IT security is concerned with guaranteeing the security of all information techniques and technologies (IT) in use, i.e., all hardware and software systems and all computer and network systems. The primary objective is to ensure the security of information processing and communication, which requires that hardware as well as software and program systems operate properly. Implementing such security concepts in the business sector is not voluntary: under current legislation, German companies are legally required to invest in the development and implementation of IT security concepts, in other words, IT compliance.
In addition to voluntary guidelines and relevant security standards such as ISO 27001, COBIT (Control Objectives for Information and Related Technology), and ITIL (Information Technology Infrastructure Library), laws, standards, and guidelines ensure that companies are as fully aware as possible of their actions and liabilities in the area of information security.
Laws on data protection and information security pursue the goal of creating reliable protection for company information in terms of availability, confidentiality, integrity, and authenticity. Compliance with these regulations is mandatory for companies. One such law is the German IT Security Act, which came into force on July 25, 2015.
Assuming that a company falls victim to a security problem in its IT, what are the immediate consequences?
IT application processes can be severely disrupted and may not run properly due to faulty hardware components such as processors and memory. This can also be caused by errors in system software or in applications due to logical and syntax errors. Errors in network systems caused by hardware components, e.g., cables or routers, or by the network software also frequently occur. If such a scenario occurs, it is quite possible that essential business processes will no longer work properly, resulting in considerable financial and structural damage and a loss of image for the company.
However, targeted cyberattacks are far more damaging than faulty software or hardware. Hackers make it their business to infiltrate other parties' endpoints, clouds, and operating systems, steal sensitive data, and, for example, blackmail those affected (ransomware). The past few years have shown that cybercriminals are becoming more and more cunning and are constantly developing new avenues of attack. Most of them are now professionally organized and work with state-of-the-art technology. Common methods of attack used by such hackers are:
Botnets
Cybercriminals like to incorporate other parties' computer systems into botnets: aggregations of compromised PCs and other networked devices that they can control remotely like robots and misuse for their purposes. This requires infecting the endpoints with malware. A common application for botnets is use in Distributed Denial-of-Service (DDoS) attacks.
Advanced Persistent Threats (APTs)
These are targeted cyberattacks directed at selected victims or groups of victims using extremely advanced, technically sophisticated methods. Attackers gain permanent access to a network and then gradually (often without the victim even noticing) extend this access to other systems. To achieve this, cybercriminals usually plant specially programmed malware.
Malware
The term malware includes all types of computer programs that perform unwanted or harmful actions in a system, for example, viruses, worms, and Trojans such as Emotet. Depending on the malware, networks and operating systems may be completely paralyzed.
Ransomware
Ransomware is harmful software that encrypts a system and only allows access to the data once the victim has paid a ransom. This form of malware has been particularly popular for several years. Well-known examples are the crypto Trojans WannaCry and Petya. Common methods of distributing ransomware are spam emails, phishing, and drive-by exploits. The latter specifically exploit vulnerabilities in browsers, browser plug-ins, and operating systems.
Spam and Phishing
Spam refers to unsolicited email and is a popular means of spreading malware. Phishing emails, however, are a special type of spam that induces the user to perform a certain action – for example, to disclose login credentials or even bank details or to install malware.
What are the main approaches companies take to improve their IT security?
This is actually self-explanatory – IT security and information security are by no means just a question of technology. The greatest weakness in this construct is, in fact, humans. Cybercriminals exploit ignorance and uncertainty in dealing with IT, for example, by using social engineering or phishing scams to gain access to networks and systems. This is why it is important to train employees and raise awareness of IT risks and IT security. Online training courses with interactive exercises are recommended. Employees can take these courses on their own at any time and receive direct feedback through the interactive component for a quick learning effect.
This is an outsourcing model in which security management is completely entrusted to an external service provider. The service provider provides the required security applications and takes over the configuration and operation of the tools for companies.
A bundle of processes that originally came from software development and that views IT protection as a holistic concept. Components of this are concept creation, functioning information management, security in the development process, and, once again, extensive training for employees dealing with the issue.
As previously mentioned, there is a large selection of security solutions such as firewalls, virus and malware scanners, content filters, and intrusion detection systems; they are available in a variety of price ranges and performance classes. There is also a choice between specialized devices and UTM (Unified Threat Management) appliances. The latter combine multiple functions into a single appliance, making them more suitable for small to medium-sized businesses.