A recent OTRS Group survey of IT professionals revealed that the majority of them encounter at least one IT security incident a week. Experts are working hard on security measures to minimize critical incidents and to comply with the GDPR and other data protection initiatives worldwide. Yet the number of security incidents is still alarmingly high.
Current incidents show high security risks for public institutions
What is the security situation in authorities and public institutions? Can security breaches have a much greater impact here and affect even more people? Recently there was a security incident at the city of Frankfurt am Main, Germany. The city’s security professionals were forced to shut down city servers, and the city’s web pages had to remain offline for a long period of time. This was similar to what happened at the University of Giessen, which was offline for days when a malware program paralyzed its systems.
Experts criticize that IT security in the public sector is still neglected. Projects are badly budgeted or are considered complete as soon as an anti-malware solution is deployed. Yet, an attack on public institutions can have devastating consequences. In this case, not only customer data, but also the private data of countless citizens could be affected.
Tightened security measures apply to KRITIS
For this reason, the state and administration are classified as critical infrastructures (KRITIS). Critical infrastructures are organizations or institutions of major importance to the state and society, the failure of which would result in supply bottlenecks, serious disruptions to public security or other dramatic consequences. They also include energy, telecommunications, transport, health, water, food, finance and insurance, media and culture. Stricter security measures apply to these areas.
Recommendation: Risk management should consist of five phases
Risk and crisis management for the protection of critical infrastructure should be well thought through and should consist of five phases:
Phase 1: Preliminary planning for the establishment of a crisis management plan
Basic decisions should be made in advance of the establishment or expansion of risk and crisis management plans. These include:
- acknowledgement of risk and crisis management as a critical need by the management of an institution,
- acceptance of the approach,
- definition of responsibilities,
- the provision of resources to establish plan requirements, and
- the definition of strategic objectives that will protect the facility.
An ISMS (Information Security Management System) such as CONTROL can be very helpful when planning for crisis management. It provides continuous, transparent and audit-proof documentation of structured processes in accordance with ISO/IEC 27001. The time savings of using a well-structured ISMS can reach 30-40 percent.
Phase 2: Risk analysis
The second phase, risk analysis, is about identifying potential risks to institutions. It should be possible to answer the following questions:
- What types of dangers can occur?
- What is the probability that these hazards will occur at the facility’s sites?
- What makes the facility vulnerable to hazards?
- What damage can be expected if different hazards occur?
- What are the consequences for the functioning of the facility if processes fail due to the hazard?
Phase 3: Description of risk prevention measures
In the third phase, preventive measures that will reduce risks should be identified. It is useful to carry out a cost-benefit analysis regarding the identified preventive measures.
Phase 4: Establishing a crisis management plan
Crisis management planning offers a structure for coping with crises that cannot be prevented despite prevention efforts.
The most important tasks of crisis management are:
- creating the best conceptual, organizational and procedural conditions to optimally manage crises when they arise, and
- establishing specific structures to respond when a crisis occurs, for example a rapid response team.
For phases three and four, a solution like STORM, which manages security processes to ensure an effective response to attacks and enables the exchange of security-relevant information, is very useful.
Phase 5: Regular evaluation
The evaluation covers all phases and should be carried out regularly, preferably annually.
I urgently recommend that public institutions, such as government authorities that operate critical infrastructures, give careful consideration to their security strategies. By following these five phases, they should be well prepared for 2020. An example of this construct in practice can be seen in the documentation of the United States Department of Homeland Security Cybersecurity Strategy.
If you have any further questions or advice on the subject of security, or about using CONTROL and STORM, I will be happy to answer them personally.