Over the past months, hackers and cyberattacks have made the headlines, whether it was the presumption that the US presidential elections were manipulated, the cyberattacks on Yahoo and the Sony PlayStation Network, or the WannaCry ransomware attack in May this year. Security topics have long been at the top of the CIO agenda: in a survey by euromicron in 2016, some 40 percent of companies said they wanted to invest more in security-specific topics and technology.
This trend is likely to continue with the coming EU Directives on Data Protection (EU GDPR), which will enter into force in May 2018. Under these directives, companies' neglect of data security, and especially of the handling of personal data, will cost them dearly. In the event of violations of data protection or negligent handling of the provisions of the Data Protection Directives, the new directives provide for penalties of 2-4% of the total turnover of the companies concerned.
What is really important when it comes to IT security? Which measures guarantee efficient protection? And how can companies adapt to the provisions of the EU? It would seem to be, above all, a question of hygiene.
The North American Center for Internet Security regularly publishes a collection of current IT security best practices. The collection, the CIS Controls, contains a total of around 20 different recommendations that are continuously revised and extended by leading experts. Five of these recommendations are essential for companies as protection against cyberattacks and threats:
- Ensure the inventory and control of authorized and unauthorized devices
- Ensure the inventory and control of authorized and unauthorized software
- Ensure a correct configuration of hardware and software on mobile devices, laptops, workstations and servers
- Ensure regular vulnerability analysis, including defining and implementing adequate measures to eliminate vulnerabilities and security gaps
- Ensure a controlled use of administrative rights and privileges
For an optimal defense, it is first and foremost a matter of keeping a clean sheet. Two factors in particular play an important part: a powerful discovery tool that reliably identifies the entire infrastructure, including hardware, software, network units, network printers and mobile devices, and a powerful CMDB that maps all CIs together with their complex relations in one database.
A prerequisite for the successful use of such tools is a functioning Configuration and Asset Management process, as suggested, for example, by ITIL best practices.
Especially in the context of the EU Directives on Data Protection (EU GDPR), Password Management is an important field of action. After all, Password Management lays the foundation for something on which the smooth functioning and security of all applications in the company depend: the authenticity of access data and user information.
According to recent reports on the topic of data protection, around 63 percent of all data protection violations can be attributed to the use of weak or stolen passwords. This is a circumstance that could give companies a headache, especially with regard to the provisions of the new EU Directives, because in the event of regulatory breaches, serious and mainly monetary consequences will be imposed in future.
When it comes to Password Management, it is important to avoid security gaps in connection with manually controlled password resets, or resets that are done by the users themselves. In order to comply with all GDPR and other security-relevant requirements, appropriate processes must be defined and implemented in the organization or company. At the same time, companies must be able to prove that, at all times, only authorized persons have access to login information and passwords.
In this connection, implementing a user-friendly self-service for Password Management can be a valuable help. Such self-service offerings guarantee that only the user himself has access to his access data, so that no breach of security can be caused by a third party. In addition, the use of self-service takes the load off the Service Desk and helps automate and optimize the relevant processes.
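One way to produce the proof the paragraph above asks for is to audit reset events against a simple policy: a self-service reset is valid only when the actor is the account owner, and an assisted reset only when the actor belongs to the authorized service-desk group. The script below is an added illustration, not code from the article or any product; the log format, user names and group membership are constructed assumptions.

```python
"""Audit password-reset events against an access policy (added example).

Assumed, constructed log format: one event per line,
  <timestamp> actor=<who performed it> subject=<whose password> channel=<how>
"""
from dataclasses import dataclass

# Constructed sample log for the example (not real data).
SAMPLE_LOG = """\
2017-09-01T08:12:03Z actor=alice subject=alice channel=self-service
2017-09-01T08:15:44Z actor=helpdesk01 subject=bob channel=service-desk
2017-09-01T09:02:10Z actor=carol subject=dave channel=service-desk
2017-09-01T09:30:00Z actor=svc_backup subject=admin channel=api
2017-09-01T10:05:21Z actor=eve subject=frank channel=self-service
"""

# Assumed service-desk accounts allowed to perform assisted resets.
AUTHORIZED_RESETTERS = {"helpdesk01", "helpdesk02"}


@dataclass(frozen=True)
class ResetEvent:
    ts: str
    actor: str
    subject: str
    channel: str


def parse_reset_log(text):
    """Parse the constructed key=value log into ResetEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(ResetEvent(ts, kv["actor"], kv["subject"], kv["channel"]))
    return events


def is_authorized(ev, authorized=AUTHORIZED_RESETTERS):
    """Self-service: only the owner may reset their own credential.
    Any other channel: only an authorized desk account, never on itself."""
    if ev.channel == "self-service":
        return ev.actor == ev.subject
    return ev.actor in authorized and ev.actor != ev.subject


def find_violations(text, authorized=AUTHORIZED_RESETTERS):
    """Return every reset that the policy does not permit."""
    return [ev for ev in parse_reset_log(text) if not is_authorized(ev, authorized)]
```

Running `find_violations(SAMPLE_LOG)` flags the resets by carol, svc_backup and eve; the two permitted events are the owner's own self-service reset and the service-desk reset.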
Further information can be found in the free IDC Whitepaper “Password Management and GDPR Compliance: Lowering Risk through State of the Art Assisted Password Reset“. The whitepaper is free for download here.
IT security is a very complex topic, and one that will be at the top of the IT agenda in the years to come. Implementing protection and defense mechanisms, including effective measures for system and password hygiene, is a proven way to protect against growing threats. It is therefore time to deal with the "homework" connected to Asset Management and Password Management.