If you're new to information security or find it a little confusing, this is a simple analogy that may help: information security is like your health.
Foreign entities are perpetually trying to gain access. Some are successful but do no real damage, while others disrupt processes and weaken your ability to function; and some of these foreign entities can gain access and be present for long periods of time, going essentially unnoticed.
Naturally, you have some common weak-points where it's easiest for foreign entities to gain access. All of your points-of-contact with the outside world: your eyes, nose, mouth, skin -- are known weak-points that require some extra attention in order to keep you healthy. Just like your health, your company's points-of-contact with the outside world are also weak-points that are susceptible to attacks.
It's no accident that the word "virus" is used to describe incidents with both your health and data security. A virus is a foreign entity that gains access, injects itself into your system, and wreaks havoc (some more than others).
What does an Advanced Persistent Threat (APT) look like? This is a type of threat that has considerable resources, doesn't give up when gaining access proves difficult, and is happy to gain access via different weak-points. Do you have any allergies? Allergy medications have come a long way in recent years, but what happens as soon as you let your guard down? Inhaling the irritants, rubbing your eyes, eating them, getting an irritant on your skin… there are a number of ways these irritants can gain access, and you have to be ever-vigilant in both prevention and treatment when prevention fails. Keep in mind that if an infection or adverse reaction to an irritant is severe enough, it can actually kill you - and the same goes for your company.
Think your company is too small or not an attractive enough target to worry about IT Security? Think about children for a moment: easy targets, their immune systems aren't as mature, and they're always coming into contact with something potentially harmful. Small & Medium Businesses (SMBs) have a tendency to see being a smaller target as a benefit, but in reality this is a numbers game. If SMBs have less mature immune systems, that makes them an easier target and you can attack large numbers of them, which makes them just as valuable as gaining access to a larger Enterprise (a trend we saw developing as early as 2010).
And just like your health, you've got a few options for care-providers to help you ward off and deal with attacks on your system. You can go with a provider who has the lowest cost, or a provider who has the largest staff, or a provider with experience and expertise in the areas you need most. It may be easier to think of providers as General Practitioners, large Healthcare organizations, and Specialists, and you get to choose which type of care you want your company to have.
So, what steps should we take to protect our health (data security)?
- Regular check-ups with your doctor (system scans, penetration tests, social engineering tests),
- A preventative maintenance routine (traffic regulators and monitors - like Firewalls, IDS/IPS, UTMs),
- Keeping abreast of health concerns, outbreaks, and advances in modern medicine (information security training programs for staff, utilizing industry information sources, and using the most up-to-date tools and services designed to keep your company healthy), and
- Choosing a provider that is the right fit (General Practitioners, large Healthcare organizations, or Specialists).
Hopefully, this analogy has helped Information Security make more sense. Essentially, you are protecting an organism from attacks, it's an ongoing process, and there is an industry designed to help you do so. Here's to your health!