Preventative IT support is a growing field that offers companies ways to safeguard technology, processes, and employees from attacks on a firm’s information infrastructure.
Preventative IT support is preferred because preparing upstream costs much less than dealing with a problem that occurs later.
Over the past decade, large firms have gone from focusing solely on adding services to protect technology to a combined approach that develops practices in all three areas: technology, processes, and employees.
The need is apparent. Only a few years ago, a government agency in the UK noticed a USB stick in the parking lot of one of its high-security buildings, which was managed by a defense contractor. The USB stick contained a lot of what would be considered top-secret information. The contractor was not fired, but they certainly gained new religious beliefs that included moving all of their client’s servers into remotely controlled facilities that humans were not allowed in.
Airgapping, which is removing people or networks from direct contact with a computing device, is therefore one way to remove a potential threat.
Other techniques typically used by preventative IT support specialists include auditing processes and implementing ITIL, a set of IT processes developed in Europe to help ensure stronger process decision-making with regard to security and ethics.
When it comes to people, one of the largest threats to security is social engineering.
Everyone knows the story of the London hospital nurse who committed suicide after mistakenly passing on a phone call from some radio disc jockeys who wanted to get personal medical information about Prince William’s wife during her stay there. Both the nurse and the hospital were victims of social engineering.
Preventative IT support specialists can train your staff to recognize social engineering attempts and help them set up processes that blunt those attempts. Their efforts can shore up your staff’s behaviors as they transact business.
One method of stopping social engineering is to raise awareness within your firm by training and then auditing the staff. For example, employees should know the e-mail policies so they are not tricked by phishing or virus attacks. It might seem that employees would rarely click on an e-mail that comes from an unknown sender, appears suspicious, or carries an attachment that got through the firewall. However, it has been shown that the percentage of employees who click on such messages is higher without training than it would be had they been trained. The same is true for employees who use the phone. Training and auditing have been confirmed to decrease the number of employees in organizations who will hand out their password if a fictitious IT person calls them and uses social engineering to solicit it.
Another way to combat social engineering is to educate executives about the whole range of social engineering exploits in order to drive individual company change from the top down. One Irish company is noted for doing this by arranging data breach forums for executives and by executives at Irish consulates overseas.