Unfortunately, IT security is not prioritized in many companies yet. But our future will be highly digital and it is time to focus on data security and data sovereignty!
We have compiled an overview of the topics that are relevant for a secure IT environment. To speak of a 100% secure environment would be presumptuous and simply untrue – because hardly any hardware, software or internet provider will succeed in making a system absolutely secure. However, there are many topics that have been neglected until now and which should be tackled quickly.
The location of the system is the first critical factor of the most secure IT environment possible. Many companies currently rely on well-known applications on public servers of Google, Amazon or Microsoft, just to name some major players. As convenient as this solution may seem, there are serious security issues to take into account, especially the so-called “Cloud Act”, which allows US authorities to view data stored on the servers of US companies. It does not matter in which country of the world the company using the servers is located or in which country the servers are located. New technologies such as “confidential computing” will remedy that and we can’t get them soon enough.
Apart from the legally authorized access of third parties, the user never might know who else has access to the servers and infrastructure. According to the GDPR, almost all providers of public clouds for companies have issues with external access. Of course, also hosting the infrastructure inhouse does not always guarantuee utmost security. We can only recommend to spend some serious thought on the available options and thus make an informed decision regarding the location and access of your infrastructure.
Any software whose source code is not open to anyone but its developers is a black box for all others. This means that no one can really check what exactly happens in the code, whether data is leaked or whether the program is properly protected. Does my software pass on data to the developer? Will the software vendor inform me in time about security gaps and updates? These questions are often somehow answered in the terms and conditions, but many users rarely read these documents, the wording is (sometimes intentionally) complicated and long.
Convenience and habit have led to a dangerous imbalance here and hardly anyone reads the preceding GTC. Otherwise it is hard to explain why so much private and also confidential business communication is handled via insecure applications.
The so-called shadow IT refers to systems that are used in companies without the IT department of the company “knowing” about them. This includes not only unauthorized software on service devices but also private devices at the workplace, insofar as people use them for dealing with work-related topics. Probably the best known example here is the use of WhatsApp for corporate chats. This is not only alarming because probably only a few have purchased a commercial license for it, but also because this practice endangers data security in companies.
Dissatisfaction with Business Collaboration Tools promotes Shadow IT!
If employees are not happy with the provided software, they will use their own tools to collaborate, even while knowing that the software is not sanctioned by their IT department.
Therefore it’s crucial to provide collaboration software that is tailored to your team’s needs to avoid Shadow IT.
How can you do this?
Involve your team in the process and make sure to get feedback!
Make sure you have a clear picture of your overall communication and collaboration strategies before starting to implement single collaboration tools one by one.
WhatsApp is one of the world’s most widely used messengers, and the volume of malware for such popular products is correspondingly high. If private devices are integrated into the company network or used to conduct corporate activities, considerable financial damage may result. WhatsApp being owned by Facebook, there are two more problematic aspects: the location of the servers and the headquarters of the provider (Cloud Act), and that it is a black box. This news post from the EU Parliament was particularly alarming for us. The left-wing fraction in the parliament wanted to use the messenger “Signal”, this was rejected by the parliament due to security concerns and instead WhatsApp was recommended. After a wave of indignation they finally recommended Jabber and wanted to check Signal.
Physical loss and loss through technical failure
Also worth considering is the limitation of damage in the event of loss, theft or technical failure. In case of theft or other loss of equipment, an immediate device lock should be initiated. The use of e.g. password managers also involves certain risks, for example if a notebook is stolen but the password manager does not log off as soon as the notebook is shut down or closed.
All team members should be trained for handling their devices and data in a secure manner. There is only limited protection against technical defects, but all employees should be prepared. Regular backups are part of a responsible handling of sensitive data, such as sensible monitoring of hardware, e.g. infrastructure or storage. In the case of a defective drive, for example, complete recovery is almost impossible, which is why backups and/or redundant systems should be available at best.
Make sure that you select the hosting option that best suits your need, whether it’s in a public or private cloud, or on premise. And take care of security aspects to regain data sovereignty.
Open Source instead of black box software
In addition to the much-mentioned cost savings, the use of open source offers above all the auditability of the source code. Anyone who uses open source software in their company can check the code or commission experts to do so at any time. This means that the source code is transparent at any time and offers much more freedom for individual adjustments. Today, open source is one of the most mature options offered by the software world and, with regard to the GDPR, also one of the most secure solutions.
Strict separation of private and business applications
Ideally, private devices are not used for business purposes. However, if this is impossible, employees need to be trained in handling sensitive data. For example, access rights should be checked for every application on tablet and smartphone. Does the Bluetooth grill thermometer absolutely need access to my phone book? Does this or that application really need to access my microphone? Security trainings should therefore cover in detail how to remove permissions from apps and other applications that are not vital or where to find this information about access rights before downloading an app. Instead of software that is actually intended for private use, companies need to think about procuring software solutions that meet their security requirements.
Software updates and installation of current patches
Keep all applications on PCs, notebooks, mobile devices and servers up to date and make sure to apply updates and patches as timely as possible. Unfortunately, executing updates is not very popular due to the time required. However, if these updates are ignored, they will affect the usability (new or improved features) and will open up security leaks for attacks by unauthorized persons or viruses. Inform employees regularly about necessary updates or centrally implemented or planned adjustments. A broadcast message via the internal messenger (e.g. VNCtalk) is perfect for this. Avoid shadow IT in your company!
Tailor-made solutions for your own communication needs
In order not to be dependent on black box applications, it is possible to license an individual solution based on open source. Open source is not automatically freeware, but in most cases costs are significantly lower than for closed source applications. Further advantages of Open Source are the scalability and numerous individualization possibilities. Instead of a prefabricated system with missing or undesirable functions, VNClagoon, for example, allows you to create completely new application packages according to customer requirements. These individual solutions can not only strengthen security in the company, but also, for example, implement a company’s corporate design by customizing the UI, thus creating not only a secure, but also intuitive and visually appealing environment.
In addition to regular backups, safely hosted open source offerings in particular offer great flexibility and security. Shadow IT and public clouds, which are used by countless other companies but whose source codes cannot be viewed, represent a considerable security risk for companies and public authorities alike. Regular checks of your own hardware and software as well as employee training in handling sensitive data and private applications in the corporate environment can help to increase the security of your own IT infrastructure.
Do you have questions or other IT security-related issues that should be discussed?
Please contact us: firstname.lastname@example.org