Cyber Security

Do you use confidentiality agreements before disclosing information about future products or marketing plans?

This is one of the most common questions we come across when we begin to develop rules for information security. It is equally important to develop plans to deal with disruptions and interferences. These emergency plans, business continuity plans and contingency plans are what often make the difference for a company to survive a crisis.

We analyze the current environment and develop proposals for improvements. This can include policy work, employee training, developing of checklists, operating security issues together with management and ensure that plans are implemented.

Information security is a strategic, tactical and operational work where the common theme is based on identifying a good risk economy, meaning that security costs are balanced against the benefits it brings.

IT and Security Audits

Do you know how your rules are handled in practice? The uncertainty often leads to wrong investments based on subjective judgments.

In our audits, we assume your rules and guidelines, but we also check the relevance against the standards and frameworks such as ISO 27000, ITIL and Cobit. Some examples of audits that we usually do are

  • General IT controls where we verify that a basic control exist.
  • Application audits where we verify that critical applications provide a good internal control.
  • Subject-specific audits, where we consider individual areas or events such as projects, interruption and disruption management, contract disputes, performance issues, management of outsourced operations and validation of systems to be put into operation.

The real benefits of IT and Security audits is that you get a basis for decisions to implement improvements and you create a better standby to manage unwanted incidents.

Why is IT security an ever-current issue?

Society has never been so exposed to threats to IT systems as it is now. “Information warefare” is no longer science fiction, it has resulted in targeted attacks on, among other things control systems and important social functions.

We have seen how computer viruses have escalated in scope and become so sophisticated that they change form and content to circumvent the protections used. Malfunctions and misconfigurations in servers, systems and network components have been shown to open up networks for infringement of a large number of well-known companies where company secret information, personal data and credit card numbers have been lost.

The biggest difference to the past lies in the fact that the threats have become much more planned and personal with a single purpose: MAKE MONEY.

Basically, IT security is about creating well-designed IT systems that can withstand intrusion attempts and limit the effect of incorrect configuration. It is also about creating and maintaining an IT security architecture that can safely manage mobile devices, provide support for active use of social media and manage changes in operations with reorganizations and mergers without compromising security.

When it comes to “Cloud Computing”, IT security concerns are one of the strongest inhibitory factors to dare to take the step fully, which is evident in a wide range of studies. This also applies to outsourcing and collaboration with business partners, where system outages have devastating consequences. When we look at business systems, this means that you have to take the step from the security requirements that exist on the paper to being introduced in IT systems and in business processes. It is about introducing “Identity Management” solutions to prevent outside infringement and that you do not abuse information and privileges internally. It is equally important that data is not corrupted, lost or misused, where redundant systems and secure storage are a matter of course.

In this context, it is necessary to work with measurable security that complements existing SLAs in order to have a good control of the IT environment of IT security.

Your documents may contain hidden information

There is more information than you can believe in many of the files that a company’s employees attach to their email… They contain not only the text you see directly, but also hidden data called metadata, which is simpler data describing data!

Metadata in documents can contain sensitive information that could potentially cause great harm to the company if it gets into the wrong hands. On average, about 10% of all business-related emails contain such, potentially harmful, information according to recent statistics.

This metadata can include information such as the document’s author, date when it was created, previous versions, pasted text, deleted text, traceable changes, and comments. You can also see who sent and received the document via email!

Virtually all file types contain metadata. Due to their wide spread and use in companies, files from Microsoft Word, Excel, PowerPoint and PDF files and images are the most likely to contain potentially harmful metadata.

The consequences of unconsciously releasing hidden data can range from less embarrassing to astronomically costly!

In the latter category we find the drug giant Merck where metadata found in a document proved that they had deliberately erased cardiovascular risk information when using the drug Vioxx before submitting information to the New England Journal of Medicine.

This resulted in Merck having to pay $ 950 million in damages and plead guilty to the criminal charge, according to The New York Times.

New platforms set new demands!

According to a recent survey conducted by the SANS Institute on more than 100 large companies and 1000 smaller companies in the US and Europe, on how they reason about Information and IT security, the following interesting facts can be read:

About 75 percent of the companies surveyed are more or much more concerned about IT security problems and different types of infringement now than they were a year ago.

Over 70 percent of those surveyed are actively discussing how to protect and control access to data in the cloud or virtual environments, via encryption or various authentication solutions. Mobile device authentication, certificate-based authentication, software authentication, and browser-safe solutions top the list of interest in new authentication solutions.

More than 45 percent of those surveyed indicate that they are interested in these new authentication solutions.

Just over 67 percent of those surveyed have come a long way in their planning to implement new solutions for authentication and data protection in the cloud, in virtual environments or in mobile platforms. This development is largely driven by increased use of these new platforms.

More than half of all respondents say they are looking for or will be looking for new solutions to protect and authenticate data in the cloud, in a virtual environment or in mobile platforms in order to implement this within 9-12 months.

In addition, 95 percent of all respondents believe that, although encryption of data or authentication of access to data is important for the future, these solutions must be supplemented by periodic security and vulnerability analyzes of all internal IT systems to verify that all systems keeps the right level. Parallels are drawn to companies that back up their data but then do not check that these backups can be read back, but only discover this at a sharp position where important data cannot be recovered.

It is important that you do not blindly trust that the security solutions you have are functioning properly without actually verifying this fact. If an intrusion occurs, it is also important to be able to identify which path the attacker used to fix the vulnerability and potentially be able to track the attacker.

The fact that more and more companies are adopting new technologies and new platforms also entails completely new requirements for applications and solutions for managing data security, but also means that new methods and tools for controlling the security of these applications and solutions must be implemented.