By Subramanya C, Chief Technology Officer, Hinduja Global Solutions (HGS)
This article has been published in CIO Review.
Every organization today is undergoing a transformational journey driven by technological advances in which information and data have become its most valuable assets. Like any other valuable asset, this data is exposed to cyber threats and risks that could lead to financial losses, and it must be protected. Organizations are not only experiencing increased exposure to such risks but are also investing in security frameworks to reduce it.
Enterprise Information Security Management – Not a technical solution anymore
Enterprise Information Security Management is no longer considered simply a technical solution. It is as significant as any other business function in any industry today. However, spending money on information security does not by itself prove that an organization is doing enough to assure enterprise-wide security. In my view, organizations and technology teams investing in and setting up firewalls and assuming that we are secure is not sufficient. In addition, formal security education within the organization and a defined Enterprise Risk Management process are becoming increasingly critical to measuring the maturity of an organization's information security.
Investing in the creation of an Enterprise Information Security Policy is a good way to ensure that a security framework has been defined to initiate, as well as control, the implementation of all information security practices. The primary objective of the policy is to safeguard the organization's information and all related processes and facilities, and to mitigate risk when working with third-party organizations. A variety of third-party tests can be used on a consistent basis; among these, penetration tests and vulnerability assessments are the most common.
Pen Test – How does it help?
A penetration test, also referred to as a pen test, is an exercise that organizations undertake to evaluate the security standards of their IT infrastructure and to check for exploitable vulnerabilities.
Pen tests should ideally be performed on a regular basis to ensure the consistency and smooth functioning of IT infrastructure and network security management. The test can also reveal how newly discovered threats or emerging vulnerabilities could be used by attackers.
It is well known that organizations wait too long to run security tests and vulnerability scans, or conduct them only when a deadline is approaching, when a security audit needs to be ticked off, or when the law requires it. Unfortunately, most organizations conduct a pen test only after they have been scorched. Pen testing has transformed rapidly over the past few years. It is now more than a scan run to evaluate vulnerabilities and tick the compliance boxes; it is run at regular intervals to stay ahead of sophisticated enterprise attacks, including those planned and programmed by highly skilled cyber criminals.
Before conducting a pen test, there are a few factors that should be taken into consideration, including:
- The likelihood of a cyber-attack when the company holds critical information
- Compliance issues and requirements
- Employees using open-source software and applications that are more vulnerable to automated attacks
- Significant changes in company infrastructure or network
Apart from the scheduled analyses and assessments required by regulatory mandates, pen tests should also be run in the following cases:
- Addition of new network infrastructure or applications within the same IT infrastructure
- Application of significant upgrades or modifications to existing infrastructure or applications
- Establishment of new office locations
- Application of security patches
- Modifications of IT policies for employees and end users
Just as pen tests are conducted to keep a check on possible external attacks, internal penetration testing is also an integral part of IT security management. Given the increased use of smartphones and the BYOD (bring your own device) culture, it is now extremely important to keep a check on the safety of using these devices within the organization's premises.
Enterprise security has now become a matter of employee education and responsibility as well. There are multiple touchpoints within and outside the IT network where employees can fall prey to phishing schemes and thereby expose the organization to risk. Owing to flexi-work and work-from-home cultures, employees access and use the organization's Internet-facing assets (such as email, VPN, web and file sharing) more often than they used to. This puts the organization at additional risk, over which it has less control and which must be considered more seriously than before.
Undoubtedly, there is much complexity in the development, implementation, and maintenance of any enterprise information security system. As members of senior management, we always ensure that we provide the best solutions to drive up productivity within the organization while we mitigate and manage any probable risk. While you communicate and create awareness about cyber threats, make sure that you also monitor for data leakage. In the growing digital economy, more eyes and ears on the ground will ensure better coverage of security risk for the organization.