13. Jan, 2017

Highlights from the IT Security workshop, as promised.

The workshop was organized by a large bank in my region and besides several midsize company representatives, we had security experts, people from the Cyber Crime Competence center of the police and a lot of other interested people, roughly 100 - 150 in the audience.

It was kicked off with a live hack. A security evangelist offered an unprotected WLAN in the room, and 78 people had connected even before the workshop started. He quickly showed what kind of traffic and information is visible without encryption, and what additional information can be gathered about the people in the room with a few easy tasks, for example by using Google search. After 15 minutes and some interesting insights into what "bad guys" could potentially do with the data available in the room, he checked the connected phones again, and it was still 75. Unbelievable how slowly people learn.

If you have the opportunity to participate in this kind of workshop, or if trainings on this topic are offered, make use of the opportunity; this is time well spent.

Below some quick notes from yesterday:

  • The moment you realize you are under attack, disconnect from the Internet immediately to avoid further harm.
  • You need a disaster recovery plan that is properly documented and tested regularly. The worst case can and will happen at some point.
  • In case of a disaster, you need a decision matrix and a step-by-step description of how to get your systems back to work --> a checklist of who is doing what by when.
  • Spending money on prevention is fine, but make sure you have a working backup system and a clearly defined data restore strategy.
  • There is still no security by design in IT systems and the basic underlying versions can be very old.
  • In a lot of cases IT security software is even worse than standard software.
  • The key issues still come from people's behavior and how they react to IT security training and awareness sessions --> this is the area where you have to start.
  • You need to create an IT security culture, with a basic understanding for everybody and a common, non-technical language that everybody can understand. We are all sitting in the same "boat" and have to protect it as well as we can. When the company is impacted, every employee's salary is impacted as well!!
  • Put vulnerability management in place; understand your own risks, the technology you use and the costs involved.
  • Get or develop IT security experts, who are independent, open and honest.
  • Put your security experts high up in the organization and let them report to the CFO or COO.
  • For small companies Security as a Service solutions are coming up in the market.
  • Communicate openly about issues and find trusted partners in banks, government or central intelligence organizations.
  • Be aware of the potential risk of IoT solutions, because even the oldest technology gets connected to the Internet now.
  • For further great insights and direction, have a look at the Digital Society Institute (DSI) website https://www.esmt.org/faculty-research/centers-chairs-and-institutes/digital-society-institute-dsi, or your country-specific cyber crime expert pages.

IT security starts with our personal behavior, our awareness and following the given security guidelines. Please apply as much common sense as possible, in your private and business life. And if something still goes wrong, don't be shy: communicate with the experts immediately to avoid further impact on your family, colleagues and company.