As mentioned in the first article, the considerations in the previous episodes are only superficial. Behind some of the aspects and concepts mentioned lie more complex challenges, which we would be happy to work out with you and support you in implementing.
In this final episode we address two important topics: employee awareness and supply chain control.
Employee awareness
Those sitting in front of the computer are, of course, a "weak point" in the system. The factors that lead to this are manifold: a lack of digital skills, poor IT equipment, a lack of education and training, and work overload are just some of the possible triggers for a security incident.
The digital identities of your company's employees are a particular focus for attackers. It is not for nothing that the saying goes: "Nowadays, hackers don't hack, they log in!" Credentials obtained by phishing or reused from an earlier breach let an attacker simply authenticate as a legitimate user, with no vulnerability needed.
Special attention should therefore be paid to this area. In our view, two tasks should be particularly emphasized.
Educate/train and listen
You can certainly imagine what "educate/train" means. The second point, "listen", is just as important. Create structures in which attentive employees can submit reports without fear, and in which those reports are taken seriously and dealt with promptly.
This reduces the risk that a member of your team who wants to report a suspected infection on their computer to the helpdesk is told that this cannot be the case and that they should simply restart the machine.
In this context, the English term "awareness" is usually associated only with the person affected. In information security, however, it is a two-sided concept: it also includes those who should and can deal with the incident, such as the helpdesk and the IT or security team.
Education and training can be implemented in a variety of ways. Combine several instruments, e.g. regular training and simulations (phishing campaigns, pentests, communication training for IT).
Supply chain control
Admittedly, this is a somewhat loaded term, and it is associated with the Supply Chain Due Diligence Act (in German, Lieferkettensorgfaltspflichtengesetz, a real tapeworm of a word). But that is not what we mean here.
The consideration of supply chains also plays a role in information security and covers tangible items such as computers and other components as well as intangible items such as IT services and software. All of this crosses the virtual perimeter of your company from outside and influences your security posture.
Some measures are therefore necessary here to complete and strengthen your information security concept.
- Hardware: Buy from trustworthy sources, especially when buying refurbished goods. Test the goods thoroughly before you put them into use (e.g. reset them to factory state, update the firmware, and check that nothing unexpected is installed).
- Software: Particularly for industry-specific software, it is advisable to take a close look at the product, because business-critical processes are mapped here and a loss event has a major impact. We therefore recommend that you take information security criteria into account when selecting a product. How is the system operated? How do you log in? What does maintenance look like? Can the manufacturer provide an SBOM (Software Bill of Materials) to support your ISMS, updated with every maintenance and development cycle? An SBOM is a machine-readable list of the components and built-in third-party libraries together with their versions. It allows affected components to be identified quickly when a vulnerability in a library becomes known, but only if someone actually matches it against vulnerability information on a regular basis. You should therefore also consider your procurement processes in the name of information security.
- IT services: If you purchase IT services, there are several tasks for you. Whatever form of service you purchase, define the aspects of your ISMS that the contractor must observe contractually. This will include the form of service, communication structures and the necessary security measures that you negotiate with the service provider. There are templates that can be used for this. The best known in Germany are the EVB-IT basic and system contracts for public clients, i.e. the supplementary contract terms for the procurement of IT services. Check them carefully, however, and adapt them to your own circumstances.
- And finally: Audit your service provider! If the contractor holds a security certificate (e.g. to ISO 27001), ask them to show you the basics: the certificate's scope statement, so you can verify that it actually covers the services you are buying, and the controls that apply to them. After all, it is your risk!
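As an added illustration (not code from the original article), the following Python script shows what the "machine-readable" property of an SBOM buys you in practice: it parses a small CycloneDX-style SBOM, constructed here for the example, and matches each component's version against a constructed list of advisories. The component names, versions and advisory IDs are invented placeholders; in real use the advisory data would come from a vulnerability feed or your scanner, and the SBOM from the manufacturer. Components listed without a version are reported separately, because they cannot be assessed at all.

```python
"""Match a CycloneDX-style SBOM against advisories (constructed sample data)."""
import json

# Constructed sample SBOM in CycloneDX JSON layout; not a real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http-lib", "version": "2.3.1"},
        {"type": "library", "name": "example-xml-parser", "version": "1.0.7"},
        {"type": "library", "name": "example-crypto", "version": "4.2.0"},
        {"type": "library", "name": "example-logging", "version": "1.9"},
        {"type": "library", "name": "example-template-engine"},  # no version given
    ],
})

# Constructed advisories (placeholder IDs, not real CVEs): the affected
# component, the first vulnerable version and the first fixed version
# (None = no fix published yet).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "example-http-lib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "component": "example-xml-parser",
     "introduced": "1.0.0", "fixed": "1.0.7"},
    {"id": "EXAMPLE-ADV-0003", "component": "example-logging",
     "introduced": "1.0", "fixed": None},
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple.

    Only the leading digits of each part are used ('1.2rc3' -> (1, 2, 0)) and
    the tuple is padded to three parts so that '1.9' sorts as (1, 9, 0).
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True if 'version' lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    if advisory["fixed"] is None:
        return True  # no fix yet: every version from 'introduced' on is affected
    return v < parse_version(advisory["fixed"])


def load_components(sbom_json):
    """Return (name, version-or-None) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [(c["name"], c.get("version")) for c in bom.get("components", [])]


def match_sbom(sbom_json, advisories):
    """Return affected components and those that could not be assessed."""
    findings, unversioned = [], []
    for name, version in load_components(sbom_json):
        if not version:
            unversioned.append(name)  # cannot be checked; chase the supplier
            continue
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return {"findings": findings, "unversioned": unversioned}


if __name__ == "__main__":
    result = match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in result["findings"]:
        fix = f["fixed"] or "no fix available"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in: {fix})")
    for name in result["unversioned"]:
        print(f"{name}: version missing from SBOM, cannot assess")
```

Two details matter for a real ISMS process: a component whose version equals the "fixed" version is correctly not flagged, and an advisory without a fix is flagged regardless of version so that it lands on your risk register rather than being silently ignored.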
This brings us to the end of this short blog series. We hope we have been able to take you on a journey through information security management that was worth reading, and we look forward to hearing from you.
What happens now?
We would be happy to carry out a cyber risk check with you as an initial assessment: a first step in the right direction and the basis for your information security. You can find more information here.