Proactive Approach to IT Security
Aligning to a Recognised Security Framework Standard
To establish an overall security baseline that is measurable, it has become the norm for businesses to align against a recognised international standard. This is known as a “Security Framework.”
There are many Frameworks out there, such as CIS Controls, NIST CSF, Essential 8, SMB 1001 and ISO 27001. The idea is that by doing everything these suggest and ticking every box, you will improve your overall security posture and company compliance in a way that is measurable and reportable.
The problem is that these frameworks are designed for and applied to large worldwide companies with dedicated internal IT teams, who must do this by law or to meet compliance standards within their industries. For example, the health industry in America is subject to HIPAA compliance. Such strict, global standards are often not scalable, practical or budget friendly for smaller businesses to implement.
If you take a hard line and truly follow them to the letter, they can be restrictive and counter-productive. You will end up with frustrated users who simply want to do something simple, such as urgently install an app, but have to wait for IT to approve it and eventually roll it out onto their device.
Speaking of IT, many IT companies tap into the international IT security rhetoric and take a hardline stance in their advice. They will insist that unless you fully comply with everything in their preferred Framework, you are putting yourself at risk. This will be backed up with scare stories and fear tactics. None of the information they present will be in layman's terms; it will be a shopping list of incomprehensible ingredients! And even if you ticked every box, your safety still could not be guaranteed!
At Computer Clinic we personally adhere strictly to a security Framework (more information on our website here). However, for many smaller companies it is not always possible or practical to apply an international security framework to a small NZ SMB. So, Computer Clinic’s approach is to present the information in an understandable format so that you can make an informed decision that balances cost against risk.
The trick is to be realistic and cost effective: work through the critical controls within a framework to ensure you have a solid security baseline, and then apply these ‘restrictions’ to your systems in a practical way that allows all users to work effectively whilst maintaining a recognisable level of protection.
For example, not being allowed to urgently install apps on your phone whilst in another country (and time zone) would be very annoying and restrictive, as you would have to wait for IT to be available in your NZ time zone to achieve this. We don’t want you to ‘water down’, ‘dilute’ or ‘bend’ the guidelines; we are simply being realistic and reasonable towards your needs, so that you still benefit from many of the ‘rules’ but can also operate without going through IT support for everything within your business.
Another example: an email arrives over the weekend that needs your urgent response, but it has been locked in quarantine, so you cannot access or read it. Often this is because it has accidentally been misidentified as dangerous by A.I. You would need IT to assess and release this email, by which time the deadline has passed.
Computer Clinic’s approach would be to train either yourself or a power user within your business and give them the ability to quickly do this for you. After all, you are best placed to know whether this is an email you were expecting. If there is something ‘strange’ about the email, we are always on hand to give further technical input.
OUTCOME OF ALIGNING TO A SECURITY FRAMEWORK
At the end of the Security Framework process, you may wish to tick every box possible to adhere to the framework. However, please understand that this still does not guarantee your safety - nothing can. But weighing the pros and cons of an internationally recognised framework will give you a solid security standard as a measurable baseline. You will be more resilient to threats and therefore reduce your risk footprint. Once you understand all the different items in the Framework, you will be able to make an informed decision on balancing cost versus risk to provide the best level of security for your business in the future.
To book in your free security Framework Alignment consultation, please contact us here.