
The Information Security Specialists
09 Feb 11

Assess risk to manage effects of budget cuts

Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future.

TechMarketView estimates that a 10 to 30 per cent spending reduction in software and IT services (SITS) in local and central government over the next two years will be the longest and most severe downturn in the 50-year history of public sector IT.

Even with the recent Government announcement identifying cybercrime as a significant threat to be tackled, spending is still likely to remain flat.

Yet despite these unprecedented financial constraints, IT departments are still expected to meet ever more stringent and complicated compliance regulations, respond to evolving threats, and provide new systems for staff who, for example, want to work remotely and are actively being encouraged to work online.

So how can IT professionals continue to maximise security without compromising availability? Assessing risk is key to robustly managing the effects of budget cuts. Conducting a comprehensive review of internal and external networks and data will highlight the essential areas that need protecting. It will not be possible to fix all the issues, but prioritising those that are high-risk or compulsory for your business or organisation will help you to allocate spending.

A thorough assessment will also identify the services and software that are being paid for but rarely used. In addition, the review provides a good opportunity to boost IT decision-makers' knowledge of technical issues. Having a basic understanding of the whole range of systems and software in use will help ensure costs are being assigned appropriately.
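The prioritisation described above, funding compulsory items first and then the highest-risk remaining issues the budget will stretch to, is illustrated here as an added example that is not part of the original article or of NTA Monitor's own tooling. The findings, their 1 to 5 likelihood and impact scores, and their remediation costs (in whole units, say thousands of pounds) are constructed; the likelihood times impact score is an assumed, simple risk rating, and the 0/1 knapsack selection for the optional items is one reasonable way to get the most risk reduction from a fixed sum.

```python
"""Risk-based prioritisation of assessment findings under a fixed budget.

Added illustration (not the article's or NTA Monitor's own code).
Scoring scheme and sample findings are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain) - assumed scale
    impact: int          # 1 (negligible) .. 5 (severe)   - assumed scale
    cost: int            # remediation cost in whole units (constructed, e.g. GBP thousands)
    mandatory: bool = False  # required by regulation or contract: must be funded

    @property
    def risk(self) -> int:
        """Simple likelihood x impact rating (assumed scheme)."""
        return self.likelihood * self.impact


@dataclass
class Plan:
    funded: list[Finding] = field(default_factory=list)
    deferred: list[Finding] = field(default_factory=list)
    unfunded_mandatory: list[Finding] = field(default_factory=list)  # budget shortfall to escalate
    remaining: int = 0

    def is_feasible(self) -> bool:
        """False when compulsory items could not all be paid for."""
        return not self.unfunded_mandatory


def _best_subset(items: list[Finding], budget: int) -> list[Finding]:
    """0/1 knapsack: the subset with the highest total risk score whose
    combined cost fits within the budget."""
    n = len(items)
    # best[i][b] = max total risk using the first i items with budget b
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, f in enumerate(items, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if f.cost <= b:
                candidate = best[i - 1][b - f.cost] + f.risk
                if candidate > best[i][b]:
                    best[i][b] = candidate
    # Walk back through the table to recover which items were chosen.
    chosen: list[Finding] = []
    b = budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(items[i - 1])
            b -= items[i - 1].cost
    chosen.reverse()
    return chosen


def prioritise(findings: list[Finding], budget: int) -> Plan:
    """Fund compulsory findings first (highest risk first), then spend what is
    left on the optional findings that remove the most risk."""
    plan = Plan(remaining=budget)
    mandatory = sorted((f for f in findings if f.mandatory), key=lambda f: -f.risk)
    optional = [f for f in findings if not f.mandatory]

    for f in mandatory:
        if f.cost <= plan.remaining:
            plan.funded.append(f)
            plan.remaining -= f.cost
        else:
            # A compulsory item the budget cannot cover: the plan is not
            # deliverable as it stands and must be raised with management.
            plan.unfunded_mandatory.append(f)

    chosen = _best_subset(optional, plan.remaining)
    chosen_names = {f.name for f in chosen}
    plan.funded.extend(chosen)
    plan.remaining -= sum(f.cost for f in chosen)
    plan.deferred = [f for f in optional if f.name not in chosen_names]
    return plan


# Constructed sample findings for the example (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing VPN gateway", 5, 5, cost=6),
    Finding("Weak password policy on staff portal", 4, 4, cost=3),
    Finding("Data protection policy document", 2, 3, cost=2, mandatory=True),
    Finding("PCI DSS remediation actions", 3, 4, cost=6, mandatory=True),
    Finding("Legacy file server without backups", 3, 5, cost=7),
    Finding("No security awareness training", 4, 3, cost=2),
]


if __name__ == "__main__":
    plan = prioritise(SAMPLE_FINDINGS, budget=20)
    for f in plan.funded:
        print(f"FUND   risk={f.risk:2d} cost={f.cost}  {f.name}")
    for f in plan.deferred:
        print(f"DEFER  risk={f.risk:2d} cost={f.cost}  {f.name}")
    for f in plan.unfunded_mandatory:
        print(f"SHORT  risk={f.risk:2d} cost={f.cost}  {f.name}  (compulsory, unfunded)")
    print(f"feasible={plan.is_feasible()} remaining={plan.remaining}")
```

With a budget of 20 units the two compulsory items are funded first, and the remaining 12 go to the VPN gateway, the password policy and awareness training (total risk 53), deferring the file server; the `unfunded_mandatory` list is the signal that the budget cannot meet the organisation's obligations and the decision needs to go back up the chain rather than be absorbed quietly.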

Once an analysis has been undertaken, there are some core areas that IT departments can focus on.

Create and manage policy

Drawing up policy documents is important in ensuring people understand what procedures are in place and how, and why, they need to follow them. If you don't feel confident doing this yourself, work with a third party to create a future-proof document that ticks all the boxes.

Awareness and education

Educating staff and users about the numerous external threats and the principle of secure working costs very little and can prevent a breach that would most likely cost an awful lot more. Regularly communicate with employees and run awareness training, making them familiar with what constitutes risky practice and what does not.

Passwords

Guessable passwords and poor password policy have been among the longest-running security issues seen by NTA Monitor.

Make sure the authentication procedure is robust, with passwords having enough characters to deter a typical attacker, but not so many that users need to write them down.

Patching

Keeping systems up to date with the latest patches can be time-consuming, but it is the best way to stay on top of security. Look out for new patches as they are issued and adopt a set update routine, backing it up with a structured policy document.

Training

Spending thousands of pounds outsourcing to consultants may not always be the most cost-effective solution. Look carefully at the skills and resources you have in-house, as internal staff may be better placed than external experts to carry out some auditing or compliance roles. Focused training aimed at building in-house knowledge can be highly effective in reducing departmental costs in the long term.

Points of Entry

An attack can come at any time, and the likelihood is that it will be against an external entry point, for example the login screen of a web application or a VPN solution. Ensure perimeter security is robust, but not so complex that it hinders staff who need to access it regularly.

Regular testing

Regular penetration testing by an independent third party provides a real-world view of the current state of security, which simple, automated scans cannot, and will not, do. Create a spec list of what you want to achieve, or a road map of where you want to be in one to three years, and then enlist the support of an accredited testing company.

This article was first released on: 9th February 2011
