Waiting for disaster
Why is industry waiting for disaster? The unstoppable process of transformation will ensure that, ultimately, all industrial sectors venture into the digital world in order to remain competitive. In many cases the issue of IT security is not directly on the agenda. However, the whole issue is so vital that industry cannot afford to close its eyes and wait for disaster to happen.
25 Feb 2020
IT security is an on-going process that needs to evolve constantly in order to remain focussed on the latest threats. It is essential to establish a viable IT security management system covering all eventualities. In this context industry already has recourse to established frameworks such as ISO 2700x, BSI Baseline Protection and VdS 10000. The latter framework explicitly addresses SMEs, which have so far been unwilling to establish expensive information security management systems (ISMS) in accordance with ISO 27001 or BSI Baseline Protection.
The technical implementation of IT security measures should be carried out in clearly defined phases in order to achieve an appropriate level of protection as quickly as possible. In my view the following technical steps are absolutely essential:
Get to know your entire IT infrastructure. In other words, comprehensive asset management is mandatory.
Before implementing technical security measures you should have a detailed overview of all your IT assets. This should encompass all devices with an IP address, all non-network-enabled devices and components, as well as the current software status of your applications inventory. In my opinion this is the only way to ensure that the appropriate measures can be taken on the affected assets at the right time.
First of all protect those assets which are exposed to the greatest risk. Put simply, the Internet is evil.
Start by implementing technical protection measures in those systems, services and applications that are directly exposed to the Internet. A key priority is to safeguard internal networks – e.g. via updated firewalls at a network level and (just as important) at an application level. As a result, external access via the Internet is permitted only to authorized services. Legitimate external access (branch office, home office, mobile devices) must be routed via an encrypted Virtual Private Network (VPN). It is equally important to protect systems which can receive content via the Internet. Modern endpoint security concepts must then be applied.
An attack can only be prevented or countered if it is detected promptly. Put simply, you should log as much as possible.
I recommend a central log management system which records the events of all the connected systems and applications in real time. This central resource then allows various evaluations and correlations of the data. Providers of Security Information and Event Management (SIEM) systems can analyze the enormous flood of data and generate corresponding alarms according to a configured set of rules.
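As an added illustration (not part of the original article), the following sketch shows what rule-based correlation over centrally collected events can look like: one rule flags a successful login after a burst of failures, the other flags a remote login that no open VPN session accounts for. The log format, host names, addresses, network range and thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed events in an assumed normalized format (VPN gateway + app server).
SAMPLE_LOG = """\
2020-02-25T08:00:05 vpn-gw session_open user=alice assigned_ip=10.8.0.12
2020-02-25T08:01:10 app01 login_ok user=alice src=10.8.0.12
2020-02-25T08:02:00 app01 login_ok user=carol src=192.168.10.44
2020-02-25T08:05:00 app01 login_fail user=bob src=203.0.113.7
2020-02-25T08:05:20 app01 login_fail user=bob src=203.0.113.7
2020-02-25T08:05:41 app01 login_fail user=bob src=203.0.113.7
2020-02-25T08:06:02 app01 login_ok user=bob src=203.0.113.7
2020-02-25T09:30:00 vpn-gw session_close user=alice assigned_ip=10.8.0.12
2020-02-25T09:45:00 app01 login_ok user=alice src=10.8.0.12
"""
OFFICE_NET = ip_network("192.168.10.0/24")  # assumed on-site network
WINDOW = timedelta(minutes=5)               # assumed rule parameters
FAIL_THRESHOLD = 3

def parse(line):
    ts, host, event, *pairs = line.split()
    return datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in pairs)

def correlate(log_text):
    alerts = []                 # (time, rule, user, src) tuples
    vpn_sessions = {}           # assigned_ip -> user holding an open VPN session
    fails = defaultdict(list)   # src -> timestamps of failed logins
    for line in log_text.splitlines():
        ts, _host, event, f = parse(line)
        if event == "session_open":
            vpn_sessions[f["assigned_ip"]] = f["user"]
        elif event == "session_close":
            vpn_sessions.pop(f["assigned_ip"], None)
        elif event == "login_fail":
            fails[f["src"]].append(ts)
        elif event == "login_ok":
            src, user = f["src"], f["user"]
            # Rule 1: a success right after a burst of failures from one source.
            recent = [t for t in fails.pop(src, []) if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append((ts.isoformat(), "success_after_failures", user, src))
            # Rule 2: remote login that no open VPN session accounts for.
            if ip_address(src) not in OFFICE_NET and vpn_sessions.get(src) != user:
                alerts.append((ts.isoformat(), "login_without_vpn_session", user, src))
    return alerts

if __name__ == "__main__":
    print(*correlate(SAMPLE_LOG), sep="\n")
```

Rule 2 only works because events from two different systems land in the same place, which is the practical argument for central collection.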
Don’t forget the human factor. Awareness is absolutely essential.
Every employee who works with IT assets in a company should be regularly and sustainably exposed to appropriate awareness campaigns in order to be fully conscious of the potential dangers of his or her actions. The human factor cannot be adequately controlled by a technical security measure. Therefore there is no alternative to these training measures.
In addition to the issues outlined above, the following factors play an essential role in maintaining IT security: multi-level data encryption, mature and tested backup concepts, technical implementation of the need-to-know principle, and regular security checks by IT security experts. Finally, it is of utmost importance to start taking action.