IT security

Andreas Mühlbauer

Structured processes are the be-all and end-all

Cyber risks continue to increase and companies are forced to increase their IT security. Elementary measures include the establishment of structured security processes and the introduction of an information security management system (ISMS).

IT security puts companies under obligation. © CGI

Many companies, especially in the SME sector, invest too little in IT security, usually for cost reasons. This can go well for a long time, but there is no guarantee that it will. It carries a high risk potential and can result in considerable damage. In particular, legal requirements (including the IT Security Act 2.0 and the GDPR) are putting SMEs and operators of critical infrastructures under considerable pressure. The possible consequences of negligent handling of information security range from simple data theft, industrial espionage and denial of service to blackmail, most notably through ransomware. Companies should also not ignore the ever-increasing fines imposed for GDPR violations: fines in connection with the IT Security Act 2.0 are set to be significantly adjusted this year.

In view of the high cyber risks and the threat of sanctions, hardly any company, let alone any government agency, can do without a comprehensive IT security strategy. Fortunately, this realization is becoming increasingly widespread, meaning that more is being invested in IT and information security than in the past in order to avoid jeopardizing one's own business and company values.


The task is clear: if companies want to remain successful in the digital world, they must pursue an efficient, end-to-end information security strategy and permanently establish an information security management system (ISMS). The aim of such a strategy must be to take security measures that are appropriate to the respective risk and to continuously evaluate the company's own procedures and techniques. Sensibly applied cyber security requires an organization-wide, structured approach that can also accommodate changes in the business structure. Conversely, any change in the business structure must in turn be accompanied by such an organization-wide, structured approach to IT security.

Experience shows that the introduction of an ISMS is only successful if the management level of a company is effectively committed to it from the outset: without sustained management buy-in, there will be no sustainable information security. The involvement of the board or management level is important simply because investments have to be made in order to implement information security. In addition, management must of course support any changes and convince employees of their necessity. After all, the implementation of security measures can also be laborious, make work processes more difficult or even have a demotivating effect. In practice, a basic security check (quick check) has proven to be extremely helpful. Any company in any industry can use it to quickly gain a good and practical overview of its own information security status.

Norms and standards lead the way

The positive thing about information security is that no company has to start from scratch. Established standards are available and should be used. ISO 27001 and the BSI's IT-Grundschutz (IT baseline protection) in its modernized form, for example, are flexible enough to cover the requirements of a wide range of companies, for example with regard to company size, the complexity of the infrastructure or the need for protection. The BSI's "Guide to basic protection in accordance with IT-Grundschutz: 3 steps to information security" is particularly suitable for small and medium-sized companies. It contains reduced requirements and supports the rapid introduction of an ISMS. In addition to such standards, internal compliance requirements must of course also be observed.

Risk assessment is the starting point

Concept for the introduction of security processes. © CGI

A comprehensive risk assessment - in BSI terms, a structure analysis and protection requirements analysis or, as part of business continuity management, a business impact analysis - is always the first step in defining a security strategy and implementing an ISMS. It makes no sense to take security measures if the risks have not been analyzed and assessed. The result of a risk analysis can also be, for example, that certain security measures are deliberately not taken because the effort involved is disproportionate to the potential damage; the saying "don't use a sledgehammer to crack a nut" applies here too. On the other hand, IT systems that are crucial to the company's value creation must be protected to the maximum.

A holistic risk assessment is therefore an indispensable basis for an efficient security strategy. The minimum requirements include clarifying the following questions:

  • What does my information network look like? Which IT systems are available? Which business units use which systems?

  • How vulnerable are the systems really? Are the IT systems targets only of script kiddies, or also of organized criminals or even intelligence services?

  • Where does data leave the company? What do the interfaces look like?

  • What happens to the business if certain IT systems fail?

  • How likely is a failure - whether due to an attack or a technical defect?

  • How much will it cost to fully or partially restore operations after a failure?

  • What other costs does a failure entail, for example with regard to fines due?

  • How much does a comprehensive backup of all relevant systems cost?

Solution selection and employee qualification

Based on the specified strategy, the necessary security solutions and tools must be introduced. It is necessary to evaluate the solutions in question, carry out cost-benefit analyses and clarify installation, operation and maintenance issues. Under certain circumstances, the use of consulting services from external service providers can be useful in this process. Complete outsourcing of IT security can also be a recommended approach for many companies due to resource bottlenecks.

It is of fundamental importance that the existing workforce can implement the security strategy, i.e. the necessary qualifications must be available in the company. In addition, a company must define responsibilities for the implementation and control of organizational measures and undertake activities to motivate and raise awareness among employees. As part of an ISMS, it is an absolute must to create and demonstrate a training and awareness concept. The question of outsourcing also arises with regard to the security expertise available within the company. A company should consider whether it is more cost-effective to train its own staff or involve external experts.

Overall, a structured approach is required when establishing security processes; isolated, selective activities are unlikely to lead to success or to a consistently higher level of security. It is also important that the security culture is lived within the company: although management is the starting point, the subsequent awareness of employees is essential.

Despite all reservations about the costs associated with security measures, one aspect should not be neglected: security is always an opportunity to assert oneself in the market. Medium-sized companies in particular, which act as suppliers to organizations or institutions of high governmental importance (critical infrastructures), must increasingly provide evidence of their information security. Security is therefore increasingly becoming a competitive factor.

CGI's recommendation for action

According to CGI's best-practice experience, the following approach to establishing an information security management system has proven successful:

  • Basic security check (ISMS quick check)

  • Carrying out a structure and protection requirements analysis

  • Preparation of a comprehensive and detailed risk assessment

  • Definition of a catalog of measures

  • Securing critical assets through suitable measures

  • Taking low-hanging fruit measures to achieve quick success with little effort

  • Securing non-critical assets in a further step

One point must not be ignored: security is a process, which means that a continuous review of the measures taken in accordance with the PDCA cycle (Plan-Do-Check-Act) is also essential. This should take place at least once a year.

Andreas Kirsch, Director Consulting Services and Teamlead for IT Governance, Risk and Compliance at CGI in Cologne.
