Basic IT protection: Modular security for companies

Sep 20, 2021

Every company that operates an IT network needs a concept for basic IT protection.

Strictly speaking, even a single PC connected to the Internet via a router already constitutes such a network, so the statement can be generalized: IT-Grundschutz (basic IT protection) is relevant for every company. The necessary measures naturally depend on the complexity of the company's own IT infrastructure. In the simplest case, an operating system that is kept up to date, combined with regular backups, can already meet the requirements for basic IT protection.

The German Federal Office for Information Security (BSI) provides valuable guidance on this in its current IT-Grundschutz-Kompendium. The 800-page work has a modular structure, so that anyone responsible for IT security can pick out the measures appropriate to their area. It covers almost all conceivable threats to corporate data security and also refers to the BSI's more detailed IT-Grundschutz catalogs.

Basic IT protection for companies: Legal obligations

Germany and the European Union can hardly be accused of imposing too few rules and regulations on companies. Accordingly, several legal standards exist from which obligations for IT protection, and liability claims, arise.

- GDPR: The General Data Protection Regulation primarily regulates the handling of personal data. The best-known impact is probably the need for explicit consent from data subjects to store their data. Article 25 of the GDPR in particular also imposes obligations on companies to actively ensure the protection of processed personal data.

- GmbHG: Section 43 of the German Limited Liability Companies Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung, GmbHG) provides for the possibility of personal liability on the part of the managing director if his or her duties have been violated. Claims could therefore be derived at least in the case of negligently caused circumstances that run counter to basic IT protection for companies.

- German Stock Corporation Act (AktG): Pursuant to Section 93(1) of the German Stock Corporation Act (AktG), members of the management boards of stock corporations are subject to a special duty of care. This also includes safeguarding the IT infrastructure.

- Product liability: General product liability naturally also applies to manufacturers of hardware and software. Claims for damages can be asserted under both the German Civil Code (BGB) and the Product Liability Act (ProdHaftG).

Strong protection for personal data is undoubtedly justified in this day and age. Every IT security incident involving an outflow of data potentially causes uncontrollable damage to the interests of those affected. No one wants their personal data or company internals to circulate in hacker forums. But the goal of ensuring the availability of important data so as not to jeopardize business processes should not be lost sight of when it comes to basic IT protection for companies.

IT security incident due to elementary threats

The basic protection compendium logically starts at a very low level. It looks at possible elementary damage such as:

- Water damage, fire and natural disasters
- Failure of power, communications and utility networks
- Theft, accidental loss
- Espionage, sabotage and hacker attacks of various kinds
- Unauthorized access by own employees
- Malfunctions of hardware and software

The aim here is to raise awareness of a wide variety of threats. For example, a backup that is not stored in a separate location may be useless in the event of fire or water damage. Due to the various scenarios, it should become clear in particular that a package of measures is usually necessary to form a comprehensive basic IT protection for companies and to take precautions for every IT security incident.

IT security measures: The process building blocks

This section of the Basic Protection Compendium is dedicated to the organizational optimization of IT security measures.

- ISMS (information security management): The key point here is that companies should consciously design a concept for IT protection. A suitable security officer must be appointed and given the necessary rights; if possible, this person should report directly to management. The objectives and IT security measures should be set down in writing where possible, and a regular review of the IT protection concept is essential.

- Organization and personnel: Very often, employees are responsible for an IT security incident. Unintentional operating errors can be the cause. Particularly in the case of cyber attacks, criminals now try to put employees under pressure or mislead them by means of so-called "social hacking" (social engineering). The aim is to get people to deliberately undermine IT security measures in the good-faith belief that this is necessary, for example because of an emergency. Accordingly, the BSI recommends, among other things, training and sensitizing employees. In addition, written work instructions and onboarding concepts make sense. The rarer case of deliberate misconduct by a company's own employees should also be taken into account in basic IT protection for companies; security checks in advance and regular controls can help here. Managing authorizations for access to sensitive data is also important. In general, IT protection should be part of every company's compliance.

- Concepts and procedures: This module describes the implementation of specific IT security measures. For example, the BSI recommends encrypting communication connections. It also contains practical tips for key and certificate management; for example, a separate key should be generated for each application. Data protection is also part of basic IT protection for companies, as is a data backup concept, which should describe the type and scope of backups and deal with storage media and where they are kept. Further content includes the secure erasure of storage media and information security on international trips.

- Operations: This section contains instructions for secure IT operations. It deals, for example, with the activities of the IT administrator, who usually has very extensive rights in the internal network; a designated deputy is therefore essential. Provisions should also be made for the case that an administrator leaves the company, so that his or her access to the network can be revoked securely. Clean documentation of administrative activities is particularly useful. One of the most important elements is the regular updating of systems; recommended here are, for example, prompt installation of updates, verification of the packages being installed, and documentation of what was applied. Other IT security measures described include protection against malware, logging in the network and software testing. For security-relevant applications, the BSI recommends regular penetration tests. Also included are tips for setting up home office workstations, general remote access to the company network, and the outsourcing of services.

- Detection and response: Qualified IT staff and users are essential for detecting security incidents. Once an IT security incident has occurred, defined reporting channels and emergency measures, such as disconnecting network connections, are important. Technical warning systems for intrusion detection should of course be used to protect the network. But a concept also includes planning the recovery of the network after an IT security incident and, where possible, preserving evidence of a cyber attack. For this area of IT-Grundschutz for enterprises, the BSI recommends regular audits and reviews.
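The advice in the "Concepts and procedures" module above that each application should get its own key is easy to state and easy to get wrong in practice. The following is an added example, not part of the original article or of the BSI compendium: it implements HKDF (RFC 5869) using only the Python standard library and uses it to derive a separate key for each application from one master secret, binding the application name into the derivation so that no two applications ever share a key. The salt value, the application names and the derive_application_key helper are assumptions made for this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * digest_size  # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested output longer than HKDF allows (255 * HashLen)")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed, deployment-wide salt for the example. In a real deployment it
# would be a random value generated once and stored next to the master key.
EXAMPLE_SALT = b"it-grundschutz-example-salt-v1"


def derive_application_key(master_key: bytes, application: str, length: int = 32) -> bytes:
    """Derive a key that is specific to one application (hypothetical helper).

    The application name goes into the HKDF 'info' field, so two applications
    with different names get unrelated keys even from the same master secret,
    and the same name always yields the same key (no key database needed).
    """
    info = b"application-key:" + application.encode("utf-8")
    prk = hkdf_extract(EXAMPLE_SALT, master_key)
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    master = bytes(range(32))  # constructed master secret, never use a fixed one in practice
    for app in ("crm", "mail-gateway", "backup-service"):
        print(f"{app:15} {derive_application_key(master, app).hex()}")
```

HKDF derivation is the right tool when keys must be rooted in one protected master secret (for example one held in an HSM); if no such root exists, generating each application key independently with `secrets.token_bytes(32)` is equally valid and simpler. Either way, compromise of one application's key must not expose another's, which is exactly what sharing a single key across applications breaks.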

Basic IT protection for enterprises: The system building blocks

Within the system building blocks, the compendium's authors provide very specific guidance on how to protect IT by securing specific applications and operating systems.

Applications: In this building block, for example, measures are given for securing Office software. This includes deactivating active content to protect against macro viruses. It also includes the recommendation to store important data only in encrypted form. Other topics covered include securing web browsers and mobile apps. The section also contains detailed advice for server services. This applies, for example, to directory services, web servers and file servers. Also included are instructions for securing databases and mail services such as Microsoft Outlook and Exchange.

IT systems: This section deals in detail with different computer systems, from servers to desktop PCs to mobile devices. The tips cover logging options on the different systems as well as recommended services and settings, such as those for automatic updating. The authors also point out the dangers of default settings, for example unintentional synchronization of user data with cloud storage and the possibly unintended storage of BitLocker keys in the Microsoft online user account.

Industrial IT: Information technology in production facilities usually has a key function for companies, so the entire production process can come to a standstill in the event of an IT security incident. The BSI recommends IT security measures that separate this area from general office IT, so that this sensitive area is better protected in the event of a cyber attack. Tips are also given for hardening systems through a variety of measures, including shutting down unnecessary services and using secure protocols.
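One concrete form of the hardening step just mentioned (shutting down unnecessary services and replacing insecure protocols) is an audit of what actually listens on a host. The script below is an added example, not code from the article or from the BSI: it parses output in the format of `ss -tlnp` (here a constructed sample, not captured from a real system), flags listeners on the well-known ports of cleartext legacy protocols, and flags any listening process that is not on an allowlist of expected services. The allowlist, the sample rows and the process names in them are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Well-known ports of cleartext legacy protocols that hardening guidance
# says to replace with encrypted equivalents (e.g. ssh/sftp) or shut down.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Hypothetical allowlist: the services that are meant to run on this host.
EXPECTED_SERVICES = {"sshd", "postgres"}

# One LISTEN row of `ss -tlnp`: state, recv-q, send-q, local addr:port,
# peer addr:port and, when run with enough privileges, the owning process.
LISTEN_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Finding:
    process: str
    address: str
    port: int
    reason: str


def audit_listeners(ss_output: str, expected: Optional[Set[str]] = None) -> List[Finding]:
    """Return one Finding per listener that violates the hardening baseline."""
    expected = EXPECTED_SERVICES if expected is None else expected
    findings: List[Finding] = []
    for raw in ss_output.splitlines():
        m = LISTEN_ROW.match(raw.strip())
        if not m:
            continue  # header line or a row that is not a listening socket
        address, port = m.group(1), int(m.group(2))
        process = m.group(3) or "unknown"  # no process shown without privileges
        if port in INSECURE_PORTS:
            findings.append(Finding(process, address, port,
                f"cleartext {INSECURE_PORTS[port]} service: replace with an encrypted protocol or shut it down"))
        elif process not in expected:
            findings.append(Finding(process, address, port,
                "not on the allowlist: disable it, or add it to the allowlist deliberately"))
    return findings


# Constructed sample in the column layout of `ss -tlnp`; not from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=901,fd=4))
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=977,fd=3))
LISTEN 0      128    [::]:631            [::]:*            users:(("cupsd",pid=1450,fd=7))
"""


if __name__ == "__main__":
    # On a real host: audit_listeners(subprocess.run(["ss", "-tlnp"], ...).stdout)
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.process:12} {f.address}:{f.port:<5} {f.reason}")
```

Run regularly (and diffed against the previous run), such a check turns the abstract "shut down unnecessary services" into a concrete list of deviations from the documented baseline, which is also the input a change process needs when a new service is added on purpose.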

Networks and communications: Data exchange and communications are of paramount importance to a company and must be given special attention in basic IT protection for enterprises. This is because both areas pose the greatest risks for the intrusion of malicious software or unauthorized access. For this, the BSI recommends clean documentation of the company network. Separating networks into different areas can increase IT protection. Access from outside must be specially secured, for example by firewalls or VPN software. The BSI also points out the central importance of routers and switches. Ports should be protected against unauthorized access and the devices should be included in the company's update strategy. The same applies to conventional telecommunications systems (TC).

Infrastructure: Basic IT protection for companies may require changes to the physical premises. Server rooms should be specially secured, for example with access controls. It is also advisable to plan precautions such as fire protection measures, protection against surges caused by lightning strikes, and an uninterruptible power supply (UPS) for particularly sensitive devices. But even ordinary workplaces may offer room for optimization, concerning cabling as well as the theft protection of equipment. IT security measures for home offices and mobile workplaces are also included.

IT protection as a permanent task for companies

Basic IT protection for companies is a necessity. Legal requirements should not be the only impetus to take precautions for an IT security incident. The ability of most companies to function and act is directly related to intact information technology. Corresponding concepts should therefore be regularly revised and scrutinized. External service providers who put a company network through its paces with a penetration test and thus increase IT protection can also help.
