Drafting an IT security strategy - A guide for CIOs


We are a little past the halfway mark of the year and the number of data breaches in 2018 is already hitting 600, with 50% of those affecting businesses related to retail, tourism, transportation, utilities and other professional services that have a direct impact on millions of people around the world. According to research conducted by the Ponemon Institute, the average cost of a data breach per compromised record is $148 globally. The study reports that it takes an organization 196 days, on average, to detect a breach.

We live in a time where data can be more precious than gold. Data breaches can pose a grave threat to businesses as a customer’s trust, once lost, is not easily regained. Data security entails protecting digital data from attacks by hackers, security breaches, or even accidental deletion. To help you better understand the importance of data security in this day and age, we are doing a blog series on data security that can act as a reference for CIOs and IT Admins to combat cyber attacks and protect their precious data.

To begin with, having a tight and effective IT security strategy in place can save your business from the damaging consequences of a breach. In this introductory article, read about some of the vital components of an efficient IT security strategy.

IT security roadmap

The foundation of an efficient IT security strategy lies in creating a roadmap while also understanding the security goals and the current security status of your business. Start by identifying what you want to protect - from hardware to cloud, and everything in between. It is essential to note every potential point of a cyber attack. This will not only help you to understand the risks, but also highlight where you’ll need to make the required technology investments to secure your business and its data. When it comes to cyber security, proactive action is the key.

Manage user privileges

To help secure data and detect breaches, it is crucial to manage who has access to system data. Develop strict security boundaries by classifying user permission levels and the kind of data that each level can access. Limiting administration privileges to a small number of accounts will reduce the risk of compromising data security.

Mobile security plan

Don’t make the mistake of overlooking mobile device management when it comes to your overall security strategy. Mobile malware is a growing threat as it can invade mobile devices when users download games or applications from untrusted sources. According to the Mobile Data Threat Report Q4 2017 by MobileIron, of the several types of threats and risks that affected mobile devices around the world, the critical threats were the ones that affected the OS. Threats often find their way in through cellular networks, Wi-Fi networks, or applications carrying malware, adware, spyware, etc. In order to protect their business, CIOs must keep current on the kind of mobile security threats that are happening around the world and find the right tools to safeguard the devices under their control. For example, solutions like Appthority can help protect data privacy as well as detect and manage threats by providing actionable threat intelligence.

It is imperative that employees are made aware of the risks that their mobile devices pose. As part of the IT security protocol, among other things, employees should be advised to:

  1. Install anti-virus software on their mobile devices

  2. Secure devices with a PIN/Password

  3. Avoid clicking or downloading suspicious links/applications

  4. Access the internet only from trusted wifi networks

  5. Comply with internal IT security measures.

IT departments should also have a disaster management policy in place in case of theft or loss of an employee’s mobile device to make sure that important data is not accessed by an outsider. Steer clear of “ghost passwords” - passwords and accounts of ex-employees - to prevent the continued access of ex-employees to your internal system. You never know the extent of damage a disgruntled ex-employee can cause to your business.

Cloud security

In our own journey to digitization, we here at Documo manage all of our documents in the cloud both for collaboration and convenience purposes. However, with cloud storage comes the risk of data leakage. Along with digitization, CIOs should also address the risk of data leakage through the cloud services that they use. It is an absolute necessity to study the security guidelines that your cloud service provides.

Always take the extra step to ensure data security. As part of your IT security strategy, you can blacklist applications that you do not want your employees to use for exchanging data.

Incident management plan

The next essential component of a well-rounded IT security strategy is forming an incident management team - the A-team who would investigate and analyze an incident as soon as it is detected. The incident management team is responsible for studying an incident and presenting a report on the severity of the incident, damages that it may have caused to the system and the business, and steps to be taken to mitigate the damages.

ISO/IEC 27035:2016 lays out five stages of IT security incident management:

  1. Prepare an incident management plan and an efficient team to deal with incidents

  2. Identify and report IT security incidents

  3. Assess the incidents and make decisions about how they should be addressed

  4. Respond to the incidents by containing, investigating, and resolving them

  5. Learn from the incident to tighten your security strategy further

Disaster recovery plan

A disaster recovery plan should also be a part of your IT security strategy. Disasters can be natural or man-made, and necessary plans should be made beforehand so that your business is not disrupted for any extended period of time. Disaster recovery plans involve listing all available hardware devices, software applications, and data. Listing the hardware and software will help in restoring the items quickly after the disaster is handled. Have a secure backup plan in place so that no important data is lost in the event of a disaster. Your business can bounce back from a disaster more easily with an effective disaster recovery strategy in place.

Stress testing

After putting all the defense measures in place, stress testing the system is critical. Stress testing involves simulating a cyber attack on your system and analyzing how it is managed by your team. Stress testing will help you identify the potential risks that could affect your business in the case of an actual incident. It’s important to find out how your team responds to such a risk, and how much time your business would take to resume normal operations.

The results of stress testing will provide insight into your IT security strategy and guide you to make changes to better secure your system.

We have discussed important elements of a streamlined IT security strategy and hopefully you have found it helpful in some capacity. In the coming articles, we will discuss various rules and regulations that exist to protect and secure data.