What Should An IT Department Do In Relation To Cyber Security?
UK law firms are now starting to realise that responsibility for cyber security doesn’t just lie within the IT team, and that technical controls alone can’t protect a business from today’s attacks.
I often see the phrase ‘cyber security is a people issue not an IT issue’. It’s true that this needs to be a shared responsibility, but there are some basic things that you should expect your technical team to do to minimise the risks.
Know your infrastructure
It takes an average of 206 days to detect a cyber attack.
This means that a successful intrusion into your network goes undetected for a significant length of time. Your IT team should know normal patterns of behaviour for your network.
The only way to do this is to get to know the heartbeat of your infrastructure.
Early detection of unusual patterns of traffic such as overseas IPs, unusually large amounts of data transfer could help to spot a breach early and minimise the damage, but this is only possible if your team know what normal behaviour is.
The same applies to users.
Whilst user monitoring is often a controversial issue, it’s always advisable to know what regular login times are, email volumes etc. for your users. Anomalies in this could highlight the work of a malicious insider or a user whose credentials have been compromised.
Be smart with Domain Name Systems (DNS)
Basic email security is essential. User training is crucial, but every IT department should have implemented basic DNS protections for your domain.
This should be a combination of SPF, DKIM and DMARC as a bare minimum. DMARC is recommended by the National Centre for Cyber Security and there are some really good tools around to help with config so there should be no excuses here.
If not the most basic yet vital protection.
The WannaCry ransomware attack of 2017 spread so rapidly due to unpatched operating systems. Under no circumstances should a firm be using legacy systems that are unsupported by the vendor.
Make sure your team are applying patches as soon as they are released and keeping logs of when systems and software are patched.
It’s particularly important to regularly patch particularly vulnerable software such as Adobe, Java and WordPress.
On 14th January 2020, Microsoft announced that it would no longer be providing technical support for its outdated operating platform Windows 7. Two final patches were issued at the end of January, but now the system lies vulnerable as no other updates are said to be sent out. Upgrading your operating platform to a newer version will prevent this issue from becoming a problem.
I have lost count of the number of times that I’m asked to provide temporary admin access, make an exception to a control for the benefit of speed etc.
Access control processes are there for a reason. If they are often bypassed, they become not worth the paper they’re written on and can leave a firm open to attacks through elevated permissions.
These attacks need not be malicious but more so a careless action by an employee.
Keep up to date
IT departments should keep up to date with industry and global cyber security trends.
I would expect my team to be familiar with the latest attacks and to make recommendations to prevent similar ones happening to us.
Although this research and reading takes time, it’s a worthy investment.