IT budget planning for 2021 will be dramatically different from any other. The impact of Covid on IT is very evident, but even more impactful is the onslaught of criminal attacks against organizations. If something tangible like fires caused as much damage to American businesses as these attacks, there would be nothing else on the news other than people demanding the government take action. We are under attack as a nation and organizations must make security our chief goal with our 2021 budgets.
Good enough isn’t good enough. We must take these continually evolving threats as the number one existential threat to our organization.
2020 is, in fact, the year where security finally became ingrained in most organizations. The attacks from adversarial actors became so dramatic and skilled that there are no longer pushbacks on implementing security. It is as much true in IT as anywhere that defense wins championships, and 2021 is the year where your defense must be strengthened. These efforts will come at a short-term financial cost, but just as it is true that there is nothing more expensive than a cheap lawyer, there is nothing more costly than security dollars not spent.
The following are some key security areas to be budgeted if they haven’t been implemented yet.
The risk of employees giving up their credentials is constant and real. Office 365 anti-spam doesn’t hold up to the onslaught of spear-phishing attacks. Employees routinely fall victim to these and give up their credentials, putting the entire organization at risk.
The ultimate solution for this is Multi-Factor Authentication (MFA) everywhere. Office 365 and any remote access into the environment (Citrix, VPN, etc.) must be protected via MFA. If an employee gives up their credentials, they can put the entire environment at risk of total destruction. It is an unfortunate fact that every organization has an employee that has given up their credentials. MFA can help protect against these risks.
Implement an effective anti-spam solution
To help defend against the onslaught of spear-phishing attacks, an organization needs a reliable, effective solution. Office 365 is the best communications platform out there, but it’s anti-spam is sorely lacking. There are many other solutions available that do a significantly better job of defending from these attacks. An investment would be extremely beneficial for the organization, protecting from ACH fraud, crypto locker, etc. We can help with recommendations if you’re unsure where to start.
Phishing Attack Training
Employees need to be trained on how to protect themselves against spear-phishing attacks. These attacks are ever-present. Yes, every organization must have processes in place to verbally confirm any changes to ACH payments, etc., but at the end of the day, employees are your ultimate line of defense.
Systems can be put in place where users are trained on how to protect themselves from cyber-attacks. More importantly, they can then be tested through simulated spear-phishing attacks. Nothing does a better job than these simulated attacks to train your people.
Backups just aren’t good enough. At an absolute minimum, an organization needs to be able to snapshot back after an attack. Speed is the essence here. Returning to operations is critical to meet customer needs. Snapshots are often the best way to accomplish this. They allow you to fall back to a solid image of your virtual servers to return to a trustworthy state quickly.
Companies must plan for a cyber intrusion, and these snapshots are often the best last line of defense.
Take the time and ensure your business has adequate cyber insurance. Every organization must plan on being attacked, and having this insurance can be vital in recovering from an attack. Ensure that you have proper coverage and, equally importantly, know how to execute the policy should it be needed.
Personal Identifiable Information
Every organization must review their networks of servers and workstations to ensure that Personal Identifiable Information (PII) isn’t present. We all know that the best way to keep a secret is to not tell anyone. Likewise, the best way to not lose PII is to ensure it isn’t stored on your network. Review your environment and clean out any PII living there.
It is important to not take HR’s word on this. Do a formal review. It is amazing how much PII gets errantly stored in environments accidentally. Do the work upfront and get your environment clean.
2021 has to be the year where Business Continuity is something we do, not something we talk about doing. Now is the time to budget the effort and expenses to implement it. Remember, this is an operations project, not an IT project.
IT must inform the discussion and implement potential workarounds where necessary, but IT cannot make Business Continuity a reality. We must integrate with the business leaders to make this a reality. We will help lead the discussions to ensure the leaders understand what could happen. As we grow to understand how the business can function on a short-term basis without IT, we can help inform how continuity can be achieved.
The ultimate goal should be to turn IT into a competitive advantage. Having strong security is the foundational first step to achieving this lofty vision. To achieve this basic block and tackling must be done. Once in place, organizations can focus on more dramatic reaches for IT where the business truly changes. After all, with the compute power available today, what legacy business process won’t change?
Let’s get security right so that we can move to the next level.