By Marc Guardiola, CISO and Lead Architect at Solvinity
Three quarters of those responsible for IT do not have a complete picture of their own resilience. A fresh start is the best solution.
How sure are you of your organisation’s resilience? That’s a question of conscience, but I’m deliberately asking it. There is a lot going on in the field of security: Europe has taken the reins with the AVG (the GDPR), the National Cyber Security Centre is sounding the alarm about increasing threats and digital vulnerabilities, and now we’re also working en masse from home, often on devices and via networks that the IT department has little insight into.
In the 2020 Solvinity Security Awareness survey we asked 500 Dutch IT managers whether they believe their organisation has the security of its IT environment under control. 25.9% are certain of this, 62.4% “feel they have”, and the rest think not or simply have no idea.
These numbers aren’t very good. Certainly not when you realise that your organisation carries an important responsibility, both legally and morally, for all the sensitive data of customers, employees and partners in your systems, and for your trade secrets, which, according to the NCSC, are being fiercely fished for by ‘state actors’. It’s not very pleasant to have to admit that you actually do not have a good idea of how vulnerable you really are.
How do you regain control?
So the big question is: what needs to be done to be able to confidently say that you have the basic security of your organisation in order?
In order to answer that question, it helps to realise that security in IT has long been an afterthought. It has now become a crucial part of any IT environment, but it was actually only ‘thought about’ later. Compare it to a car designed to go forward as fast as possible. If you have to build in brakes, seat belts, airbags and crumple zones afterwards, you make things very difficult, especially in a moving car. The chance that the car ends up better looking or faster is virtually nil, which also makes your customers very unhappy.
The same applies to cybersecurity. The sooner you include cybersecurity in your policy and design, the better. Security by design, incorporating cybersecurity into every design and process from the ground up, makes everything much easier. From the start it ensures that you build up a good picture of all measures and of all the vulnerabilities you’ve knowingly had to accept, so that you always know where you stand. If that insight is missing, you can never say with certainty that you are ‘in control’.
Direct updating and patching
Security by design helps to facilitate processes that are crucial for the security of your organisation. A good and important example is updates and patches, which are regularly released to fix vulnerabilities in all kinds of hardware and software. In our research, no less than 80% indicated that not all updates and patches are always installed. And when it does happen, it often takes longer than necessary. It’s important to find a good balance between patch testing and the speed at which patches are installed on production. In addition, it’s important to have an urgent procedure on the shelf for the genuinely risky vulnerabilities. When building new environments, it makes sense to look at automated testing: when testing is automated, the time it takes to get a patch onto production can be significantly reduced.
There are often apparently good reasons for not installing patches on time, for example the fear that an update could disrupt critical business processes. But in most cases those are actually excuses for something that could have been avoided by thinking about how to handle updates and patches much earlier. Many companies tend to put off updates and patches because they don’t want to take any risks. But the reality is that the longer you wait, the more complicated it gets.
According to Watchguard, 70% of all malware currently consists of ‘zero day attacks’: attacks that specifically target systems that have not yet been patched. So the longer you wait, the greater the risk. Furthermore, the risk of updates causing problems simply becomes much higher when you try to install multiple updates and patches at the same time.
A standard procedure for rolling out updates and patches quickly and securely makes it much easier to identify the cause of potential problems and to roll back if necessary. It ensures that your organisation is much less vulnerable to exploitation of known vulnerabilities, reduces the chance of major failures, and makes it much easier to identify and resolve any problems.
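The two-track patch procedure described above (an urgent path for genuinely risky vulnerabilities, a test-then-production path for the rest, and a check against batching too many changes into one window) can be written down as policy code. This is an added example, not Solvinity’s tooling or survey data; the SLA days, severity names, batch limit and sample backlog are constructed assumptions.

```python
"""Two-track patch triage with overdue and batching warnings.
Added example: severities, SLA days and the sample backlog are assumed."""
from dataclasses import dataclass

# Assumed maximum days a patch may wait, per severity, before it is overdue.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
URGENT = {"critical"}   # severities that take the urgent track
MAX_BATCH = 3           # more patches per window than this makes root cause hard to find


@dataclass
class Patch:
    name: str
    severity: str       # critical / high / medium / low
    days_pending: int   # days since the vendor released the patch
    tested: bool        # passed the (automated) staging tests


def triage(p: Patch) -> str:
    """Return the next action for one pending patch."""
    if p.severity in URGENT:
        return "urgent: deploy to production now, test in parallel"
    if p.tested:
        return "deploy to production"
    return "run staging tests"


def overdue(p: Patch) -> bool:
    """True when the patch has waited longer than its severity allows."""
    return p.days_pending > SLA_DAYS[p.severity]


def plan(patches: list) -> dict:
    """Build the change plan and flag the risks the text warns about."""
    actions = {p.name: triage(p) for p in patches}
    late = sorted(p.name for p in patches if overdue(p))
    to_prod = [n for n, a in actions.items() if "production" in a]
    warnings = []
    if late:
        warnings.append("overdue: " + ", ".join(late))
    if len(to_prod) > MAX_BATCH:
        warnings.append(f"{len(to_prod)} patches in one window; split the batch to keep rollback simple")
    return {"actions": actions, "overdue": late, "warnings": warnings}


# Constructed sample backlog, not figures from the survey.
BACKLOG = [
    Patch("kernel-fix-a", "critical", 1, False),
    Patch("openssl-fix-b", "high", 10, True),
    Patch("webapp-fix-c", "medium", 5, False),
    Patch("office-fix-d", "low", 100, True),
]

if __name__ == "__main__":
    for key, value in plan(BACKLOG).items():
        print(key, value)
```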
Testing, reviewing and reinstalling
Many people ask us for a solution to better secure their existing IT infrastructure. At the same time, they would like to be able to work more flexibly, faster and more pleasantly. When you recall the analogy of the fast car, you understand that this is not ideal. Just keeping track of how the current infrastructure works, how all the dependencies work, which configurations have been selected and where which vulnerabilities have arisen is extremely time-consuming and hence very expensive. Worse still, you then have to try to make a fundamentally insecure system resilient. Anyone who has ever fixed a bicycle tyre knows that once a tyre has been flat, a new tyre is always the best solution.
Of course it’s possible to do a lot afterwards. You can have vulnerability tests and a (costly) security audit carried out; you can have the firewall rules and your hardening checked (a huge job). In essence, you have to have your entire IT environment reviewed and make a conscious choice everywhere: which rights do you allow? Which ports do you open and why? Which measures have what consequences elsewhere in the chain? It is possible, and we also do it for some customers. But in the vast majority of cases, a full re-installation is by far the best choice.
Cleaning up and simplifying
By rebuilding the IT infrastructure, you can apply security best practices, ensuring that all IT is hardened from the start and all configurations are carefully documented. By building the infrastructure securely from the outset, you create the insight that is essential to regaining control of a system. Moreover, a re-installation is an excellent opportunity to clean up and simplify the infrastructure, for example by saying goodbye to obsolete or unused components, or by switching to more flexible, safer alternatives that are easier to manage.
An IT infrastructure that is built ‘secure by design’ is more secure and much easier to manage. It provides insight that is useful for compliance and audits. It also makes your security policy much simpler. Every organisation is regularly faced with changes, such as the installation of updates and patches, the implementation of new solutions or the addition of new users. By making these types of adjustments part of a safe standard procedure, they can be implemented quickly and with confidence. It is the best way of being able to answer in our next Security Awareness survey that the IT environment is fully under control again.