Understanding IT Security
The importance of understanding IT security
With cyber criminals operating around the world, it’s more important than ever that businesses start understanding IT security. After all, 86% of UK organisations expect cyber attacks to increase, and 33% of hacked companies admit to losing customers after a breach. Whether you are an individual, a business, a government or a nation-state, IT security is something that should be taken seriously. In this guide, we aim to provide you with a broad overview to help you understand IT security, defining what it is, the different types, current threats and how to prevent them. The guide is designed to provide you with a basic understanding of the importance of IT security rather than an in-depth analysis of one specific aspect of it.
What is IT security?
The term ‘IT security’ is often interchangeable with the term ‘cyber security’, and refers to the practice of applying technology, procedures, controls and tools to protect data, networks, computer systems and devices against unauthorised access and malicious attacks. In a world where almost every aspect of a business is online, it’s clear to see how vital it is to protect IT systems against attack.
IT security vs. information security
IT security and information security are often confused. IT security is focused on protecting computer systems from malicious intent, while information security involves protecting information and data in both digital and hard copy format. The two concepts are closely related, and overlap in certain areas, but the difference is worth distinguishing. For example, ISO 27001 is an excellent and internationally recognised information security standard, whereas Cyber Essentials is a fundamental IT security/cyber security standard.
Who poses a threat to your cyber security?
Malicious internal users can be a threat to their organisation, infiltrating networks and systems from the inside. This could be a dishonest employee looking to benefit financially or a malcontent member of staff with a grudge who wants to harm the company.
The consequences of IT security
The importance of having comprehensive IT security measures in place to protect your business is something that can't be overlooked. There might be other aspects of your business that you leave to chance and get away with, but IT security isn't one of them. Without adequate IT security measures in place, it’s only a matter of time before your business is breached. The impact of a serious breach is potentially ruinous, and the reputational damage alone has destroyed companies faster than regulatory fines and lawsuits. Without exception, businesses large and small need to address IT security as a core business component.
There are other benefits to maintaining a good standard of IT security. By showing that you take security seriously, you can inspire confidence and trust in your customer base, helping grow your business. Even entry-level IT security certifications, such as Cyber Essentials, are valuable to business growth, plus Cyber Essentials is required for UK Gov, NHS and MoD contracts.
Types of IT security
In the infancy of information technology, security was as easy as running some antivirus software on your computer. Older readers might remember Dr Solomon's Antivirus Toolkit. However, in this modern digital age, our IT security is much more complex, so we need to be aware of the different types that can be impacted by cyber threats.
Cloud services are becoming increasingly popular, allowing companies to rely less on internal infrastructure and hardware. Though many companies feel more secure having control over their data on-premises, businesses could use affordable cloud-based services – with applications and stored data hosted off-premises.
Cloud service providers typically have strong security practices in place, with more experienced security experts available to detect IT security threats. Additionally, they need to meet strict regulatory requirements and are regularly subjected to third-party audits to ensure their security systems are satisfactory. However, the myriad configuration options inherent in cloud services mean security flaws are often introduced through accidental misconfigurations. Plus, the ‘shared responsibility’ model of security means that sometimes organisations won’t even think about securing something they’re responsible for, simply because they don’t know it’s their responsibility.
Disaster recovery / business continuity
Types of IT security threats
A whole book could be written on the different cybersecurity threats that can put your IT systems at risk. The ones listed below are the ones you’re most likely to encounter. Hackers and cyber criminals are continually coming up with new and ingenious ways to circumvent existing security measures, and security researchers are in turn finding better ways to stop them. So be aware that while these are some of the common threats, there are plenty more to contend with.
Advanced persistent threat
Brute force attack
Brute force attacks are the modern-day digital equivalent of trying to crack a safe or padlock. Hackers will use specialised automated software and scripts to attempt to guess your password by simply trying every combination of characters. This is what makes weak passwords, and re-used passwords, so terrible for security. If a hacker brute-forces a weak password, and you’ve used that password elsewhere, they now have the keys to your digital kingdom.
DoS and DDoS attacks
A Denial of Service (DoS) attack is when a hacker attempts to bring down a server or network by flooding it with vast amounts of traffic that it can't cope with, causing it to be unable to respond. The intention is to make it inaccessible to its intended users. Modern technology has made denial of service attacks reasonably easy to prevent. A firewall can block the attack if it detects a large amount of unusual traffic originating from a single source. However, hackers can be accused of many things, but lack of innovation isn't one - thus, we now have DDoS.
Distributed Denial of Service (DDoS) is when thousands of devices are placed under control of a hacker, who uses them to send meaningless traffic to a network or server. Just the same as a DoS attack, it floods the network with traffic but this time it’s not so easy to stop, as it comes from thousands of different ISPs, geographic locations and types of computer (hence ‘distributed’). These sorts of attacks can be prevented with the use of DDoS mitigation tools and services.
Whilst DoS and DDoS attacks aren’t going to enable a hacker to steal data, they can effectively take your systems offline. They’re also used as a distraction, whereby a hacker will cause a DDoS attack to distract from another cyber attack, such as ransomware.
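The contrast above between a single-source flood and a distributed one can be seen in a small detection sketch. This is an added example, not part of the original guide; the thresholds, function names and sample traffic are all constructed for illustration.

```python
from collections import Counter

# Assumed limits for one time window (illustrative values, not from the guide).
PER_SOURCE_LIMIT = 100   # requests a single source may send
TOTAL_LIMIT = 1000       # requests the service can absorb overall


def analyse_window(source_ips):
    """Classify one window of traffic, given the source IP of each request."""
    per_source = Counter(source_ips)
    # Sources a simple per-source firewall rule would block.
    block = sorted(ip for ip, n in per_source.items() if n > PER_SOURCE_LIMIT)
    # Traffic that remains once those sources are blocked.
    residual = sum(n for n in per_source.values() if n <= PER_SOURCE_LIMIT)
    if residual > TOTAL_LIMIT:
        verdict = "distributed flood"    # blocking single sources is not enough
    elif block:
        verdict = "single-source flood"  # per-source blocking restores service
    else:
        verdict = "normal"
    return {"verdict": verdict, "block": block,
            "residual": residual, "sources": len(per_source)}


def constructed_windows():
    """Constructed sample traffic: 50 ordinary clients, then two floods."""
    normal = [f"198.51.100.{i % 50}" for i in range(400)]
    dos = normal + ["203.0.113.7"] * 5000
    # 2000 distinct sources sending only 3 requests each.
    ddos = normal + [f"10.{i // 250}.{i % 250}.1" for i in range(2000)] * 3
    return {"normal": normal, "dos": dos, "ddos": ddos}


if __name__ == "__main__":
    for name, window in constructed_windows().items():
        print(name, analyse_window(window))
```

In the distributed case every source stays far below the per-source limit, so the block list is empty even though the total load is several times what the service can handle, which is why upstream DDoS mitigation is needed rather than a per-source rule.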
Phishing is one of the most well-known IT security threats. Its goal is to obtain sensitive information by masquerading as someone you trust. Typically a phishing attack is carried out by email, though they can also come via SMS or even a voice call. A mass of emails will be sent out to thousands of people with the hope that even a small percentage will fall for the scam.
Usually, the phishing email will be designed to look as if it has been sent from a company or service that you know. Examples would be your bank, utility provider, PayPal, Facebook or even Netflix. It will then ask you to carry out an action such as 'Urgent update required' or 'Login now to avoid your account being suspended.' Often, as you might have noticed, there is a sense of urgency, which can lead to a user making decisions without thinking clearly. If the link is clicked on, it will typically take the user to a fake website that captures the login information or personal details that they enter.
While the majority of IT security risks revolve around technology, human emotions can also be manipulated by cybercriminals who use psychological techniques to trick individuals into giving out sensitive information. Social engineering is often employed in spear phishing or whaling attempts. It will invoke emotions in the victim such as fear of authority, familiarity or urgency to manipulate them to take actions that could compromise IT security.
We briefly touched on botnets when we discussed their use in DDoS attacks. A bot is slang for a compromised machine that’s under a hacker’s control. And when there are many such bots under control of a hacker, it’s called a botnet. The device users will be unaware, but this army of bots can be put to nefarious use. For instance, the botnets can be used to send out spam emails, with no risk of detection for the 'bot-herder' (as the controller is known) and using the resources of other users' devices. For obvious reasons botnets are often called a 'zombie army.'
Protecting against IT security threats (Countermeasures)
The measures that you put in place to defend your organisation against cyber attacks will depend on factors such as the size of your business, your budget, and regulatory requirements. Many of the countermeasures you can implement to defend your enterprise against cybercrime are extremely affordable or even free, such as ensuring that you keep your software updated and enforcing appropriate password management.
Security hardware and software
Unified Threat Management (UTM) - UTM combines multiple security solutions as an all-in-one device or service, essentially unifying all your security functions and protecting against security threats in a simplified manner. Rather than having to pay for and look after multiple security devices, UTM typically offers antivirus, next-generation firewall, web filtering and an intrusion prevention system (IPS).
Backing up data
Keeping software updated
Employee behaviour and awareness
The actions of employees can leave a business under significant threat from cyber attacks. Statistics indicate that 43% of data breaches have taken place due to careless or malicious actions carried out by employees. So while you might be focusing your security measures towards your networks and devices, it is the human factor that could be the most dangerous. A disgruntled employee could be the one who sabotages your network, or an employee could easily be manipulated by social engineering into endangering your IT security. At the very least staff should be made aware of security issues, but there should be routine security meetings and regular IT security training to stress the importance.
Security information and event management (SIEM)
Final thoughts on IT security
IT security can be a minefield for businesses who aren’t prepared – from the threats that have the potential to do untold damage to your business, to deciding on the right tools for your enterprise's needs. But forewarned is forearmed, and as this guide has shown, when you start digging into the details, it’s all surprisingly straightforward. Good IT security is a modern business essential, and the basics, such as penetration testing, keeping all systems up-to-date, and security training, can be easily integrated into any size of organisation.
Cyber Essentials is a Government-backed certification that covers cyber security basics, making it an ideal first step in your journey to IT security.