Information Technology Security Risk Management

Published: Jan 24, 2017

Many savvy cyber criminals today are armed with sophisticated tools, and other individuals bring motive and malicious intent. Each is eager to exploit human error or technological weakness to do companies harm. Letting one’s guard down is not an option.

At NEI’s Global Partner Alliance Summit, Greg Keith, NEI SVP, Information Technology Services, presented a concerning look at IT threat trends and NEI security and risk management practices to protect our systems.

IT Threat Trends

A strong, reliable security and risk management program starts with knowing the latest trends in order to identify risks actively, put defensive measures in place, and have a plan ready to address them. Trending attacks derive from:

  • Social Engineering: Phishing remains prevalent and will escalate. Today, fooling humans is easier than creating a virus to fool software.
  • Ransomware: Cyber criminals holding company data hostage is up 1,800 percent since June 2015.
  • Cloud Malware: It’s only a matter of time until the cloud becomes the target of malware, and companies need to develop ways to prevent and/or recover from these anticipated attacks.
  • The Internet of Things – Wearable Technologies & BYOD (Bring Your Own Device) Threats: This new vulnerability occurs when employees of an organization use their own computers, smartphones, or other devices for work purposes and interface with company systems.
  • Insider Threats: These are significant and increasing. Per the FBI, 60 percent of attacks in 2015 were from company insiders.
      - Inadvertent threats – employees who did NOT intend to do something wrong – decreased 10% since 2014.
      - Malicious threats – employees who DID intend to cause companies pain – increased 15%.

The lesson? Make sure employees only have access to the data they need, and improve employee security awareness to help prevent employees from falling victim to scams and malware attachments.

Data Security and Encryption

NEI excels at meeting or exceeding client/prospect security requirements, beginning with a comprehensive electronic data security policy that sets standards and controls across information technology. This includes:

  • application software security to verify the identity of users using two-factor authentication, and data loss protection,
  • technology to automatically prevent sensitive information from leaving NEI,
  • use of the latest network defense/intrusion prevention technology,
  • performing penetration tests and vulnerability scans to make sure our systems are secure, and
  • updating malware/virus defenses every 10 minutes to ensure the latest protection, and filtering internet activity to prevent access to sites known for threats.

A key element of data security is encryption, and NEI encrypts data at rest and during transmission between clients and service partners. Any data stored on removable devices such as backup tapes, laptops, or PCs is encrypted in case they are lost or stolen. Wireless networks, websites, and any data accessed remotely are also encrypted.

Risk Management – DR/BC

Risk management can range from countering basic phishing attempts to recovering from a natural disaster or the loss of a building. The two pillars of NEI’s approach are Disaster Recovery (DR) and Business Continuity (BC) plans. Our headquarters and off-site backup data centers support this.

NEI’s DR plans include server backup and continuous replication of data to an off-site, alternate data center for quick recovery of all business operations. Our standards include a Recovery Time Objective of two hours and a Recovery Point Objective of one hour for Tier-1 applications. NEI has alternate data center capacity for Tier-1 and Tier-2 applications, off-site tape backup, and DR testing. This ensures we are up and running with little-to-no disturbance in operations and customer service.

Our documented BC plans ensure continued operations in the event of an outage or disaster. Just as important as having DR/BC plans is testing them twice per year to ensure they are operational. The response involves a coordinated effort by three teams: our Emergency Response Team (“first responders”), Mission Critical Team (those essential to operations), and Client Communications Team (reporting the situation, impact, and timing).

Always Raising the Bar to Manage Security

NEI manages information security through a continuous improvement program as new threats emerge, regulations change, and security best practices evolve to combat threats. Our risk management program classifies and prioritizes vulnerabilities based on risk; improvements to the security program are made over time to build a stronger program. Clients under regulatory compliance require NEI to provide even more robust security protection and risk management capabilities.

Security and risk management is paramount at NEI, and we continue to raise the security bar to protect our company and client confidential information.