In a recent Information Management lecture we went through the case of iPremier (read the full case) which is a popular case study from Harvard Business School. It was a made up case but the recent high profile hacking stories (such as Gawker) show that companies are not taking security seriously.
The background is that iPremier suffered a DOS attack in the middle of the night which caused chaos in the company. After an hour the attack stopped and the company went back to business as normal. Two weeks later another DOS attack was spawned from the company’s server directed at a competitor which proved that their server had been compromised. The FBI became involved, the competitor threatened to sue and the city analysts were thinking of downgrading the stock.
Our role was to come up with recommendations as to how the processes and plans could be improved for the future. Keeping in mind that the security is about more than just technology we needed to brainstorm around people and processes as well.
1. People and processes
- Develop a business continuity plan (test it end to end including suppliers and keep it updated)
- Develop an IT governance framework that includes security in its remit
- Develop clear reporting lines
- Better training for emergencies
- Trust your technical leaders and make sure they have the resources to lead in a crisis
- Make security part of strategy
- Hire an independent audit team who report into the board
- Hire a security and risk expert
- Develop a better relationship with your hosting provider
- Avoid single points of failure. Separate the server stack so that database, web and file servers are not on the same network
- Use a reputable hosting provider with a world class infrastructure and support
- Make sure all your software is up to date
- Use a combination of hardware and or software firewalls
- Backup and redundancy planning and testing
- Active monitoring
- Strong one-way encryption of passwords
- Use open auth systems such as Facebook connect
I know there are lots and lots of other things you can do but this was the result of a very quick group collaboration.