
Identifying which data is more vulnerable and/or more important helps you determine the level of security you must employ to protect it and design your security strategies accordingly.
Use Independent Defenses
This is a military principle as much as an IT security one. Using one really good defense, such as authentication protocols, is only good until someone breaches it. When several layers of independent defenses are employed, an attacker must use several different strategies to get through them.
Introducing this type of multilayered complexity doesn’t provide 100 percent protection against attacks, but it does reduce the chances of a successful attack.
Prepare for the Worst, Plan for the Best
If everything else fails, you must still be ready for the worst. Planning for failure will help minimize its actual consequences should it occur. Having backup storage or fail-safe systems in place beforehand allows the IT department to constantly monitor security measures and react quickly to a breach.
If the breach is not serious, the business or organization can keep operating on backup while the problem is addressed. IT security is as much about limiting the damage from breaches as it is about preventing and mitigating them.
Backup, Backup, Backup
Ideally, a security system will never be breached, but when a security breach does take place, the event should be recorded. In fact, IT staff often record as much as they can, even when a breach isn't happening.
Sometimes the causes of breaches aren’t apparent after the fact, so it's important to have data to trace back through. Data from breaches will eventually help to improve the system and prevent future attacks – even if it doesn’t initially make sense.
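The integrity principle above says unauthorized changes should be impossible or at least detected and authorized changes tracked, and this section says events should be recorded so they can be traced back later. One mechanism that serves both is a tamper-evident audit log: each record carries an HMAC over its content and the previous record's tag, so editing, forging or removing a record breaks the chain. The code is an added example, not from the article; the key, actors and log entries are constructed for illustration.

```python
"""Tamper-evident (hash-chained, HMAC-authenticated) audit log.
Added example; the key and entries below are hypothetical test data."""
import hashlib
import hmac
import json

GENESIS = "genesis"   # previous tag used for the very first record


def _tag(key: bytes, prev_tag: str, content: dict) -> str:
    """HMAC-SHA256 over (previous tag || canonical JSON of this record).
    Canonical (sorted-key) JSON makes the tag independent of dict ordering."""
    payload = prev_tag.encode() + json.dumps(content, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, actor: str, action: str, target: str) -> dict:
    """Record who did what to which object, chained to the previous record."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    content = {"seq": len(log), "actor": actor, "action": action, "target": target}
    record = dict(content, tag=_tag(key, prev_tag, content))
    log.append(record)
    return record


def verify(log: list, key: bytes) -> int:
    """Return -1 if every record is authentic and in sequence; otherwise the
    index of the first record that fails (a modified, forged, or out-of-place
    record, or the record following a deleted one)."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        content = {k: v for k, v in rec.items() if k != "tag"}
        expected = _tag(key, prev_tag, content)
        if rec.get("seq") != i or not hmac.compare_digest(rec.get("tag", ""), expected):
            return i
        prev_tag = rec["tag"]
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # hypothetical; keep real keys in a KMS/HSM
    log = []
    append(log, key, "alice", "update", "sales_figures")
    append(log, key, "bob", "read", "client_database")
    append(log, key, "carol", "export", "sales_figures")
    print("intact:", verify(log, key))            # -1
    log[1]["actor"] = "mallory"                    # silent edit after the fact
    print("first bad record:", verify(log, key))  # 1
```

Two caveats a practitioner would add: the verifier needs the key, so the log itself cannot be trusted on a host where the key also lives; and a chain cannot notice that records were cut off from the end, so the latest tag should be copied periodically to a separate system, which is the same "keep a record elsewhere" idea this section is about.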
Run Frequent Tests
Hackers are constantly improving their craft, which means information security must evolve to keep up. IT professionals run tests, conduct risk assessments, reread the disaster recovery plan, check the business continuity plan in case of attack, and then do it all over again.
IT security is a challenging job that requires attention to detail at the same time as it demands a higher-level awareness. However, like many tasks that seem complex at first glance, IT security can be broken down into basic steps that simplify the process. That’s not to say it makes things easy, but it does keep IT professionals on their toes.