After more than 20 years auditing local government organisations, Tony Krzyzewski (Tony K) says he still sees them making the same mistakes. Here’s his pick of the 10 biggest IT problems – and how to avoid them. Tony was speaking at the 2015 ALGIM Annual Conference in Auckland recently.
1 Get the politics right first
Get your senior execs to understand you have a problem because if you don’t have buy-in at that level, everything else you are trying to do at lower levels will eventually fail. That’s the biggest IT security problem we have. That’s probably what a CIO’s or an IT manager’s job is really about: convincing the CEO that the organisation has a problem and has to fix it.
2 Know your own IT
Do you actually know what you have in your organisation? Do you know what applications your people are using, including ones on the cloud? I had one government department recently run a cloud analysis tool. They thought they had 300 cloud-based applications. They found their staff were using 1800 applications. Their IT dept didn’t even know this was happening. There were no user-enrolment processes associated with these cloud-based applications and when staff left the organisation there was no close-down.
So you need to know what your network is all about and understand it. Even if you outsource, it’s your job as IT managers to understand IT. Know what devices are connected to your network and what your third-party vendors are doing. What controls do you have and how do your third-parties come in? What auditors do you have? It’s your job to know this. And get the basics right. Do the day-to-day stuff first.
3 Know your network’s boundaries
The edge of your network is probably sitting in your pocket in the form of a mobile phone. It might be sitting on the other side of the world in Dropbox, out of your control. Know what’s connected, how your information flows and how it interacts. Email is not a substitute for a filing system. There’s a massive problem associated with people using email as a corporate information repository.
4 Control access to information
Define who can have access to what. When I do an audit, the first thing I do is simply wander through an organisation’s filing system as a standard user. I can often see core financials, payroll and CEO’s notes: all as a standard user. This is not hard to fix: set up some basic system controls including getting rid of the shared drive.
5 Control usage
Be prepared to say ‘no you can’t’. Be prepared to tell people they can’t use their personal webmail or bring a USB key fob into your environment or connect their own mobile device into your network. It’s your job to protect the viability of the information that you as information managers own.
Confidentiality, integrity and availability: the tenets right from the early days of IT security still apply. Stop unauthorised people getting to information, make sure the information they get to is correct and make sure they have access to it when they need it. Forget everything else. That’s all we’re here for as information managers.
6 Defend in depth
Anti-virus is not a primary protection mechanism: it’s a backstop. You can’t rely on just one mechanism. You need high-end application-aware firewalls these days. You need current technology: next-generation firewalls. You need to whitelist applications. Stop things running on computers that aren’t pre-authorised to run.
A workstation anti-virus is just the ambulance at the bottom of the cliff. And if you have anti-virus systems get proof that they’re actually installed and running. Don’t just believe what you’re told about this. And check the anti-virus software is installed on all computers in your organisation – not just some of them.
7 Keep current
Patch. Patch. Patch. In the UK, local authorities must apply critical patches within seven days of them being released and all important patches must be installed within 14 days. All other patches must be installed within 60 days. If they fail to do that they will not be allowed to communicate with any central government agencies so they can’t do any education, public health or welfare services, for example. They also have to provide monthly reports showing their patching status.
Audit New Zealand: when are we going to do this?
If you’re not up to date you are going to have an incident.
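As an added illustration of the 7/14/60-day rule described above (this is not code from Tony’s talk or from any UK authority), a small Python check that measures each patch against its deadline and produces the kind of monthly status report the UK regime requires. The patch IDs and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows from the UK local-authority rule quoted above (days from release).
SLA_DAYS = {"critical": 7, "important": 14, "other": 60}

@dataclass
class Patch:
    patch_id: str
    severity: str                    # "critical", "important" or "other"
    released: date
    installed: Optional[date] = None  # None means not yet applied

def deadline(p: Patch) -> date:
    """Date by which the patch must be installed under the 7/14/60-day rule."""
    return p.released + timedelta(days=SLA_DAYS[p.severity])

def status(p: Patch, today: date) -> str:
    """compliant / late (applied after deadline) / pending / overdue (still missing)."""
    due = deadline(p)
    if p.installed is None:
        return "overdue" if today > due else "pending"
    return "compliant" if p.installed <= due else "late"

def monthly_report(patches, today):
    """Count patches per status and list overdue ones, worst first, with days past deadline."""
    counts = {"compliant": 0, "late": 0, "pending": 0, "overdue": 0}
    overdue = []
    for p in patches:
        s = status(p, today)
        counts[s] += 1
        if s == "overdue":
            overdue.append((p.patch_id, (today - deadline(p)).days))
    return counts, sorted(overdue, key=lambda t: -t[1])

# Constructed sample inventory (ids and dates are made up for illustration).
SAMPLE = [
    Patch("P-001", "critical", date(2015, 10, 1), date(2015, 10, 5)),   # inside the 7-day window
    Patch("P-002", "critical", date(2015, 10, 1), date(2015, 10, 12)),  # applied, but after 7 days
    Patch("P-003", "important", date(2015, 10, 10), None),              # 14-day window has passed
    Patch("P-004", "other", date(2015, 10, 20), None),                  # 60-day window still open
]
REPORT_DATE = date(2015, 11, 1)

if __name__ == "__main__":
    counts, overdue = monthly_report(SAMPLE, REPORT_DATE)
    print(counts)
    for pid, days in overdue:
        print(f"{pid} is {days} day(s) past its deadline")
```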
8 Be aware
Know what’s happening out there. Subscribe to security alerting services. Monitor key systems. Do data access monitoring. How do you know what’s happening in your environment if you don’t have such alerts running?
9 Educate staff
Teach your staff about IT security and cloud computing services. You need a continuous programme in place to educate your staff. We’re very bad at doing this in this country. We assume that people coming on board into our organisations understand what we want them to do. They arrive on the first day and we give them a computer. That’s like someone arriving on the first day and giving them a rubbish truck without any instructions. We have a duty of care as organisations to teach our staff how to use our systems and protect our information.
10 Be prepared
Somebody, someday is going to do something with your computing environment or bring out a piece of technology that you had never ever thought about. There’s a really big wave coming. I’ve been involved in IT from the very early days and for the past few years I’ve been exploring what could happen with the internet of things (IOT). Be afraid. Be really afraid because this is another tipping point in the history of computing.
When the IOT starts arriving and you have devices on your networks or on your wifi that start communicating – and you don’t know they’re doing this – you will start having problems.