The importance of understanding IT security
With cyber criminals operating around the world, it’s more important than ever that businesses start understanding IT security. After all, 86% of UK organisations expect cyber attacks to increase, and 33% of hacked companies admit to losing customers after a breach. Whether you are an individual, a business, a government department or a nation-state, IT security is something that should be taken seriously. In this guide, we aim to provide a broad overview to help you understand IT security: what it is, the different types, current threats and how to prevent them. The guide is designed to give you a basic understanding of why IT security matters rather than an in-depth analysis of one specific aspect of it.
What is IT security?
The term ‘IT security’ is often used interchangeably with ‘cyber security’, and refers to the practice of applying technology, procedures, controls and tools to protect data, networks, computer systems and devices against unauthorised access and malicious attacks. In a world where almost every aspect of a business is online, it’s clear how vital it is to protect IT systems against attack.
IT security vs. information security
IT security and information security are often confused. IT security is focused on protecting computer systems from malicious intent, while information security involves protecting information and data in both digital and hard-copy form. The two concepts are closely related and overlap in many areas, but the difference is worth distinguishing. For example, ISO 27001 is an internationally recognised information security management standard, whereas Cyber Essentials is a baseline IT security/cyber security standard.
Who poses a threat to your cyber security?
The majority of cyber attacks are criminal, state or terrorist directed. The primary threats to IT security are typically motivated by financial gain or the theft of sensitive information. However, this isn’t always the case. SMEs in particular can find themselves hacked without being directly targeted, either as collateral damage from an attack aimed at another organisation or simply because an automated scan found an unpatched system; this is why it’s vital that every business covers the basics. Individuals and groups each have their own motivations, but most can be grouped into the broad categories below. There are other threat categories, but these are the ones you are most likely to encounter.
Cyber criminals – Those who execute cyber attacks in pursuit of easy money, for instance by scamming victims over email. Anyone can commit cyber crime, from a teenager living with their parents to an organised crime gang.
Cyber spies – Those involved in cyber espionage, who obtain sensitive data or secrets without the owner’s knowledge. Typically cyber spying is commissioned by a competitor or rival; this could be at an individual, commercial or nation-state level.
Ethical hackers – Those who are authorised to hack networks and systems on behalf of organisations to test for vulnerabilities (see penetration testing below).
Hacktivists – A combination of hacker and activist. They are not out for financial gain but perform cyber attacks on companies and organisations as a form of protest.
Cyber terrorists – Similar to hacktivists but far more severe: cyber terrorists will usually have no qualms about causing serious economic damage and even loss of life as a result of their actions.
Malicious insiders – Internal users can be a threat to their own organisation, attacking networks and systems from the inside. This could be a dishonest employee looking to benefit financially or a disgruntled member of staff with a grudge who wants to harm the company.
The consequences of not having IT security
The importance of having comprehensive IT security measures in place to protect your business can’t be overlooked. There might be other aspects of your business that you leave to chance and get away with, but IT security isn’t one of them. Without adequate IT security measures in place, it’s only a matter of time before your business is breached. The impact of a serious breach is potentially ruinous, and reputational damage alone has destroyed companies faster than regulatory fines and lawsuits. Without exception, businesses large and small need to treat IT security as a core business component.
There are other benefits to maintaining a good standard of IT security. By showing that you take security seriously, you can inspire confidence and trust in your customer base, helping grow your business. Even entry-level IT security certifications such as Cyber Essentials are valuable to business growth, and Cyber Essentials is required for certain UK Government, NHS and MoD contracts.
Types of IT security
In the infancy of information technology, security was as easy as running some antivirus software on your computer. Older readers might remember Dr Solomon’s Antivirus Toolkit. In the modern digital age, however, IT security is much more complex, so we need to be aware of the different areas that cyber threats can affect.
Application security – Application security involves processes to ensure applications are kept secure by discovering and fixing security vulnerabilities at every stage of development and deployment. Ideally the application is checked for flaws during the design and development stages, but as this is not always the case, it needs to be protected after deployment too. Significant threats to application security include denial of service (including application-layer DDoS), SQL injection and cross-site scripting (XSS), to name a few.
Cloud security – Cloud services are becoming increasingly popular, allowing companies to rely less on internal infrastructure and hardware. Though many companies feel more secure having control over their data on-premises, businesses can use affordable cloud-based services, with applications and stored data hosted off-premises.
Cloud service providers typically have strong security practices in place, with dedicated security teams available to detect IT security threats. Additionally, they need to meet strict regulatory requirements and are regularly subjected to third-party audits to ensure their security systems are satisfactory. However, the myriad configuration options inherent in cloud services mean security flaws are often introduced through accidental misconfiguration. Plus, the ‘shared responsibility’ model means that organisations sometimes won’t even think about securing something they’re responsible for, simply because they don’t know it’s their responsibility. In broad terms the provider secures the underlying infrastructure, while the customer remains responsible for how services are configured, who is granted access, and the data placed in them.
Endpoint security – Endpoint security is concerned with protecting any device that is connected to an organisation’s network. These include desktop computers, mobile phones, laptops, tablets, servers and IoT devices. Endpoint devices can pose a significant risk to your cyber security posture, so endpoint detection and response (EDR) tools are needed. Ideally every device should have some form of EDR installed, or, in the case of IoT devices that cannot run an agent, be segregated at the network level. Modern EDR tools have evolved from traditional antivirus tools and are specifically designed for endpoint devices.
Network security – Network security is concerned with ensuring that unauthorised users can’t access your network. An intrusion with the intent to compromise your systems poses a multitude of risks to your organisation. Intrusion detection systems (IDS), some of which now use machine learning, can spot unusual traffic and alert security teams to a threat in near real time. Typical network security measures include using strong, up-to-date encryption standards, firewalls (including web application firewalls, WAFs), and ensuring you are up to date with patching the firmware on network devices such as switches and routers.
Disaster recovery / business continuity
The last type of IT security we will discuss is disaster recovery and business continuity. This covers what happens when a critical situation, either natural or human-made, impacts your IT systems, and how it is dealt with. An organisation must be proactive in ensuring that it has provisions to respond and return to its optimal operating state with as little disruption as possible. Putting together an effective Disaster Recovery Plan (DRP) is essential, and it should be able to cope with any type of disaster, be it an environmental emergency or a cyber attack. It will inform critical on-the-spot decisions about how best to react to the situation, and avoid making things worse.
Types of IT security threats
A whole book could be written on the different cyber security threats that can put your IT systems at risk. The ones listed below are the ones you’re most likely to encounter. Hackers and cyber criminals are continually coming up with new and ingenious ways to circumvent existing security measures, and security researchers are in turn finding better ways to stop them. So be aware that while these are some of the common threats, there are plenty more to contend with.
Advanced persistent threat
An advanced persistent threat (APT) is a targeted stealth attack, distinguished by the time and resources the attacker will spend to infiltrate a network. Once they have gained access, they can stay undetected for an extended period, stealing information throughout. This is in contrast to other attacks where the perpetrators tend to get in and out as quickly as possible. APTs are typically aimed at larger organisations, governments and other high-value targets. However, smaller businesses with less robust security are often used as a stepping stone: by compromising a poorly defended SME supplier, an attacker can mount a supply-chain attack against its larger customers.
Backdoor – A backdoor is a method by which someone can access a system without permission. This could be achieved using a piece of malware (more on that term later) such as a Remote Access Trojan, or RAT. Commonly a Trojan gets onto a computer when a user is tricked into clicking a link in an email and visiting a malicious website or opening an attachment (social engineering). Once the device is online and the Trojan is running on it, the attacker can perform many actions, such as accessing and modifying files, logging keystrokes, sending out spam emails, stealing data and much more.
Brute force attack
Brute force attacks are the digital equivalent of trying every combination on a safe or padlock. Attackers use automated tools and scripts to guess your password by trying every combination of characters or, more commonly, by working through lists of common passwords and previously leaked credentials. This is what makes weak and re-used passwords so damaging: if an attacker brute-forces a weak password, and you’ve used that password elsewhere, they now have the keys to your digital kingdom.
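From the defender’s side, a brute force attempt is usually visible in authentication logs long before it succeeds: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not code from the original page or from any product it mentions; it runs a sliding-window detector over a constructed sample of sshd-style syslog lines (the hostnames, addresses and timestamps are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in sshd's syslog format (example data, not from the page).
# 198.51.100.7 fails five times in five seconds and then succeeds; 203.0.113.9 fails twice,
# fifteen minutes apart, which is ordinary user behaviour.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[4321]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar 10 09:00:02 host sshd[4321]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Mar 10 09:00:03 host sshd[4321]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar 10 09:00:04 host sshd[4321]: Failed password for root from 198.51.100.7 port 51003 ssh2
Mar 10 09:00:05 host sshd[4321]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar 10 09:00:06 host sshd[4321]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Mar 10 09:05:00 host sshd[4322]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Mar 10 09:20:00 host sshd[4323]: Failed password for alice from 203.0.113.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Extract (timestamp, result, user, ip) from one sshd line, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window detector: alert when one source IP produces `threshold` failed logins
    within `window_seconds`, and alert again if that IP then logs in successfully."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # forget failures that fell out of the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        elif ip in flagged:         # a success from an IP that was just hammering us
            alerts.append(("success_after_brute_force", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a success after a burst of failures means the guessing worked. Note the limitation, too: a per-source threshold misses password spraying, where many addresses each try one common password against many accounts, so a production rule should also count failures per target account. The matching preventive control is account lockout or rate limiting on the login endpoint.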
DoS and DDoS attacks
A Denial of Service (DoS) attack is when an attacker attempts to bring down a server or network by flooding it with more traffic than it can cope with, so that it can no longer respond. The intention is to make it inaccessible to its intended users. A single-source DoS attack is relatively easy to mitigate: a firewall or rate limiter can block the source once it detects a large volume of unusual traffic from one origin. However, attackers can be accused of many things, but a lack of innovation isn’t one of them, and thus we now have DDoS.
A Distributed Denial of Service (DDoS) attack is when thousands of devices are placed under the control of an attacker (a botnet, covered below), who uses them to send meaningless traffic to a network or server. Just like a DoS attack, it floods the target with traffic, but this time it’s not so easy to stop, as it comes from thousands of different ISPs, geographic locations and device types (hence ‘distributed’). These sorts of attacks are mitigated with DDoS mitigation tools and services, typically upstream scrubbing services that absorb the traffic before it reaches you.
Whilst DoS and DDoS attacks don’t by themselves enable an attacker to steal data, they can effectively take your systems offline. They are also used as a distraction: an attacker launches a DDoS attack to draw attention away from another attack, such as a ransomware deployment.
Phishing – Phishing is one of the most well-known IT security threats. Its goal is to obtain sensitive information by masquerading as someone you trust. Typically a phishing attack is carried out by email, though it can also come via SMS (‘smishing’) or even a voice call (‘vishing’). A mass of emails will be sent out to thousands of people in the hope that even a small percentage will fall for the scam.
Usually, the phishing email will be designed to look as if it has been sent from a company or service that you know. Examples would be your bank, utility provider, PayPal, Facebook or even Netflix. It will then ask you to carry out an action such as ‘Urgent update required’ or ‘Login now to avoid your account being suspended.’ Often, as you might have noticed, there is a sense of urgency, which can lead to a user making decisions without thinking clearly. If the link is clicked, it will typically take the user to a fake website that captures the login information or personal details they enter.
Phishing emails sent en masse are often easy to detect: they may have poor spelling and grammar, a generic greeting rather than the user’s name, or a sender address that doesn’t match the organisation it claims to be from. Don’t rely on this, though; well-crafted phishing emails are increasingly common.
Spear Phishing – A subset of phishing, spear phishing uses a more refined approach. While phishing sends out thousands of emails at a time on the basis that it might hook a few ‘fish’, spear phishing targets an individual or a small group of people, for instance a specific department of a business. The email will contain names and personal details that make it look more trustworthy and less likely to be classed as spam, so the recipient is much more likely to act on it.
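Whether the lure is generic or spear-phished, the link usually gives it away: the visible text claims one site and the underlying address goes to another, the brand name is buried inside an unrelated domain, or the host is a bare IP address. The following is an added example, not code from the original page or from any product it mentions; it extracts the links from a constructed HTML message body and applies those three checks (the domains and addresses in the sample are made up, and the list of trusted brand domains is an assumed input).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (example data, not from the page): one link whose visible
# text claims paypal.com but points elsewhere, one genuine link, and one link to a bare IP.
SAMPLE_HTML = """
<p>Urgent update required. Login now to avoid your account being suspended:
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p>Questions? <a href="https://www.paypal.com/help">Visit our help centre</a></p>
<p>Or use <a href="http://203.0.113.5/pp">this secure link</a></p>
"""

URL_IN_TEXT = re.compile(r"(?:https?://|www\.)\S+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    # Crude approximation (last two labels); production code should use the Public Suffix
    # List so that names such as example.co.uk are handled correctly.
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_links(html, trusted_domains=("paypal.com",)):
    """Return [(href, [reasons])] for links that carry the marks of a phishing lure."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        target = registrable_domain(host)
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("raw IP address as host")
        shown = URL_IN_TEXT.search(text)   # does the visible text itself look like a URL?
        if shown:
            shown_domain = registrable_domain(host_of(shown.group(0)))
            if shown_domain != target:
                reasons.append(f"text shows {shown_domain} but link goes to {target}")
        for trusted in trusted_domains:   # brand name used as a subdomain of something else
            if trusted in host and target != trusted:
                reasons.append(f"'{trusted}' used inside unrelated domain {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

These heuristics are what a mail gateway’s link-rewriting or a user-awareness exercise teaches people to look for; they are cheap and catch the bulk of mass phishing, but a spear-phishing link on a freshly registered lookalike domain will pass all three, which is why training, reporting and technical controls have to work together.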
Social engineering – While the majority of IT security risks revolve around technology, human emotions can also be manipulated by cyber criminals who use psychological techniques to trick individuals into giving out sensitive information. Social engineering is often employed in spear phishing or whaling (spear phishing aimed at senior executives) attempts. It invokes emotions in the victim such as fear of authority, familiarity or urgency to manipulate them into taking actions that could compromise IT security.
Malware – Malware is an umbrella term for several different types of malicious software that attackers might try to install on your systems. Whilst there are many different variants with varying effects, they’re all bad, and there’s never an excuse for malware to be on any part of your IT infrastructure.
Ransomware – This type of malware encrypts a user’s files with strong encryption and then demands a ransom to unlock them. There are many ways this type of malware can get onto a user’s computer. A standard method is a phishing email where the victim unwittingly opens and downloads a file attachment. Once the ransomware is on the device, it will encrypt any important files (and any backups or network shares it can reach), and the attacker will typically ask for the ransom to be paid in Bitcoin or another cryptocurrency that is hard to trace. Once the ransom has been paid, the attacker will, in theory, provide the victim with a means of decrypting the files. However, as you can imagine, not all cyber criminals are men or women of honour, and some will take the money and run. Often enterprises will want to stay under the radar to avoid blemishing their reputation, and will quietly pay the ransom. The reliable defence is a tested backup kept out of the attacker’s reach (see below).
Spyware – Spyware is another type of malware whose aim is to track your internet activity and steal sensitive data. It can pass your activity on to unauthorised third parties, for instance data firms or advertisers. More seriously, it can also harvest banking and credit card information and passwords by monitoring login credentials.
Botnets – We briefly touched on botnets when we discussed their use in DDoS attacks. A bot is slang for a compromised machine that’s under an attacker’s control, and when many such bots are under the control of one attacker, it’s called a botnet. The device owners will be unaware, but this army of bots can be put to nefarious use. For instance, botnets can be used to send out spam emails, with little risk of detection for the ‘bot-herder’ (as the controller is known) and using the resources of other users’ devices. For obvious reasons botnets are often called a ‘zombie army.’
Protecting against IT security threats (Countermeasures)
The measures that you put in place to defend your organisation against cyber attacks will depend on factors such as the size of your business, your budget, and regulatory requirements. Many of the countermeasures you can implement to defend your enterprise against cybercrime are extremely affordable or even free, such as ensuring that you keep your software updated and enforcing appropriate password management.
Security hardware and software
Anti-Malware – Anti-malware software identifies, prevents and removes malicious software using a scanner. It detects known malware by comparing suspicious files against a database of previously identified malware signatures. Additionally, behaviour-based anti-malware will check whether a program acts suspiciously and, even if it doesn’t match a known signature, will flag it and warn the user that it could be dangerous. People are often confused by the terms anti-virus and anti-malware, but generally the products are the same; anti-malware is simply the more modern term.
Firewalls – A firewall is the first line of defence protecting you or your business from cyber attack. Essentially a firewall filters network traffic. It can monitor both incoming and outgoing traffic, scanning for any indication of suspicious activity, and if it identifies something that could be malicious, it will block it. Firewalls now come in many different types, with the latest additions being cloud firewalls and next-generation firewalls (NGFW). NGFWs offer more advanced protection than standard versions.
Intrusion Detection and Prevention Systems (IDPS) – An Intrusion Detection System (IDS) monitors a network for activity that might have malicious intent. Using signature-based and anomaly-based detection, unusual network activity can be detected and an alert sent to an IT administrator. An IDS is passive: its purpose is to analyse, detect and alert, not to block a threat. An Intrusion Prevention System (IPS), on the other hand, sits inline and will attempt to block the threat.
Unified Threat Management (UTM) – UTM combines multiple security solutions in an all-in-one device or service, essentially unifying your security functions so that they protect against threats in a simplified manner. Rather than having to pay for and look after multiple security devices, UTM typically offers anti-malware, a next-generation firewall, web filtering and an intrusion prevention system (IPS) in one package.
Backing up data
One of the simplest ways to protect your business or organisation against risks such as a ransomware attack is to back up your data and store a copy separately. It is essential that backups are encrypted, regularly updated, and kept offline or otherwise out of reach of an attacker who has compromised your network, since ransomware will also encrypt any backup it can reach. Test restores periodically so that, in the event of an attack, the backups are an effective way to restart your business.
Keeping software updated
It’s important to keep every element of your infrastructure updated. Operating systems, network device firmware, even email programs, are all entry points for an attacker if they’ve not been patched. Keeping on top of patching is a straightforward process, especially for SMEs, and is a key cyber defence. This also includes keeping your anti-malware programs updated!
Employee behaviour and awareness
The actions of employees can leave a business significantly exposed to cyber attacks. Statistics indicate that 43% of data breaches have taken place due to careless or malicious actions carried out by employees. So while you might be focusing your security measures on your networks and devices, it is the human factor that could be the most dangerous. A disgruntled employee could be the one who sabotages your network, or an employee could easily be manipulated by social engineering into endangering your IT security. At the very least staff should be made aware of security issues, but there should also be routine security meetings and regular IT security training to stress its importance.
Enforcing password management is an essential part of IT security for your enterprise and doesn’t cost a penny to implement. Employees should be educated to use a separate password for each account, never to use dictionary words as passwords, never to re-use passwords, and to change a password promptly whenever there is any suspicion it has been compromised. (Current NCSC guidance no longer recommends forcing routine periodic changes, which push users towards predictable variations; a password manager makes the separate-password rule practical.) A general rule of thumb for password security is the longer, the better.
Penetration testing – A pen test is a form of ethical hacking, essentially a safe way of pressure-testing your IT security by simulating a cyber attack. The goal of a penetration test is for a human to assume the role of an attacker and use their insight and ingenuity to find as many security weaknesses as possible in a defined set of IT systems. Penetration tests are tailored to the environment being tested, such as web or mobile application testing, internal/external infrastructure testing, and so on. For more information about the basics of penetration testing, why not download our free penetration testing white paper.
Security information and event management (SIEM)
SIEM is a security system that aggregates log files, alerts and events in near real time to give a holistic view of an enterprise’s security. All the alerts and logs from firewalls, endpoint security, anti-malware software (and so on) are stored centrally, to be correlated and analysed by the SIEM. This means the security team can identify and respond to potential threats faster. In addition to threat detection, SIEM log management is beneficial for regulatory compliance. An increasingly popular trend is to buy SIEM as a managed service, which provides businesses with technical expertise and 24/7 cover for an affordable monthly cost.
Vulnerability scanning vs. penetration testing – Enterprises are often unsure of the difference between a vulnerability scan and a penetration test. A vulnerability scan uses an automated tool to scan your network and systems for publicly known vulnerabilities and can identify equipment that could be vulnerable. Essentially it offers a surface-level view of existing vulnerabilities. This is in contrast to a penetration test, where a security researcher attempts to breach your defences in a controlled manner. The benefits of vulnerability assessment (VA) scans are that they’re cheap to procure and easy to run; they can easily be run every week or month. Ideally businesses should pen test annually, and keep on top of new security exploits with VA scans between penetration tests.
Final thoughts on IT security
IT security can be a minefield for businesses who aren’t prepared, from the threats that have the potential to do untold damage to your business to deciding on the right tools for your enterprise’s needs. But forewarned is forearmed, and as this guide has shown, once you start digging into the details, it’s all surprisingly straightforward. Good IT security is a modern business essential, and the basics, such as penetration testing, keeping all systems up to date, and security training, can be integrated into an organisation of any size.
For more best-practice tips on how to get started with your IT security, download our free 10 point security checklist that will take you step by step through the basics. Cyber Essentials is a UK Government-backed certification that covers the cyber security basics, making it an ideal first step in your IT security journey.