With today's emphasis on information collection, processing, and usage, Nearly every organization today has to collect, process, and use data for its daily activities, strategic planning, and administration. Considering how heavily dependent organizations are on their information infrastructures, protecting that infrastructure is critical.
As much as we would like to, the systems cannot just be locked away behind thick walls because employees need to be able to generate, store, and transmit data. And that data must be secured against unwanted intruders. Depending on the organization, the systems may be accessed by mobile devices, many of which are privately owned by employees and contractors, which poses another challenge.
To effectively support and protect the information infrastructure, security personnel must be aware of various types of attackers. They include rapidly changing and increasingly severe threats from outside hackers, disgruntled insiders, well-funded professionals, and highly organized groups. Their nefarious goals vary, and may include manipulating funds within a bank, corrupting a competitor's computerized production line, disrupting control systems for environmentally sensitive materials, destroying data and hardware, or worse.
Protection doesn’t mean just deploying defensive security measures, but also accurately assessing the need for protection, thoroughly recognizing its vulnerabilities, and understanding the primary sources of threats.
Infrastructure protection can be broken down into two separate agendas: making the business case for investing in infrastructure protection, and implementing projects for survivability and recovery.
Making the Business Case for Infrastructure Protection
Failure to secure and protect information infrastructure can be extremely costly. There is the cost of lost or damaged equipment, but also the potentially far larger cost of lost or compromised data. Damage can lead to loss of revenue, loss of reputation, and long-lasting loss of market share and customer base.
Perception plays a major role in recognizing these dangers and authorizing appropriate action. For example, immediately after a serious compromise or loss, management may want to spend heavily on certain security measures to prevent a repeat incident. However, that appetite for spending may dry up if there are no attacks shortly afterwards.
Implementing Projects for Survivability and Recovery
Once a budget has been established, survivability and recovery from an attack become critical. The goal is to keep the organization functioning as effectively as possible in the immediate and long-term aftermath of damage. Survivability begins with detection and defense against the most likely attacks, but it’s necessary to create processes and procedures for quick recovery.
These efforts tend to involve backups not only of necessary data, but necessary hardware so data can continue to be gathered, processed, and delivered where it needs to go. To ensure these survivability and recovery measures are realistic, it's important to run simulations and drills of varying kinds. Such drills should give both personnel and systems full-load tests, so they can stand ready to function in the event of a real attack.
No one can accurately predict how much infrastructure protection is enough to deter attacks, since it's almost impossible to determine where the threats will come from.
It's daunting to analyze the value and return on investments in information infrastructure protection and compare them against other organization investments. But with organizations depending so heavily on its information infrastructure, protecting it is paramount.