
How IT Security Can Be Improved Within a Company

Information Security

Hacker attacks targeting companies of all sizes. At the same time: digitalization in all areas of life. Cybercrime increasingly affecting individuals. AI writing malicious code. And so on...

Keeping information and data secure has become a critical success factor for most companies. It's also common sense that this can be achieved by implementing basic security measures such as access controls, data backups, and network security—just to name the typical technical approaches. In addition, there are a range of organizational measures focused on workflows and employee behavior. This quickly creates the impression: no security without extreme effort! And that discourages many companies that are efficiency-driven and cannot—or do not want to—afford much overhead in their operations.

The good news is that it’s not always the big things that make the difference: even small steps like regularly changing passwords, checking access rights, or training employees can help increase security.

In this blog post, we’ll highlight a few basic measures that can help improve a company's IT security.

Technology, People, and the Little Things

In technical terms, information security encompasses everything that protects the integrity, confidentiality, and availability of critical data and systems. Let’s start with a few technical aspects:

One of the most important measures to improve IT security is the implementation of access controls. This means that only authorized individuals can access certain data and systems. This can be achieved through the use of user accounts and passwords, as well as two-factor authentication. Naturally, especially in organizations that maintain external contacts with suppliers or customers, access rights should be reviewed regularly, and account deletion must be a mandatory part of the offboarding process. Of course, this also requires the right infrastructure—such as centralized user management and other tools.
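The regular access review mentioned above can be made routine rather than ad hoc. The following is an added example (not code from the original post or from Kittelberger): it takes an export from a centralized user directory, cross-checks it against HR's offboarding list, and flags the cases a reviewer typically looks for. The records are constructed sample data, and the field names (`user`, `status`, `last_login`, `roles`, `mfa`, `external`, `expires`) are assumptions about what such an export contains.

```python
"""Periodic access review over a directory export.

Added example, not from the original post. The records below are constructed
sample data and the field names are assumptions about what a centralized
user management export provides.
"""
from datetime import date, timedelta

# Accounts not used for this long are candidates for disabling (assumed policy).
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample export from a central user directory.
ACCOUNTS = [
    {"user": "a.mueller", "status": "active", "last_login": "2024-05-28",
     "roles": ["staff"], "mfa": True, "external": False, "expires": None},
    {"user": "b.schmidt", "status": "active", "last_login": "2023-11-02",
     "roles": ["staff", "admin"], "mfa": False, "external": False, "expires": None},
    {"user": "c.weber", "status": "disabled", "last_login": "2022-01-10",
     "roles": ["staff"], "mfa": True, "external": False, "expires": None},
    {"user": "ext.supplier1", "status": "active", "last_login": "2024-05-20",
     "roles": ["portal"], "mfa": True, "external": True, "expires": None},
    {"user": "ext.supplier2", "status": "active", "last_login": "2024-05-21",
     "roles": ["portal"], "mfa": True, "external": True, "expires": "2024-03-31"},
]

# Constructed sample: HR's list of people who have left (offboarding input).
OFFBOARDED = {"b.schmidt"}


def review_accounts(accounts, offboarded, today, inactivity_limit=INACTIVITY_LIMIT):
    """Return (user, finding) pairs for the review; today is an ISO date string."""
    today = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts grant no access; only live accounts matter here
        user = acct["user"]
        # Offboarding check: a leaver whose account is still active is the top finding.
        if user in offboarded:
            findings.append((user, "offboarded-but-active"))
        # Dormant accounts: unused access is unneeded access.
        if today - date.fromisoformat(acct["last_login"]) > inactivity_limit:
            findings.append((user, "inactive"))
        # Second factor missing, with a separate flag for privileged roles.
        if not acct["mfa"]:
            findings.append((user, "no-mfa"))
            if "admin" in acct["roles"]:
                findings.append((user, "admin-without-mfa"))
        # Supplier/customer accounts should carry an expiry date and not outlive it.
        if acct["external"]:
            if acct["expires"] is None:
                findings.append((user, "external-without-expiry"))
            elif date.fromisoformat(acct["expires"]) < today:
                findings.append((user, "external-expired"))
    return findings


def group_by_user(findings):
    """Collapse findings into {user: [finding, ...]} for the review meeting."""
    grouped = {}
    for user, finding in findings:
        grouped.setdefault(user, []).append(finding)
    return grouped


if __name__ == "__main__":
    report = group_by_user(review_accounts(ACCOUNTS, OFFBOARDED, "2024-06-01"))
    for user, issues in report.items():
        print(f"{user}: {', '.join(issues)}")
```

Run against a real export, the script produces the list a reviewer works through; the offboarding check is the one worth wiring into the offboarding process itself so that a leaver's account is disabled the same day rather than caught at the next review.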

Another key measure is data backup. This involves regularly creating backup copies of critical data and systems to enable recovery in case of data loss. Cloud-based backup solutions can be used for this—depending on the data volume, appropriate bandwidth will be needed—or external hard drives. It's also important to protect the backups themselves from being encrypted (for example by ransomware that reaches the backup storage) or physically damaged, by storing them separately from the main data systems. One practical tip from our own experience: especially with complex systems, you should not only perform backups (both incremental and full), but also regularly test and document the restore process.
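A restore test is only meaningful if it checks that what came back is what went in. The following is an added example (not code from the original post or from Kittelberger) of a minimal full-backup-and-restore test: it writes a SHA-256 manifest alongside a tar archive, restores into a fresh directory, and compares every restored file against the manifest. The sample directory tree is constructed inline; the archive layout and manifest format are this example's own choices, not a description of any particular backup product.

```python
"""Backup, restore, and verify: a self-checking restore test.

Added example, not from the original post. The sample tree is constructed
here; the tar + JSON manifest layout is an assumption of this example.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Full backup: archive every file listed in the manifest and store the manifest beside it."""
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(src) / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive, dest):
    """Extract the archive into dest, using the 'data' filter where the interpreter offers it."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")  # refuses paths that escape dest
        else:
            tar.extractall(dest)


def verify_restore(manifest, restored_root):
    """Compare the restored tree with the manifest; return a list of (path, problem)."""
    actual = make_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "checksum-mismatch"))
    for rel in actual:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return problems


def build_sample_tree(root):
    """Constructed sample data standing in for 'critical data'."""
    root = Path(root)
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.csv").write_text("id,name\n1,Example GmbH\n")
    (root / "config.ini").write_text("[app]\nmode=prod\n")
    return root


def run_restore_test(corrupt_after_restore=False):
    """Back up the sample tree, restore it elsewhere, and return the verification problems.

    corrupt_after_restore simulates a damaged restore so the check is seen to fire.
    """
    with tempfile.TemporaryDirectory() as work:
        src = build_sample_tree(Path(work) / "src")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        restored = Path(work) / "restored"
        restore_backup(archive, restored)
        if corrupt_after_restore:
            (restored / "config.ini").write_text("[app]\nmode=dev\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("damaged restore:", run_restore_test(corrupt_after_restore=True))
```

The manifest is the piece that makes the test honest: it is computed before the backup, so a restore that silently drops or alters a file is reported rather than assumed good. Keeping the manifest with the offline copy also gives a quick way to check an archive for corruption without a full restore.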

Another important topic is network security. In larger networks, this includes proper network segmentation, as well as the use of firewalls and virtual private networks (VPNs) to prevent unauthorized access to the company network. Integrated solutions—such as those from Palo Alto—often come with features to detect and intercept attack patterns, anomalies, and malware directly.

The Human Factor

The human factor plays a crucial role in information security—it is both the greatest weakness and the greatest strength in the system. In other words: the best technology can be undermined by people, while flawed technology can sometimes be compensated for—at least in part—by human intervention.

It is therefore essential that companies educate their employees about the importance of information security and encourage them to adopt security-conscious behavior—even if it comes at the cost of flexibility, convenience, and speed.

One way to promote secure behavior is to conduct regular training sessions and workshops. These can help employees become more aware of information security threats and understand how to protect themselves against them.

It’s also important that companies encourage employees to report suspicious activity or potential security issues. This allows problems to be identified and addressed early. One example from our own practice: we operate several computers outside our corporate network where we can analyze suspicious attachments or other content. Every employee can quickly and easily forward suspicious material to our system administrators.

Additionally, it's important that employees practice secure behavior in their personal lives as well—especially in times of home office and bring-your-own-device policies, where the boundaries between work and private life often blur.

In summary: the human factor is a hugely important aspect of information security. By educating and raising awareness among employees, companies can encourage security-conscious behavior and significantly reduce the risk of attacks.

Systematic Security: What Are ISMS and ISO 27001?

An Information Security Management System (ISMS) is used to organize and manage information security within a company. It follows a process-based approach and includes identifying, assessing, treating, and monitoring risks to information security. Implementing an ISMS enables a company to manage the topic of “information security” in a systematic and proactive way.

The standard ISO/IEC 27001 is an international standard for information security management systems (ISMS). It defines the requirements for establishing, implementing, maintaining, and continuously improving an ISMS. ISO 27001 certification confirms that a company meets the standard’s requirements and has implemented an effective ISMS.

The Benefits for the Company

At Kittelberger, we decided several years ago to implement an ISMS—and since early 2020, we have been ISO 27001 certified.

From our perspective: a right and important step. But also: an ongoing effort, never truly finished. It’s a continuous process—and something that helps move an organization forward. Because many things are automatically documented, and because many expectations are not only assumed, but clearly defined. If done properly, the system gains acceptance simply because information becomes easier to find.