IT security management: Why you should take care of it now and what matters
by Svenja Koch
Cyber threats are omnipresent - this is now widely known. At the same time, there are still glaring gaps in the area of IT security measures in many companies. IT security management aims to close these security gaps with a comprehensive action plan that includes resources such as employees, financial means and IT security tools. In this way, an increase in the level of IT security within companies and organisations is achieved.
What exactly is IT security management? Definition and goals
IT security management aims to prepare companies comprehensively and sustainably for potential cyber threats. The IT security situation requires broad-based measures. A wide range of IT security measures are grouped under the umbrella term of IT security management. Taken as a whole, these ensure the digital security of an organisation. This management is an ongoing process that includes areas of data protection as well as defence against cyber threats. In its entirety, IT security management is a complex system whose measures are built around an IT security plan.
The fundamental goal of IT security management is to sustainably increase digital security in the company. This is a long-term process that is worked on step by step with the help of individual, interlocking IT security measures. IT security management itself does not yet define concrete steps. Rather, it is the bundling of available and selected methods and measures so that a coordinated deployment is achieved. This also means that there is a responsible position in the company that creates the underlying IT security plan. This position is also responsible for monitoring IT security and the protection goals. The concrete IT security measures within the framework of security management are made up of various IT standards, best practices, guidelines and legal minimum standards.
IT standards and legal requirements for the implementation of IT security measures
Within the framework of the IT Security Plan, an individual catalogue of IT security measures is created, which are adapted to the specific infrastructure of the organisation. These measures are based on IT standards and legal requirements. On the one hand, this ensures that the organisation meets the legal minimum standards for IT security. On the other hand, the IT standards give those responsible concrete options for designing IT security and protection goals.
In this context, the IT-Grundschutz (basic IT protection) of the Federal Office for Information Security (BSI) plays an important role for many organisations. The IT-Grundschutz approach gives IT security officers a clear structure for establishing effective and sustainable IT security. Its methodology was laid down in BSI Standard 100-2 and has since 2017 been carried forward as BSI Standard 200-2. The accompanying IT-Grundschutz catalogues (today the IT-Grundschutz Compendium) describe typical threats, the damage they can cause and the safeguards against them. For systems with normal protection requirements, these catalogues replace an elaborate individual risk analysis: they tell companies which attack vectors to expect and how to implement countermeasures.
There is also a three-stage certification for IT-Grundschutz by the BSI, in which the first stages are checked against checklists and the last stage by an audit. IT-Grundschutz can therefore be implemented with relatively simple means and without a bespoke risk analysis, provided the components in question have normal protection requirements. Where the protection requirements are elevated (for example for systems processing particularly sensitive data), the method itself calls for a supplementary risk analysis, and the corresponding expertise is still needed there.
Another central building block in the development and definition of IT security and the protection goals is ISO 27001, an international standard that specifies the creation of an individual information security management system. Based on ISO 27001, it is possible to introduce security guidelines for IT. The focus of ISO 27001 is on the creation of a management system in which all IT security measures are meaningfully intertwined and completely cover the protection goals of IT security. Within the framework of ISO 27001, specifications are also defined with which the functionality of the individual security measures in the IT security plan can be checked. Only a central management system that controls and administers all individual measures creates a coherent overall concept in which all security risks are covered.
ISO 27001 also requires documentation of the IT security plan and the individual measures. This creates a transparent and comprehensible procedure within the framework of IT security management. This is especially important in the long term. If there are changes within the IT staff responsible for this, the clear documentation prevents IT security from having to start from scratch again in such a situation.
The central IT security protection goals in companies
Which IT security measures the company implements in concrete terms varies from organisation to organisation. Therefore, implementation in IT security management begins with an IT security plan. This plan starts with an analysis of the current situation. This includes the existing systems, a record of the current IT security measures as well as an identification of IT weak points.
Based on this, IT security defines protection goals and concrete IT security measures. The IT security plan, which is one of the central means of IT security management, then defines a time schedule for implementation and realisation. This covers one-off measures as well as ongoing ones, such as the regular training of employees, which must be planned for the long term.
An important point for IT security to achieve the defined protection goals is the provision of resources. On the one hand, this concerns financial resources. On the other hand, however, it is also about personnel structures and the required know-how. Especially the last point is not easy to implement. Small and medium-sized enterprises in particular often face challenges in providing sufficient resources for IT security and the protection goals.
The current situation - why IT security management is becoming increasingly important
Figures from the UK and from Germany's Federal Criminal Police Office (BKA) show that cybercrime has been among the most common crimes since 2016. In recent years, hackers have also significantly improved their skills. The cyber criminals are well networked and rent malware much as one rents a cloud application, as software as a service (malware-as-a-service).
In addition, cybercriminals demand ransom payments in cryptocurrencies. Bitcoin and similar currencies are pseudonymous rather than anonymous: every transaction is recorded in a public ledger, and investigating authorities and blockchain-analysis firms can and do trace such payments, in some cases right up to a seizure. Attackers therefore launder the proceeds through mixing services, exchanges in uncooperative jurisdictions and privacy-oriented coins, so that recipients operating from anywhere in the world usually remain out of reach even when they receive large payments.
This ability to collect money from illicit activities at little risk has made the ransomware model successful. Hackers as well as criminals who rent corresponding ransomware and malware to compromise networks are increasingly attacking companies. The criminals are also not stopping at public institutions and critical infrastructure, as the recent past proves. The goal here is clearly to gain a financial advantage. It is not uncommon for cybercriminals to demand five-figure sums in the course of extortion with ransomware. Larger companies are even confronted with extortion in the millions.
The increasingly sophisticated approach of hackers further increases the danger. This is evident in multi-vector attacks, whose number is rising rapidly. Companies are increasingly failing even to detect security breaches in their own network. The time that elapses between the start of a cyberattack and its detection by the company's own IT security continues to grow. In 2019, it took IT security an average of 108.5 days to discover that the network had been compromised. Two years earlier, this period was 80.6 days. Attackers use this time to steal data, introduce further malware or encrypt the information stored on servers with ransomware.
In sum, this situation has led to an explosion in dangerous attacks with ransomware. Attackers are potentially targeting every company and organisation, regardless of industry or size. However, many decision-makers are still too often of the opinion that their own company is unlikely to be a primary target of cyber attacks (for example, because the company is too small or the products/services offered are not relevant enough). This is a dangerous and outdated attitude that turns the person responsible for the company into a weak point in IT security himself: on the one hand, because he fails to strengthen his own IT security in time and to define protection goals; on the other hand, because the vulnerabilities that attackers exploit are created by employee misconduct. With modern IT security measures, however, it is possible to protect one's own company very well against cyber attacks. The challenge lies in the correct implementation and behaviour by those responsible and the employees.
5 concrete IT security measures within the framework of IT security management
In many companies, the implementation of an IT security plan fails because it is not followed through. Putting theory into practice after the IT security team has defined the protection goals is indeed a major challenge. This is precisely why it is important to commission experienced personnel or professional external service providers to implement IT security management.
5 elementary measures that belong to IT security management are:
- IT security training of employees: Which topics are relevant here depends on an individual needs analysis. It is important to identify the weak points of the company as well as the employees and at the same time address relevant topics that affect everyday life. Elementary training courses deal with the topic of phishing, for example, and teach employees how to recognise conspicuous e-mails or how to deal with messages in general.
- Ensuring that IT security standards are kept up to date (this includes, among other things, regularly patching systems, carrying out backups and keeping at least one backup copy offline so that ransomware cannot reach it, regular Active Directory security checks, etc.).
- Up-to-date work equipment for employees (especially mobile workplaces in the home office & Co bring new needs with them: the hardware must be mobile and flexible, and of course also permanently up to date with the latest technology in order to guarantee the highest security).
- Use of state-of-the-art security and anti-ransomware technology (traditional security tools such as AV, endpoint protection, firewalling and IDS/IPS remain necessary, but on their own they are no longer sufficient to ward off current threats in good time).
- Use of managed security services for cyber defence, such as a vulnerability management and active cyber defence service.
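The list above names a "regular Active Directory security check" without saying what such a check looks at. The following PowerShell script is an added example (not code from the original article or from its author) of a minimal AD hygiene review of the kind a practitioner would run on a schedule. It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the 90-day inactivity threshold and the CSV output path are local policy choices; all three are assumptions, not values the article gives.

```powershell
# Added example: minimal Active Directory hygiene check.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Assumed policy values (adjust to the organisation's own rules).
$InactiveDays = 90
$ReportPath   = Join-Path $env:TEMP 'ad-hygiene-report.csv'

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Account, [string]$Detail)
    $Findings.Add([pscustomobject]@{
        Check   = $Check
        Account = $Account
        Detail  = $Detail
    })
}

# 1. Enabled accounts whose password never expires: these escape password
#    rotation entirely and are favourite long-lived footholds.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet |
    ForEach-Object {
        Add-Finding 'PasswordNeverExpires' $_.SamAccountName "last set $($_.PasswordLastSet)"
    }

# 2. Accounts with Kerberos pre-authentication disabled: their AS-REP can be
#    requested by anyone and cracked offline (AS-REP roasting).
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
    ForEach-Object {
        Add-Finding 'NoKerberosPreAuth' $_.SamAccountName 'AS-REP roastable'
    }

# 3. User accounts that carry a Service Principal Name: any domain user can
#    request a service ticket for them and crack it offline (Kerberoasting),
#    so their passwords must be long and rotated.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet |
    ForEach-Object {
        $spns = $_.ServicePrincipalName -join ';'
        Add-Finding 'UserWithSPN' $_.SamAccountName "SPNs=$spns; password last set $($_.PasswordLastSet)"
    }

# 4. Enabled accounts with no logon within the inactivity window: leavers and
#    forgotten service accounts that should be disabled or removed.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Add-Finding 'InactiveEnabledAccount' $_.SamAccountName "last logon $($_.LastLogonDate)"
    }

# 5. Full (recursive) membership of the highest-privilege groups, so that
#    nested groups and stray additions are visible to the reviewer.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object {
            Add-Finding 'PrivilegedGroupMember' $_.SamAccountName "member of $group ($($_.objectClass))"
        }
}

# Summary on the console, full detail to CSV for the change record.
$Findings | Group-Object Check | Select-Object Name, Count | Format-Table -AutoSize
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run the script from a workstation with the RSAT tools under an account that can read the domain; it needs no write rights. The useful part is the comparison over time: keep the CSV reports and diff them from check to check, because a new privileged-group member or a freshly created SPN-bearing user is far more interesting than the static list.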
Due to the increasing danger of cyberattacks, especially Advanced Persistent Threats, company networks are now exposed to a permanent threat. Small and medium-sized enterprises have also been targeted by cyber criminals. This situation makes IT security management necessary in all organisations. This management is important for the organisation of IT security and the achievement of and compliance with the defined protection goals. Those who do not have the resources to create an IT security plan and take over IT security management themselves can fall back on external service providers or the BSI's IT-Grundschutz catalogue. Only with professional security management is it possible to significantly minimise the danger posed by advanced persistent threats, ransomware attacks and similar cyber threats.