Anne-Marie Eklund Löwinder IT-Security Expert. Internet Hall of Fame inductee since 2013.

IT security in a digital age - can we connect everything and protect ourselves at the same time?

Published: 13 December 2021

Today's production facilities are constantly connected, machines can be controlled remotely via the internet and data can be exchanged within a few seconds. In step with digital development, we see more and more examples of recurring, frequent and more or less sophisticated cyber attacks. This is the new normal and something we must be prepared for.

Today's IT environments consist of a jumble of systems, applications and programs, each maintained by one or more vendors. Often an entire industry uses the same vendor and the same type of system, application or software. Updates must be done regularly and quickly. There are frequent shortcomings in the controls on what is put into production, there is no longer any test environment, and most things happen automatically. A clear example of this was the update of software from Kaseya that affected thousands of companies globally, including Coop in Sweden.

Many businesses outsource their operations to so-called cloud service providers. It does entail certain risks, such as the lack of competence internally, but it adds to others. This should not be overlooked. Cloud service providers often have plenty of resources and do good security work, but they are not immune. On the contrary, they have become an increasingly popular target for attacks. If you, as an attacker, succeed in taking down a cloud service, you have taken down several connected businesses at the same time.

Not taking IT security seriously from the idea and design stage leads to large costs once the problems have to be handled. It's like ignoring a toothache and hoping it will go away, when eventually it requires painful treatment and maybe even a root canal.

There are three important design principles to take with you:

1: Minimize the attack surface
The attack surface represents all the entry and communication points that an information system exposes to the outside. The attack surface can relate to software (operating system, libraries, read/write access), a network (open ports, active IP addresses, network feeds, protocols in use), a human (phishing, social engineering) or a physical intrusion (such as inside the building).

2: Restrict permissions
The French Cyber Security Agency (ANSSI) specifies this principle as meaning that an administrator should only have access to administrative zones where there is an operational need, without any technical possibilities to access any other zone.

3: Defense in depth
The term Defense in depth comes from the military, and the purpose is to sink the enemy. Threats are countered with coordinated and independent lines of defense. In the same way as a gate, security must be monitored, protected and have a continuity plan in the event of an incident.

Putting these three principles into practice from the idea stage of an application, a system, a connected object or a piece of software does not, of course, guarantee full resistance to attacks or intrusions, but it does create an environment where you can do what you can based on the risks that exist.

To read more about IT security, there is a longer article by Anne-Marie here. There you can also find her tips and advice on working with these issues.
