For most IBM i shops, who are busy creating and maintaining the applications that run the business and who are not just chronically understaffed but structurally understaffed, the smartest thing they can do when it comes to security is give up.
You heard that right. They need to put their arms in the air and surrender, absolutely and completely.
No, we don’t mean they need to open all of the ports on their server, turn off the firewall, and let the ransomware and malware in and let the hackers and phishers do whatever they will. What we do mean by surrender, however, is that most IBM i shops have to stop thinking that they have the tools, much less the expertise to use them to properly, to secure their machines in this increasingly hostile IT world. They need to admit that they need to get help and they need to have security as a regular part of their IT budget.
With the average ransomware breach costing $4.6 million, and the downtime associated with recovering from such breaches being anywhere from days to weeks to never coming back – yes, we know of companies who have been literally knocked out of business by security breaches – security of the IBM i platform, and indeed any critical systems that interact with it, has to be a top priority. Arguably, the top priority, and starting now.
For many reasons, people are overwhelmed about security. They have certain things set up and they are working, so they are afraid to touch anything because they do not have the expertise to know the effect of any changes they might make to settings in the security within the IBM i operating system, in the Db2 for i database, or in the security perimeter – firewalls, intrusion detection systems, and so forth. Security may be the top concern, but in terms of its priority on the action list, it drops way down because people don’t know where to start in this new, more insecure computing, network, and Internet environment. People tend to do what they can do, and put off what they can’t do and hope for the best.
This is obviously not a healthy strategy, particularly when it comes to security. And we all know it.
But neither is trying to foment an environment of fear, which is what we are definitely not trying to do right here in this column. The truth is, vendors in the security space have been trying to scare customers for years, and it has not really worked as a means of getting them to act. We have had exit point security for the OS/400 and IBM i platform for over two decades now, and less than 10 percent of the base has employed this technology. This strategy doesn’t work.
So what can be done? We come back to the premise at the top of this column. Admit that you are over your head, and ask for help. There are experts who know exactly what to do in your particular situation, who can help you to secure your systems and – here is the important part – to work with you to keep them this way. And you need to just give up and let the experts handle it. You need to convince your company owner or president or board of directors that in the current environment, anyone can have a Target Moment, and given the exponential rise in hacker threats, the damages could be like those the retailer had after it had a data breach in late 2013, when 41 million credit card accounts and 110 million personal information accounts were stolen. Not only was this embarrassing to Target’s IT department and to its reputation as a Fortune 500 business, the company had to pay a $18.5 million class action lawsuit and also gave out a year’s worth of monitoring software. The total cost of the data breach up through the end of 2016 was $292 million, and chief executive officer Gregg Steinhafel had to step down. Some of those costs were covered by a cybersecurity insurance policy – and if you don’t have one of those, you should get one immediately – but some of them were not.
This is not fear mongering, just data. And if you don’t have security on your application exit points and if you don’t have security on the Integrated File System and if you don’t have cybersecurity insurance, then you know you need to get this done pronto. We know that IBM i shops are not afraid to spend a premium on a premium system, and they have to start thinking that they also need premium security – quite possibly as a service – as part of that system. You can be stingy on a lot of things – and IBM i customers are legendary for being frugal, believe us, we know – but security can no longer be one of them. Like other business critical software and services – high availability clustering is the obvious example – there are new security licensing models that are bringing the cost of security software down significantly. Fresche, who just acquired Trinity Guard and the TGSuite of security and compliance software just announced a subscription model.
So where do you start? There are free and minimal investment assessments that highlight areas of your system that could be at risk. Security isn’t something you do once. After an assessment, you will remediate and put safeguards in place. Even the largest, most sophisticated and secure IBM i shops in the world monitor and apply the least privileged access management – adjusting authority settings when they need to. That includes IBM i shops that have the tools from various vendors that can make this easier. But you can’t just use the tool once and set it and forget it. You have to be vigilant and constantly monitor and manage security.
And here is a very important point that needs to be stressed. Just because you are compliant with various security regulations – GDPR, SOX, JSOX, PCI-DSS, HIPAA, the alphabet soup bowl just keeps getting bigger and bigger – does not mean that your system and its applications and data are secure. Just because your auditors say that your systems are compliant with regulations does not mean your systems are secure.
I recommend that companies start with an assessment to figure out where they are at, identify potential threats and build a plan to deal with it that starts with the areas that you can remediate right away. A breach or a hack is extremely unsettling and there are so many steps that need to happen to give your situation the best possible outcome. This is where an expert like Fresche can make the difference.
Getting help from the experts lets you focus on the business and gives you peace of mind knowing that your business-critical systems and data are in good hands – and sleep at night so you can get up and do it again tomorrow.
We're also hosting a special session to explore where to start and how to configure defenses on your IBM i system, you can sign up
Additionally, here is an on-demand session that can help you understand where to start and how to configure defenses on your IBM i.