How to stop IT security from getting in the way
Why does airport security sometimes make us take off our shoes? Because someone once smuggled explosives in their shoes. Why did airlines ban us from bringing liquids onto flights? Because someone disguised bomb-making materials as a bottle of fizzy drink.
Those security measures came in after specific events — like many of the checks we go through at the airport, they react to novel attacks rather than anticipating them. There are a series of preventative measures that came in after the things they’re trying to prevent.
When airport security is done badly, your experience is a patchwork of individual measures, sewn together sporadically. It’s better than having no security, but it’s neither as effective nor as painless as it could be. At its best, security is a meticulous process, planned as a coherent whole and focused on preventative measures, using the latest techniques and technology to remain as unobstructive as possible while remaining safe.
The same goes for a lot of businesses’ IT security. You’ll be much more secure (and more productive) when you have a strategy that anticipates threats, rather than adding new measures ad hoc, and responds to the way you work, rather than dictating the way you work.
Here are the building blocks for that strategy.
Endpoint protection
If it’s possible to stop attacks at their source, then you stand the best chance of stopping the spread and protecting your devices and your data. A thorough security suite will also include web filtering, Mobile Device Management to protect all devices centrally, and encryption to help keep you GDPR-compliant in the event of a breach.
Well-designed endpoint protection fits your working patterns — it doesn’t change the way you work, but secures the way you work.
Email security
Cyber attack techniques like email phishing are widely known, but that doesn’t stop 30% of people from opening phishing emails.
Your people will always be your best line of defence against phishing, but there will always be times when social engineering beats security training. It’s unreasonable to expect your people to identify suspicious messages every time they come in, so you need defences in front of them and behind them to carry the burden, instead of putting all of the pressure on your employees.
Email security should look for threats as they arrive, and stop as many as possible from reaching the inbox. If any do get in, and trick a user into admitting malware or ransomware, then your next security measures can contain it.
Firewalls
Firewalls aren’t only to keep threats out. They should stop any threats that do infiltrate from accessing your whole system — even if someone breaks into the ‘building’, all of the ‘rooms’ are locked.
Aside from the peace of mind, a strong firewall makes flexible working far more secure and much less cumbersome. For example, a firewall package can and should offer unlimited VPN access so that home workers can operate on your secure, firewalled network.
If security stops people from working flexibly, they can come to resent it. With a suitable firewall in place, you don’t have to forbid remote working, limit the hours that anyone can choose to work, or put extra requirements in place to do either.
Managed Detection and Response (MDR)
Even cyber security teams get tired of cyber security. The ongoing skills shortage has put the burden on smaller teams, given each member more to do, and left a lot of people drained and burned out.
On top of that exhaustion, the average IT security team member spends 32 minutes assessing each false alarm. Even the most dedicated security professional could be tempted to treat alerts with increasing complacency when their already-exhausting schedule is full of ‘threats’ that turn out to be nothing.
An MDR service monitors your system for you, assessing alerts, and neutralising any threats it finds. That allows security teams to spend their time building a strategy and strengthening the system, rather than firefighting.
Expert design and review
To design those basic cyber security elements, it’s wise to find expert advice so that you can implement them in the most efficient, commercial way possible. An experienced cyber security provider can also make bespoke suggestions and complement your cyber security pillars with a tailored, ongoing strategy that keeps you safe without imposing inconvenient and reactive measures on your employees after incidents.
Arc Systems gets ‘under the bonnet’ of your business so that we can truly understand how you run, and design, a security strategy that works specifically for you. Get your free, no-obligation IT security review, and we’ll share our recommendations for a safer and smoother-running system.