The story of the IT manager and the six golden rules
27 February 2018
Once upon a time, in an enterprise far, far away, there lived a valiant IT manager and team. The team kept its company’s precious data safe from the evil, horrid hackers. One day, a breach occurred and sensitive data was stolen. Luckily, the company recovered – but only just.
The IT team realised things had to change. Undefeated by the hackers and spurred on by the event, the IT manager embarked on a quest to find out how to keep his company safe. Some time ago, he had heard the myth of six mystical IT experts who held the golden rules for data and enterprise security. With the experts spread across different lands, the IT manager travelled far and wide to find each one.
In the Kingdom of Aeriandi, the IT manager met Tom Harwood, its CPO and co-founder. His rule was to protect the contact centre: “Company castles spend vast sums on keeping data secure, but often overlook the contact centre. This area acts as the castle’s ear to the people, listening to the problems of regular townsfolk and taking payments for castle services.
“But the contact centre also manages sensitive townsfolk data. This area is constantly under attack. Telephone agents are particularly vulnerable to social engineering and manipulation. Often, pesky criminals will gather small amounts of personal information from social media sites and attempt to manipulate contact centre agents with dark magic.
“While customer experience is important, protecting payment data should be the number one priority. The best way for kingdoms to protect townsfolk’s data is ensuring payment details never enter the castle’s contact centre from the outset. With no card data being stored, processed or transmitted through the castle’s systems, the dark magic threat is removed and the kingdom lives happily ever after.”
Next, the IT manager travelled to the Land of the Cloud, where he met Eduard Meelhuysen, head of EMEA at Bitglass. Meelhuysen’s rule was to take responsibility for the cloud, and be aware of its shared responsibility model: “Many company kingdoms have experienced the dangers of having data exposed in unsecured cloud storage databases. Most recently, the kingdom of Octoly unintentionally leaked the details of citizens. These exposures are difficult to stop because they typically originate from human error.
“Under the shared responsibility model, the public cloud vendor’s role is to protect infrastructure and applications so that kingdoms can use them without fearing security flaws. However, responsibility for data stored in these applications and for access to that data is bestowed upon each kingdom. Unfortunately, some IT knights are unsure of their cloud responsibilities, increasing the likelihood of exposures.
“Furthermore, the cloud setup process can be perilous even if one has received ample training. Because of this, kingdoms using the cloud must leverage at least some of the security powers available to them – either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. Kingdoms should also reinforce basic security best practices such as limiting access from outside the corporate castle and encrypting highly sensitive data.”
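The shared responsibility point above is that the storage service will faithfully enforce whatever access policy the customer writes, so the exposure sits in the policy itself. Below is an added example, not code from Bitglass or from the article, that puts a constructed "open to the internet" bucket policy beside a constructed hardened one (access limited to a named role and the corporate address range, plaintext transport denied, unencrypted uploads denied) and runs a small audit over both. The bucket name, account id, role name and IP range are placeholders, and the audit heuristics are this example's own, not any CASB's.

```python
"""Spot the weak settings in an S3-style bucket policy (constructed example)."""
import json

# Constructed weak policy: anyone on the internet can list and read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    }]
})

# Constructed corrected policy: only a named role (placeholder account id and
# role name), only from the corporate range (documentation prefix), TLS
# required, and uploads must carry server-side encryption.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CorporateRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
        },
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
        }
    ]
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True when the statement applies to every caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_policy(policy_json):
    """Return the list of weaknesses found; an empty list means every check passed."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    has_tls_deny = False
    has_sse_deny = False
    for stmt in statements:
        effect = stmt.get("Effect")
        cond = stmt.get("Condition", {})
        # An Allow to the world with no narrowing condition is the classic leak.
        if effect == "Allow" and _is_public(stmt.get("Principal")) and not cond:
            findings.append("public-allow-without-condition:" + stmt.get("Sid", "?"))
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            has_tls_deny = True
        if effect == "Deny" and "s3:x-amz-server-side-encryption" in cond.get("Null", {}):
            has_sse_deny = True
    if not has_tls_deny:
        findings.append("no-deny-for-plaintext-transport")
    if not has_sse_deny:
        findings.append("unencrypted-uploads-not-denied")
    return findings


if __name__ == "__main__":
    print("weak:", audit_policy(WEAK_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
```

The audit is deliberately narrow: it reads only the policy document, so it will not see account-level public access blocks or default bucket encryption, and a clean result here is one input to the provider's own checks rather than a substitute for them.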
The IT manager then walked hundreds of miles to the Cybersecurity District, where he met two experts on the same day. First, he spoke with Stephen Moore, chief security strategist at Exabeam, whose golden rule tackled the insider threat:
“There are some hard truths to accept when defending your IT Kingdom. One truth is that you can’t always trust your citizens – the employees, third parties and machines operating inside your network. Network defences are commonly toppled from the inside, and this kind of threat can be much harder to detect.
“On the one hand, an external adversary could gain access to your system using stolen credentials from one of your trusted insiders. The compromised individual is unaware their credentials are being used. On the other hand, you may have ‘malicious insiders’ in your network – employees working for their own benefit. Malicious insiders may be selling your secrets to competitors or may have other reasons to cripple operations.
“For this same reason, it’s important to monitor the accounts of those who have recently left the company. You also need to understand the normal behaviours of everyone that accesses your network. When you know the typical behaviour of your network citizens, you can more easily spot anomalies. To do this, you need a means to track each and every activity and pull this together into a single storyline.”
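The approach Moore describes, learning each account's normal hosts and hours, flagging departures from that baseline (including any activity from accounts that should have been closed), and stitching the flagged events into a per-user storyline, is shown below as an added example. It is not code from Exabeam or from the article; the log lines, host names, user names and the departed-accounts list are all constructed, and the baseline rule (one hour of slack either side of the observed working hours, any previously unseen host) is this example's own simplification.

```python
"""Baseline-and-anomaly check over constructed authentication logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (no real system): timestamp user action host
BASELINE_LOG = """\
2018-02-05T09:02:11 alice login fileserver01
2018-02-05T09:40:03 alice read fileserver01
2018-02-06T08:55:47 alice login fileserver01
2018-02-06T10:12:30 alice read fileserver01
2018-02-07T09:10:02 alice login fileserver01
2018-02-05T13:30:00 bob login hr-db
2018-02-06T14:05:10 bob read hr-db
2018-02-07T13:45:55 bob login hr-db
"""

# Constructed list of accounts whose owners have left the company.
DEPARTED_USERS = {"carol"}

# Constructed events from a later week, to be judged against the baseline.
NEW_EVENTS = """\
2018-02-12T09:15:00 alice login fileserver01
2018-02-12T23:47:12 alice login hr-db
2018-02-13T03:02:44 alice read hr-db
2018-02-12T13:20:09 bob login hr-db
2018-02-12T18:30:00 carol login fileserver01
"""


def parse(lines):
    """Turn the space-separated log format above into a list of event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, action, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "host": host})
    return events


def build_baseline(events):
    """Per user: the hosts they touched and the hours of day at which they were active."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def score_event(event, baseline):
    """Return the reasons an event deviates from the baseline (empty list: looks normal)."""
    reasons = []
    if event["user"] in DEPARTED_USERS:
        reasons.append("departed-account-activity")
    profile = baseline.get(event["user"])
    if profile is None:
        if event["user"] not in DEPARTED_USERS:
            reasons.append("no-baseline")
        return reasons
    if event["host"] not in profile["hosts"]:
        reasons.append("new-host")
    # Tolerate one hour either side of the hours seen during the baseline window.
    earliest, latest = min(profile["hours"]) - 1, max(profile["hours"]) + 1
    if not earliest <= event["ts"].hour <= latest:
        reasons.append("off-hours")
    return reasons


def build_storylines(events, baseline):
    """Group flagged events per user in time order so an analyst sees the sequence."""
    stories = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = score_event(e, baseline)
        if reasons:
            stories[e["user"]].append((e["ts"].isoformat(), e["action"], e["host"], reasons))
    return dict(stories)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for user, story in build_storylines(parse(NEW_EVENTS), base).items():
        print(user)
        for ts, action, host, reasons in story:
            print("  ", ts, action, host, ", ".join(reasons))
```

Run as written, alice's daytime login to her usual file server passes, her late-night login and read on the HR database are flagged on two grounds, and carol's login is flagged purely because the account belongs to someone who has left. A real baseline would use a longer window and per-weekday profiles, but the shape is the same: the storyline is what turns three separate alerts into one narrative an analyst can act on.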
The IT manager then spoke to Jan Van Vliet, VP and GM EMEA at Digital Guardian. He suggested people stop focusing on protecting the network, and instead focus on protecting data: “A common mistake is to think data is safe because it resides within the company fortress. Thanks to flexible working, data travels to distant shores and beyond! This means IT teams have to protect data that they cannot touch or see.
“No fortress is completely unassailable – and IT teams must prepare for the inevitable breach. Using data-centric security technologies can prevent theft of sensitive data. It will also ensure that even if someone has access to the data, they are prevented from copying, moving or deleting it without approvals. This technology limits the threat from human error or insider threats, as people quickly become aware of the impact of their actions – whether deliberate or a genuine mistake.”
Spurred on by finding such helpful experts, the IT manager travelled to the River of the MSPs, where he found Dave Ricketts, head of marketing at Six Degrees. He suggested outsourcing when necessary: “Keep evil hackers at bay by enlisting a team of technology experts who can provide the security and management your kingdom’s data needs to stay safe and compliant.
“With increasing incidences of breaches and legislation, strengthening your armour by investing in external assistance can be just the support and assurance you need. Many experts or multi-service providers (MSPs) have data centres that are correctly accredited and certified, adding an extra layer of assurance that your data is secure and compliant.
“Combining the increased security of a separate IT environment with the improved operational performance and economics of using a data centre would be the double protection equivalent of a moat and a secure drawbridge around your data.”
Finally, the IT manager climbed the Hyve Hill to find Jon Lucas, director at Hyve Managed Hosting, whose golden rule was to understand that fairy tales can teach essential lessons: “Whether it’s the misplaced trust and deceit in Little Red Riding Hood or the costly shortcuts taken by the Three Little Pigs, fairy tales remind us of the grim impact of making poor choices.
“But all these issues and more – trust, deceit, good vs. evil, danger and disaster – are part of today’s IT security narrative. And the most common thread for most security problems is that we don’t learn from the past. The same mistakes are made. We need new priorities and perspective. Individuals need to take greater responsibility, and companies need to do what’s right.”
With these golden rules, the IT manager travelled back to his enterprise more knowledgeable and confident than ever before. By implementing the experts’ changes, the IT team lived happily ever after, and their company data stayed safe forevermore.