New Service Combats Complacency In IT Security
September 19, 2016 Dan Burger
The chilling reality of IT security weaknesses is widely overlooked and often assumed to be something that only affects someone else’s business. A close look at our own organizations makes us uncomfortable. So do stories that include expert opinions that every business should begin its security review with the realization that a security breach has already occurred. That’s how real the threat is. And your current security policy, if you even have one, is probably obsolete.
Security is an ongoing process. It’s not inherent in the system, not even the legendary IBM i platform.
“Attackers and their targets and objectives are changing,” explains Patrick Botz, a former security architect at IBM who understands the IBM i system’s security capabilities as well as just about anyone. “No longer are they script kiddies trying to make a name for themselves. It’s now organized crime rings and even nation-states looking to make money or establish the ability to cripple critical infrastructure. That means establishing an ongoing, covert presence without being caught. Attacks on at least two small utility companies have already been identified, and ransomware attacks against small businesses have been rampant this year.”
Smaller businesses, Botz warns, make ideal targets because they have no way of telling if their systems have been breached. They have few security processes in place and most do not actively monitor their systems for potential issues.
“The IBM i’s legendary security capabilities have made many organizations complacent. They think the system protects them. The simple truth is that the IBM i is highly securable, but you need to know how to apply those capabilities to potential vulnerabilities to keep your systems secure.”
Because of the growing risk, Botz believes the time is right for cybersecurity management as a service. His company, Botz & Associates, brings a level of security expertise most small to midsize companies could never achieve on their own at a cost that is reasonable. He calls the ongoing security package TeamSecurity.
“There are tools of the profession, but beyond that are the skills to know what needs to be fixed,” Botz says. “Many small and midsize companies don’t have anyone on staff that knows how to fix security. Adding another piece of security software isn’t going to do them much good if they don’t have a framework in which to deploy that software.”
Botz believes all businesses need a security/risk management process in order to manage security in a rational way, but most are ill-equipped to do that. His company specializes in determining the policies and the steps needed to put the processes in place. Because, as he says, there’s no such thing in security as “set it and forget it,” his TeamSecurity package includes ongoing help with processes that deal with constantly changing threats.
Some might think there’s not much to do once the processes are in place and the system is secured. But Botz emphasizes the importance of continuous monitoring by someone who knows what to do with the information that the monitoring provides and who can make decisions based on current information about threats, vulnerabilities, and risks.
There are three levels of TeamSecurity contracts.
The highest level includes what Botz calls the virtual chief information security officer (CISO). It provides assistance in designing and implementing a security plan that manages risk, and in architecting the processes, developing a roadmap, and implementing related projects. Included are an annual security assessment and monthly monitoring reports of key indicators. Botz says it’s like hiring a CISO at a fraction of the cost.
The mid-level service provides help monitoring an existing security system. It includes an annual security assessment, monthly monitoring reports of key indicators, and an hour of consulting or security services each month.
The basic level simply involves an annual security assessment and key indicator monitoring and reports.
The service is not designed to catch a breach as it happens. Botz says that would be far more expensive. This process reduces the risk at a small cost. The monthly monitoring is designed to identify when something isn’t quite right – something that is not supposed to be there. A good plan begins by establishing what is normal and then searching for anomalies. Most breaches occur over a long period of time. It’s not a smash and grab, Botz says.
Complacency is common among small shops, Botz says.
“The idea that nobody is going to want to steal from a small company is ludicrous. Small companies are being targeted because they are easy targets. They may not have proper backups, so they have to pay the ransom to get the info back or it will be lost. It’s almost like saying, ‘Why would a small bank in a small town have a bank vault?’ Do they need a vault or a guard? No one is going to want to steal from them, right?”