The global information technology industry is worth around $5 trillion. To put that in perspective, the global oil and gas market is worth $5.8 trillion. IT is an enormous industry because every business depends on IT infrastructure. That makes infrastructure security a priority for organizations, from sole proprietorships to multinational corporations and governments.
As a business owner or executive, you are responsible for creating and managing a secure infrastructure platform. But how can you build secure IT infrastructure when your business lacks infrastructure security expertise and experience?
Every business is unique, and there is no one-size-fits-all security solution. However, we can explore five strategies that help companies protect their data while complying with security and privacy regulations.
Why IT Infrastructure Security Is Important
We all understand why IT infrastructure security matters. Leaked private data may have catastrophic legal and financial consequences. Ransomware infections force businesses to choose between losing a valuable asset and handing money to criminals. Cybercrime can take down critical systems, disrupting business operations and damaging reputations.
But few are aware of cybercrime’s true scale, prevalence, and cost.
- The average cost of a data breach in the U.S. is $8.64 million.
- The global cost of cybercrime is an estimated $6 trillion and is expected to grow to $10 trillion by 2025.
- There were 304 million ransomware attacks in 2020, double the previous year.
- The average ransomware payout grew from less than $10,000 in 2018 to more than $233,000 by the end of 2020.
- In 2020, 300 million people were impacted by data breaches.
Cybercrime is a risk every business faces. Asking whether criminals will attack your IT infrastructure is the wrong question. Your infrastructure will be attacked; it’s just a matter of time. The real question is what you can do to make sure that the attackers fail.
5 Steps to Outstanding IT Infrastructure Security
The specifics of IT infrastructure security depend on your business’s infrastructure needs and regulatory environment. An SME storing customer relationship management records in the cloud has different security and privacy requirements from a healthcare provider storing private healthcare information or a payment processor that must comply with PCI DSS.
However, the following high-level guidelines will help any business to build a more secure IT infrastructure.
Build on Secure Cloud Platforms
Cloud platforms are a more secure option than colocated or managed servers hosted in a data center. The self-managed non-cloud option may be suitable for companies with infrastructure security expertise and resources. But for the average business, cloud platforms offer a superior balance of control, cost, and security.
Businesses hosting code on infrastructure they own and operate are entirely responsible for securing that infrastructure. That includes the servers, their operating systems and library code, services such as databases and web servers, application code, networks, and more.
In contrast, the cloud vendor takes care of the low-level security details on a cloud platform, including physical security. That doesn’t mean cloud platforms are intrinsically secure. They are not, but they help businesses with limited security resources to achieve better security outcomes than they otherwise could. They provide a solid foundation on which companies can build secure infrastructure.
Building in the cloud doesn’t absolve businesses of security obligations. Cloud security is a shared responsibility. Companies that don’t follow cloud security best practices put their data at risk, which brings us to our next infrastructure security strategy.
Create and Enforce IT Security Policies
IT infrastructure security starts at the top of the org chart. As KirkpatrickPrice Information Security Auditor Shannon Lane points out, “When building a foundation for a culture of compliance, you must start from the top.” The leadership team and senior executives must craft policies and implement organizational structures that support infrastructure security and compliance.
We explored this concept in more detail in How to Design Effective Security Compliance Programs. In essence, businesses that want to improve IT infrastructure security should:
- Create policies that set minimum security standards for IT infrastructure.
- Make executives, managers, and team members responsible for implementing those policies.
- Monitor and audit infrastructure security to ensure that policies are actually followed.
The last of these points is particularly important. Without a feedback structure, an organization’s leadership is likely unaware of how security policies are implemented, or whether they are implemented at all.
Employ Cloud Security Experts to Verify Your Cloud Configurations
As we mentioned in this article’s introduction, cloud platforms like AWS and Microsoft Azure operate a shared responsibility model for security. They provide secure foundations but don’t prevent misconfigurations that may lead to security vulnerabilities.
For example, businesses can store sensitive data securely in AWS S3 buckets if access permissions are correctly configured. However, S3 users often accidentally expose sensitive data through overly permissive access permissions, such as a bucket policy that grants read access to any principal. We explored several AWS security vulnerabilities caused by human error in Do These 8 Vulnerabilities Affect Your Infrastructure’s AWS Security?
We recommend hiring a third-party cloud expert to verify your cloud configurations. A Remote Cloud Security Assessment reviews AWS, Azure, and Google Cloud configurations to identify potential vulnerabilities and provide actionable guidance to help businesses mitigate cloud infrastructure security risks.
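To make the S3 misconfiguration described above concrete, here is an added example (not code from this article or from KirkpatrickPrice): a permissive bucket policy that grants read access to any principal, beside a corrected policy scoped to a single IAM role and requiring TLS, plus a small offline checker that flags Allow statements open to everyone. The bucket name, account id and role name are constructed placeholders, and the checker evaluates policy documents handed to it as JSON rather than calling AWS.

```python
"""Flag S3 bucket policy statements that grant access to any principal.

Added example, not the article's or KirkpatrickPrice's code. Bucket name,
account id and role name below are constructed placeholders.
"""
import json

# Constructed example of the weak setting: anyone on the internet may list
# the bucket and read every object in it.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-customer-records",
            "arn:aws:s3:::example-customer-records/*",
        ],
    }],
})

# Constructed example of the corrected setting: the same access is granted
# only to one application role in one account, and every request must use
# TLS. The Deny statement uses Principal "*" on purpose; a Deny can only
# narrow access, so the checker must not report it.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/crm-app"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-customer-records",
                "arn:aws:s3:::example-customer-records/*",
            ],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-records",
                "arn:aws:s3:::example-customer-records/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element matches any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} is equivalent to the bare "*" form.
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json):
    """Return (Sid, verdict) pairs for Allow statements whose Principal is
    everyone. Unconditional grants are 'public'; grants gated by a Condition
    are 'conditional' and need a person to confirm the condition is tight."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        verdict = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, find_public_statements(doc))
```

In practice a reviewer would feed this checker the policy returned for each bucket and treat any "public" finding as a defect to fix before the bucket holds customer data, with "conditional" findings queued for manual review.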
Invest in Security Awareness Training for Employees
A lack of security awareness is often the root cause of cloud security vulnerabilities and data breaches. Managers and employees make mistakes when they are not aware of the risks and how to deploy and configure cloud infrastructure securely.
Security firm Kaspersky Lab recently revealed that most cloud security breaches are a consequence of social engineering, not technology failures. Bad actors use phishing attacks, executive impersonation techniques, and other forms of social engineering to gain access. These attacks target senior executives (whaling) and other employees with access to sensitive data.
Correct cloud security configurations and access controls are of limited help against these attacks, because bad actors manipulate insiders who hold legitimate access and so bypass the controls entirely. Security awareness training helps employees understand security risks and comply with security and privacy best practices.
Conduct Regular Cloud Security Audits
A cloud security audit is a comprehensive review of a business’s cloud security controls. Cloud security auditors analyze and report on controls for data, operating systems, networks, and access controls, among other relevant factors. An audit helps businesses to verify that their cloud security policies, configurations, and training are effective.
Audits have two primary benefits:
- An independent expert verifies cloud infrastructure security and highlights failings that may expose businesses to security and compliance risks.
- The business can demonstrate to customers and clients that it takes security seriously and complies with recognized industry standards.
Cloud security audits are based on the CIS benchmarks for AWS, Azure, and GCP. Businesses required to comply with other information security frameworks such as PCI DSS, HIPAA, and SOC 2 benefit from audits tailored to those frameworks.
KirkpatrickPrice is a licensed CPA firm that specializes in information security audits for regulatory frameworks and industry standards that include:
To learn more about AWS security, visit our AWS Cybersecurity Services, which offers an extensive library of actionable cloud security guidance.