BC Practitioner’s Guide to IT Security Concerns

Within their organizations, business continuity (BC) practitioners should be advocates for an active approach to heading off threats to the company’s computing services. Today’s blog will lay out some of the concerns BC professionals need to be aware of to perform this role.

Related on MHA Consulting: The Cloud Is Not a Magic Kingdom: Misconceptions About Cloud-Based IT/DR

All Types of Environments Are Vulnerable

In terms of IT disaster recovery (IT/DR), the biggest concern of the organizations we work with is that they will be victimized by a security-related IT attack such as by ransomware.

This fear is justified. And in connection with it, it’s important to recognize that, contrary to a commonly held belief, cloud and SaaS (software as a service) environments are not automatically safe. These environments are vulnerable to most if not all of the same security threats as old-school on-prem data centers. In managing such environments, hands-on execution might not be required, but active oversight remains essential.

This means that ensuring IT security issues are addressed is the duty of all BC practitioners, regardless of the type of computing environment their company has.

Bottom line: All BC professionals should be conversant with the risks and issues discussed below.

Advocating for Sound IT Security Practices

The role of the BC practitioner in the context of IT security is to be an advocate who makes sure IT threats are known and addressed. Direct responsibility for managing these issues rests with the IT information security team, but the BC practitioner can make a contribution by raising issues and making sure they are dealt with.

This post will provide some of the background knowledge needed to perform this role.

The post covers three main topics: 1) The top current IT security threats and concerns, 2) Issues at an organization that can increase its vulnerability, and 3) Controls the organization can and should implement to improve its security.

Before we get into the details, two points are worth noting:

First, when it comes to heading off IT security threats, it’s critical that organizations maintain a proactive stance. Threats change and organizations evolve, so those responsible for an organization’s IT security at whatever level must work constantly to identify and close gaps.

Second, one vulnerability that has been growing in recent years, to the point that it’s worth calling out up front, is what’s known as shadow IT. Shadow IT is when individuals at an organization who are not in IT set up accounts with subscription services (such as Dropbox or Slack) without IT’s knowledge. The connections established between the organization and the service vendor can add risk by creating potential vulnerabilities. However, since IT doesn’t know about them, it can’t guard against any negative effects. Such services can bring great value but it is important that they be brought out of the shadows.

A final note: The information below is validated by the experience of MHA consultants. It draws heavily on two excellent publications by the Cloud Security Alliance, a not-for-profit organization promoting cloud computer best practices. They are: “Top Threats to Cloud Computing: Pandemic 11 Deep Dive” and “SaaS Governance Best Practices for Cloud Customers.” Both are recommended and available for download from CSA at the links.

Current Top IT Security Concerns

The following is a list of the current top IT security concerns. All have played a role in recent breaches. All need to be considered as part of an overall security program.

• Insufficient identity, credentials, access, and key management
• Insecure interfaces and APIs
• Misconfiguration and inadequate change control
• Lack of cloud security architecture and strategy
• Insecure software development
• Unsecured third-party resources
• System vulnerabilities
• Accidental cloud data disclosure
• Misconfiguration and exploitation of serverless and container workloads
• Organized crime/hackers/APT
• Cloud storage data exfiltration
• Staff who fall prey to social-engineering attacks and inadvertently click on malicious links or provide sensitive information to hackers
• Malicious individuals who intentionally cause harm (whether as a result of criminality, disgruntlement, being bribed or blackmailed, or some other reason)

Conditions That Exacerbate Vulnerability to IT Threats

All of the threats listed above can become more damaging to the organization if certain negative conditions are present in the environment. Below is a list of those conditions:

• Server and services sprawl. Obsolete and unpatched servers or subscription services can proliferate in an environment, creating vulnerabilities.
• Sensitive data at risk within the various services. Given the ease of creating services and integrating between the services, sensitive data could be compromised or stored in unapproved locations.
• Security of services both current and offline and dormant services. The longer a service or server is offline, the further it will deviate from the secure baseline.
• Lack of visibility and control over vendor management environments and networks. Traffic moving between environments may not be visible to your monitoring or included in your security protection processes.
• Resource exhaustion. Many virtual environments are over-allocated, particularly if the devices running all utilize their max configured compute or memory configurations. These configurations can lead to significant performance degradation. Remember, a vendor has the same vulnerabilities.
• Information security management. Ensure all appropriate organization policies and standards are considered and addressed. Understand any gaps and document any gaps or exceptions.
• Account or service hijacking. This can be due to how access via self-service portals can be compromised by human error due to phishing and other attacks.
• Workloads of different trust levels located in the same service or environment. Different workloads should run on different services. For example, you should segregate based on dev/test from production or applications with sensitive data from those without.
• Risk due to service provider APIs. APIs used to communicate between the environments can be a significant risk.
• Mobile device management. Given the access to services is often via mobile devices and that security is not part of the vendor or cloud provider responsibility, ensuring proper MDM including wiping devices is key in today’s environments.
• Human error. These errors can be inadvertent or planned.

Controls to Apply to Enhance Security

Fortunately, not everything in IT security is a threat or aggravating condition. There are also controls that can be applied to reduce an organization’s vulnerability to threats and tame the conditions that can make them more damaging.

Below is a list of such controls. Organizations should include these in their IT security program to ensure proper protection for their services.

• Information security policies and procedures
• Asset management
• Mobile device management
• Asset management
• Access controls
• Encryption and key management
• Operations security integrated with the providers
• Supplier management
• ISTM processes integrated with the providers
• Compliance with organization policies and SLAs

Boosting Security and Improving Resilience

Business continuity practitioners have a vital role to play as advocates for ensuring that IT security threats are recognized and addressed. To do this effectively, they should inform themselves about such threats, starting with the recognition that all types of environments are vulnerable, including cloud and SaaS ones.

In today’s world, IT threats such as malware and the risks posed by shadow IT abound. However, by being cognizant of and reducing aggravating conditions and applying the controls to enhance security, organizations can make their IT systems more robust and their organizations more resilient.

Further Reading

• The Cloud Is Not a Magic Kingdom: Misconceptions About Cloud-Based IT/DR
• BCM Basics: Modern IT/DR Strategies
• You Still Need to Drill: IT/DR Testing Is as Important as Ever
• Learning to Talk to Your IT/DR Colleagues
• Zero Trust Security: What BC Practitioners Need to Know