
Security and Risk Management

What is security architecture?  Well, in a nutshell, it is the set of technical security elements used to mitigate risks to the network.  Many of you may have read or heard me talking about the difference between IT Security, i.e. the technical elements, and Cyber Security, i.e. the risk-managed elements, a more holistic approach if you like.  That remains the case, but security architecture, in order to be fully effective, has to be based on risk management: if you haven’t identified the risks, how can you be sure that whatever technology you’ve been persuaded to buy is necessary and effective?


All SMEs will have things like a firewall and anti-virus, possibly going a step further and having some form of endpoint protection against most malware attacks.  But how did they arrive at the products they have purchased and taken into use?  Generally, that is based solely on the recommendation of whatever IT support company they bought it from, usually the local IT company that supplies their hardware and software and often provides technical support as well.


I’m not against building a relationship with a local IT provider; in fact it’s a very good idea.  But all SMEs have to realise that those companies are what is known as Value Added Resellers, or VARs.  That means they have a relationship with particular hardware and software vendors, and their staff are trained in the installation, configuration and sometimes maintenance of those vendors’ hardware and software.  Is that a problem?  That depends very much on how the requirement for a solution was arrived at.  Was it based on identifying the risk through some form of risk assessment process, or was it arrived at because those are the products they sell and are comfortable with?  All too often it’s the latter.


I’ve also talked elsewhere about the other, non-technical controls that might be required, such as policies and processes.  That is another subject, but one which is vitally important and which can often protect a company better than expensive tech.


How many SME owners have had the reasoning behind the purchase of technical solutions explained to them?  And, to be fair to the VAR, how many SME owners have asked for it to be explained?  It is typical, when I visit SMEs, to find that they have what is known as a flat network.  That means they have one gateway into the network, introducing a single point of failure, and no segmentation within the network.  Lack of segmentation means that once an intruder is in (and often the gateway firewall is an entry-level combined firewall/router, not the best), there are no further controls to stop the intruder from attacking endpoints, for instance your finance department or finance person, or from quietly taking whatever data they want, so that you don’t even know you’ve been compromised.


Segmentation need not be overly expensive to implement and may save a lot of money in the long run.  But the main point is that unless you have carried out a risk assessment, you don’t actually know whether you need it or not.  Neither do you know whether your firewall and/or router is up to scratch, whether your anti-malware system is doing what you think it’s doing, whether your policies and processes are adequate for the task, or whether your staff understand the issues and dangers.
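To make the flat-versus-segmented point concrete, here is a small added illustration (my own example, not part of the original post or any H2 engagement) that models which hosts an intruder on one compromised office PC can reach under each design.  The hosts, zones and firewall policy are constructed for the example; the segmented policy only permits office and finance machines to reach the server zone, so the finance PC is out of reach from a compromised office machine.

```python
"""Added illustration: blast radius of one compromised endpoint in a flat
network versus a segmented one.  Hosts, zones and rules are constructed
examples, not taken from any real SME network."""
from itertools import product

# Constructed inventory: each host belongs to a zone (VLAN / segment).
HOSTS = {
    "reception-pc": "office",
    "sales-laptop": "office",
    "finance-pc": "finance",
    "file-server": "servers",
}

# A policy is the set of (source_zone, dest_zone) pairs the firewall permits.
# Flat network: everything shares one broadcast domain, so all zones reach all.
FLAT_POLICY = {(a, b) for a, b in product(set(HOSTS.values()), repeat=2)}

# Segmented network: office and finance may reach the servers; nothing else
# crosses a segment boundary.  Traffic inside a zone is always allowed.
SEGMENTED_POLICY = {
    ("office", "servers"),
    ("finance", "servers"),
}


def reachable_from(compromised, policy):
    """Hosts an intruder on `compromised` can reach under `policy`
    (same zone is always reachable; cross-zone only if the policy permits)."""
    src_zone = HOSTS[compromised]
    return {
        host for host, zone in HOSTS.items()
        if host != compromised
        and (zone == src_zone or (src_zone, zone) in policy)
    }


def exposure_report(compromised):
    """Compare the blast radius of one compromised host under both designs."""
    return {
        "flat": reachable_from(compromised, FLAT_POLICY),
        "segmented": reachable_from(compromised, SEGMENTED_POLICY),
    }


if __name__ == "__main__":
    for design, hosts in exposure_report("reception-pc").items():
        print(f"{design:9s}: {sorted(hosts)}")
```

The same model can be fed a real zone inventory and the rule set exported from a gateway to check, as part of a risk assessment, whether the segmentation actually bought is the segmentation that was assumed.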


None of these things need be complicated or difficult, but they are essential to protect you adequately against an increasingly sophisticated and ever-evolving cybercriminal community.


Here at H2 we are always happy to work with local IT providers to design affordable and flexible one-off and ongoing data protection and cyber risk protection services.