
ICT Security


ICT security is responsible for implementing security measures that protect information using different types of technology. It protects business data in both electronic and paper form.

It's common to hear the term cybersecurity used as a synonym for ICT security. However, cybersecurity is only one subtype of ICT security: it protects company data from attacks coming from the internet, whereas company data also faces security problems outside the internet. These problems can arise from several factors, which are discussed below.

What are the threats to ICT security?

To ensure greater protection of business data, companies focus primarily on the following three basic elements:

The repercussions of physical threats on ICT security

Physical threats can arise for several reasons, such as electromagnetic radiation from a wireless keyboard or free access to a resource, for example a free Wi-Fi network. Free Wi-Fi networks contain sniffers, systems that "sniff" user data. Sniffers can be used to audit the networks, check the company's traffic and monitor its behaviour. However, they are also known because a hacker can use one to capture usernames and passwords, which makes such networks unreliable.

University Wi-Fi networks have sniffers to stop unwanted people trying to enter the system, so they ask students, teachers and collaborators for a username and password before connecting them to the Wi-Fi network. Another physical threat is accidents in the environment where the hardware is located: a fire, a blackout, humidity that is too high or too low, etc.

What damage can logical threats cause?

Logical threats are programs dedicated to damaging the system. They take advantage of the failures and weaknesses of a system to attack it and gain access. They can be:

- Unintentional: a programmer makes a mistake, for example bugs or exploits.
- Intentional: many kinds of programs are designed to cause harm: malicious software ("malware"), viruses, backdoors, spyware, joke programs, dialers, etc.

The user is the weakest link for ICT security

Company employees are the ones who work most with the data, creating, editing and managing it. They are considered the "weakest link", since most security flaws originate with them. It's therefore vitally important that they know how to proceed in order to avoid any improper processing of the data. These users may act actively or passively:

- Active: the user consciously seeks to harm the system or steal information. For example, crackers or black hat hackers, better known simply as hackers, and former employees trying to obtain company information or cause damage.
- Passive: the user harms the system unintentionally, either out of ignorance or by trying to access information they aren't allowed to see. To avoid the second case, document management systems structure the access levels.

Training courses for employees should be given during onboarding, i.e. when they join the company. Onboarding alone isn't enough: the rules need to be refreshed with talks to employees from time to time, and again whenever legislation changes so that the law continues to be respected. Otherwise users may forget or ignore how to do their job safely. Some bad practices that users commonly fall into are:

- Leaving passwords in plain view on post-its and not changing them periodically. Depending on the level of security the company needs, the password may have to be changed every 15 days or every 6 months;
- Using a system that remembers passwords so they no longer need to be typed. Anyone who gained access to the computer would then have access to every company file the impersonated user can reach;
- Opening e-mail without following the company's security protocol, creating duplicates and a possible information leak;
- Using a personal USB drive on a company computer, since it may be infected and pass the virus on to the company's hardware;
- Taking work files home, causing leaks and duplicates;
- Letting others see the computer screen. For example, a bank employee shows a customer the screen with their data; that customer may be a skilled hacker who, just by looking at the screen, can already get an idea of how to sneak into the system.

ICT security management ensures that all the procedures and regulations established to prevent attacks and strengthen the company's ICT security are actually carried out. One of the main measures is employee awareness of the company's ICT security, for example when a new document management system is implemented: companies can ask suppliers to place special emphasis on the ICT security protocol to follow as part of the employee training.

In addition to the company's own ICT security policies, employees also have to comply with regional, national or even international standards to ensure the security of their data. Some of these rules are mandatory, as in the case of the General Data Protection Regulation (GDPR). The GDPR classifies companies and their data according to their level of data processing: basic, medium or high. If a company's users are aware of and know how to handle the personal data they work with, the company will be spared information leaks and unwanted fines.

Others, such as the ISO standards, aren't mandatory, although they are indispensable for carrying out certain activities. They are international standards that companies implement to guarantee and demonstrate their professionalism, for example when a company seeks ISO 27001 certification, which ensures that information security best practices are followed. Among the security measures ISO 27001 calls for is making regular backups and checking that they are correct and can be restored if necessary.

This measure isn't exclusive to that standard; it's recommended for all companies, whether or not they hold it. In fact, it's recommended that the company back up at least once a day. There are two types of backup copy: full and incremental. Full copies back up all company data, while incremental copies only copy what has changed.

Some companies make a full copy at the weekend and incremental copies from Monday to Friday. If the system is lost for any reason, the last weekend's copy can be restored and the incremental copies applied on top of it. How often each type of copy is made depends on the company's protocols and the level of security it needs.
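The restore procedure just described, worked through in code. This is an added example, not code from the original article: the two-week catalogue of copies is constructed, the schedule assumes the full copy is taken on Saturday, and the gap check implements the ISO 27001 point above that backups must be verified as restorable.

```python
from datetime import date, timedelta

def backup_kind(iso_day):
    """Copy the schedule expects on a day: full on Saturday, incremental Mon-Fri."""
    weekday = date.fromisoformat(iso_day).weekday()  # Monday == 0 ... Sunday == 6
    if weekday == 5:
        return "full"
    return "incremental" if weekday < 5 else None

# Constructed catalogue for two weeks, keyed by the day each copy was taken: a full
# copy holds every file, an incremental copy only the files changed since the last copy.
COPIES = {
    "2024-03-02": {"a.txt": "v1", "b.txt": "v1"},                 # Saturday: full
    "2024-03-04": {"a.txt": "v2"},                                 # Monday: incremental
    "2024-03-05": {},                                              # nothing changed
    "2024-03-06": {"c.txt": "v1"},
    "2024-03-07": {"b.txt": "v2"},
    "2024-03-08": {},
    "2024-03-09": {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1"},  # Saturday: full
    "2024-03-11": {"a.txt": "v3"},
    "2024-03-12": {"d.txt": "v1"},
}

def restore_chain(copies, target):
    """Last full copy on or before target ("YYYY-MM-DD") plus every incremental after it."""
    chain = []
    for day in sorted(copies):        # ISO dates sort chronologically
        if day > target:
            break
        if backup_kind(day) == "full":
            chain = [day]             # a newer full copy supersedes the old chain
        elif chain:
            chain.append(day)
    if not chain:
        raise ValueError("no full copy on or before " + target)
    # A lost or corrupt copy after the full copy would be silently skipped on replay.
    day, end = date.fromisoformat(chain[0]), date.fromisoformat(target)
    while day <= end:
        iso = day.isoformat()
        if backup_kind(iso) and iso not in copies:
            raise ValueError("incremental chain is missing the copy of " + iso)
        day += timedelta(days=1)
    return chain

def restore(copies, target):
    """Replay the chain: a full copy replaces everything, an incremental only overlays."""
    state = {}
    for day in restore_chain(copies, target):
        if backup_kind(day) == "full":
            state = dict(copies[day])
        else:
            state.update(copies[day])
    return state
```

Removing one mid-week copy from the catalogue makes `restore_chain` refuse that week, while a restore that starts from the later full copy is unaffected.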

Types of ICT security

Within ICT security there are many subtypes to consider. Cybersecurity has already been mentioned above; below, the different types of ICT security are discussed in greater depth:

Network security

Network security is responsible for protecting the company's network at both the software and the hardware level. Those responsible for keeping the network intact, usable and complete are the network or system administrators.

Administrators look for the weaknesses of a network and take proactive measures to protect it from a possible malicious attack. To do this, an audit is carried out in which a vulnerability report listing the weak points is written.

Cybersecurity

Cybersecurity seeks to prevent and protect against threats coming from the Internet. Therefore, it focuses on the way information is sent and received in browsers.

Cybersecurity is closely related to network security, and the two often overlap, for example when a network interacts with a web application. In that case, to avoid exposing information across the network, companies block possible intrusions with firewalls, anti-malware and anti-spyware.

Moreover, to protect communication channels, enterprise cybersecurity implements protocols such as TCP/IP and encryption with Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Other protection methods are security tokens, WebSockets, end-to-end encryption, etc.

Cloud security

Cloud security is becoming increasingly important as companies increase their use of the cloud, since many of the services and tools developed and contracted today are cloud-based, whether servers, e-mail, data storage, applications or computing.

The company must establish protocols to protect against any danger arising from the cloud, taking into account whether it is public, private or hybrid. For this, a cloud security framework is created with the strategy for managing operations in the cloud, access control, data protection, encryption, etc. Users also need their own security guidelines here so that no infected file is uploaded, since it could infect the rest. Security in the cloud means the server isn't in the office but at another location belonging to a provider. In that case, server security is the provider's responsibility, and the provider has a team of specialists in servers to ensure it.

When the software is installed locally ("on-premise"), the company itself must take care of the security of its servers. To do this, it must take physical security measures where the servers are located, such as fire protection, secure and restricted access to the site, maintenance of an optimum humidity level, etc., and also establish logical security measures such as firewalls and user accounts with passwords.

The security advantage of on-premise is that, if the company wants to make changes or customizations, it can start instantly without waiting for the provider. If the company doesn't have a dedicated, specialized team to maintain the on-site servers, it can outsource this service to a company that specializes in it.

Device Security

This type of security, also known as endpoint security, focuses on protecting the company at the device level, that is, it strengthens data protection at the points where data enters and leaves.

Therefore, any device that intends to access the business network must be authorized to guarantee security. These devices can be smartphones, computers, laptops, tablets, wireless points of sale, among others. In the case of smartphones, if the platform to be used is accessed through a web link, it's easy. The added complexity comes from the operating systems, which don't cause problems for everyday operations but make things more complicated when the mobile must access a specific piece of software.

Some companies provide mobile devices to their employees or offer a "Bring Your Own Device" (BYOD) mode for working outside the office. Both the software provider and the company administrator can register or revoke the authorization of devices. Therefore, if a device is stolen, the supplier must be notified immediately so that it can be deregistered.

The most common form of device security in practice is the virtual private network (VPN). This is the case in the earlier example, where to access a university Wi-Fi network the username and password must be entered on the device. In addition, if an unauthorized person attempts to enter the system through a device, the fingerprint will identify the intruder, access will be denied and the supplier will be alerted to take appropriate action.

Another security measure companies should take is to disable the option of connecting a USB device and of uploading company files to any external file hosting service, for example Dropbox, since there is no guarantee that the server is in Europe or that it complies with the GDPR. By denying the connection, the company is protected in two ways: first, any malware on the user's USB device is kept off the company's systems; and second, data leakage is prevented.

ICT security in a document management system

ICT security takes great care of the company's files, which is why a document management system plays a major role in security. Among the data-protection measures document management provides are user accounts with passwords and different levels of access control. With this measure, employees who shouldn't have access to certain documents can't see them or even know that those folders exist. Managers can disable an employee's account, but they don't know the employee's username and password. This prevents documents from being modified without the employee's knowledge and avoids petty revenge for personal reasons.

If an employee who isn't authorized for a certain document has to access it, they can be granted a temporary permit. Access is allowed with the concession of the manager's or director's key. For example, if a computer engineer wants to access a document he doesn't have access to, his manager and someone in management must give him a password so that he can access it.

In addition, it's recommended to store documents in a document management system. This software lets you work with documents safely, encrypting the folders where the files are kept so that they aren't readable by anyone outside the company. The security measures and features of the document manager vary depending on how the company works, but one feature that's rarely missing is traceability control, since it lets you know who created a document and who has edited it. If an error is detected, you can find out who made it and when, and proceed to fix it.

Traceability is closely related to version control, since you can go back to previous versions of a document. However, the supplier must be told whether or not documents may be downloaded. If users are allowed to download files, the documents must be tracked to find out who downloaded them, whether they were sent to someone and whether that someone forwarded them to more people. If users aren't allowed to download, documents have to be edited from within the system, avoiding duplication of the document and data leakage.
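A small model of the document-management controls described in the last three paragraphs: access levels that hide folders the user may not see, a temporary permit that only a manager can grant and that expires, account disabling that needs no knowledge of the user's password, and a traceability log of edits. This is an added example, not the code of any real document management system; the folders, users, levels and hour-based clock are constructed.

```python
# Constructed sample: the clearance level needed to see each folder, and the
# level and role of each user. A user sees every folder at or below their level.
FOLDERS = {"public": 1, "projects": 2, "board": 3}
USERS = {"alice": {"level": 1, "role": "engineer"},
         "bob": {"level": 3, "role": "manager"}}

class DocumentStore:
    def __init__(self, folders, users):
        self.folders, self.users = folders, users
        self.grants = {}       # (user, folder) -> hour at which a temporary permit expires
        self.disabled = set()  # accounts a manager has switched off
        self.audit = []        # (hour, user, action, folder): the traceability log

    def _authorized(self, user, folder, t):
        """t is the current time in hours since an arbitrary constructed epoch."""
        if user in self.disabled:
            return False
        if self.users[user]["level"] >= self.folders[folder]:
            return True
        expiry = self.grants.get((user, folder))
        return expiry is not None and t < expiry

    def visible_folders(self, user, t):
        # Folders the user may not access are not listed at all, so the user
        # does not even learn that they exist.
        return [f for f in self.folders if self._authorized(user, f, t)]

    def grant_temporary(self, approver, user, folder, t, hours):
        # Only a manager who can themselves reach the folder may concede access.
        if self.users[approver]["role"] != "manager" or not self._authorized(approver, folder, t):
            raise PermissionError(approver + " cannot approve access to " + folder)
        self.grants[(user, folder)] = t + hours
        self.audit.append((t, approver, "grant:" + user, folder))

    def disable_account(self, manager, user, t):
        # Disabling needs the manager's authority, never the employee's password.
        if self.users[manager]["role"] != "manager":
            raise PermissionError(manager + " cannot disable accounts")
        self.disabled.add(user)
        self.audit.append((t, manager, "disable:" + user, "-"))

    def edit(self, user, folder, t):
        if not self._authorized(user, folder, t):
            raise PermissionError(user + " has no access to " + folder)
        self.audit.append((t, user, "edit", folder))

    def editors_of(self, folder):
        # Traceability: who edited the folder, in order, so an error can be traced.
        return [u for (_, u, action, f) in self.audit if f == folder and action == "edit"]
```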

The problem of duplication can also occur if employees pass files around by e-mail instead of through the company system, since that multiplies the number of copies of the document in existence and may lead to errors when carrying out a project. For example, if a construction company is about to start building a shopping centre and several different versions of the validated document exist, construction could begin from a version that isn't correct, and by the time anyone realized it would be too late and the completion date of the work would be delayed.

Another duplication problem arises when employees print documents. In some companies documents are printed so that they can be signed or certified, then scanned and uploaded to the system. Two measures can be taken here. The first is to upload the scanned image to the system and place it in the folder, replacing the previous version or marking it as the updated version so that the printed one is known to be outdated. After the new version has been correctly uploaded, the physical document may need to be destroyed or filed properly so that no one without authorization can consult it.

The second measure involves a change in the way the company works: granting qualified electronic signatures to the users who have to certify and sign these documents. With the signature they could sign the version in the system without having to print, sign, certify and scan. This second measure requires a larger investment of money, for the modifications, and of time, to teach staff how it works. In the long term, however, it saves time and increases efficiency: instead of having to print the document, take it to be signed, sign it, and finally scan and upload it, the document is simply sent to the person in charge of signing, who signs it from the system as soon as it's received and passes it on to whoever needs it.

In other cases, users print the e-mails not because it's company methodology but to study them on paper, make notes and then work on the original or ask a colleague for advice. This practice is inadvisable, since a modification may be forgotten or someone who shouldn't see the document may see it. For this reason it's one of the topics to cover with employees in the security courses and talks, where they are shown where the system's comments section is.

