Back to Basics

By Sharon Smith

In the spirit of the recent Super Bowl, let me ask you this: Do you think the Patriots or Eagles would have made it to the big game if coaches Bill Belichick or Doug Pederson didn’t focus on the basics first? How about legendary coach Vince Lombardi, who, after losing to Philadelphia in the 1961 Championship game (before there was a Super Bowl), started the next season by holding up a football and saying “this is a football,” then continued to work on the basics of blocking and tackling for the rest of training camp. His team won the Championship title six months later.

Whether you are in pro sports or cybersecurity, getting back to basics is essential. However, in modern times organizations seem so focused on new technology or cutting costs that they have forgotten about the cybersecurity basics.

When talking about cybersecurity basics, we are talking about three things: people, processes, and technology.

We start with people because people are your first line of defense against a cybersecurity incident and, as every security professional knows, they are unfortunately also your weakest link. They are your first line of defense because they can see anomalous behavior and activity, and they are your weakest link because they often don’t know what they are looking for.

Ransomware payouts of $5 billion were made in 2017, with predictions of $11.5 billion by 2019. These attacks are often successful because an innocent user clicks on the wrong link in an email or visits the wrong website.

This means that getting back to basics with people is all about good, consistent, and frequent security awareness training. Letting your workforce know that they are the front line of defense against a cyber attack will pique their interest, and they will want to learn more. Reminding them of their role and providing them with the knowledge they need to do something about it is the key to getting back to basics.

Make sure they know what to look for, what to do or not do on their computers, and how to report anything suspicious. Reward them for staying on top of security; give them some skin in the game (no pun intended).

When you rely on that one annual security awareness computer course, you are missing out on the basics. Your entire team needs regular training if they are going to be sharp on game day, which is every day in the defense against the cyber attacker. And don’t forget that your employees whose job descriptions include security need additional and ongoing training above and beyond what everyone else is getting.

We now move to processes, because this is what people do daily for their jobs. It’s the process that gets data from point A to point B, and a process can be manual or automated.

So what do processes have to do with cybersecurity? Processes are typically created by users who are trying to make their jobs easier (that’s fair) and have not given thought to security, which makes sense since it’s not what they are trained to do. However, in creating those processes they don’t realize that they are creating security risks.

The solution is providing the business user with the knowledge that while they own their process, they also have a responsibility for ensuring the process is secure. That means providing a way for them to determine easily whether their new idea needs to be run by a security expert before implementing it. Basically, the players here (your users) need a coach (the security expert) to run the play by before they run it on the field during the big game.

Last, but not least, is technology. While many people think that technology should come first in protecting data, it actually comes last. More on that in Security is Not an IT Problem.

This is about to get more technical, and if you are a non-technical executive, I implore you to read it and then talk with your technical advisors to determine how your team is doing on the technology basics.

From a technology perspective, getting back to basics means ignoring all the new, flashy technology on the market today. IT decision makers are inundated with fancy names and terminology like cloud, artificial intelligence, threat modeling, next generation, ransomware, zero day, phishing, data loss prevention, and much more. This can divert their attention toward the new technology and away from the basics.

Patching is as basic as it comes for technology, and it is something that has been around as long as there have been computers. However, it is still not applied consistently within organizations, and it has been pointed to as the cause (there is never just one cause) of the Equifax breach. Being only two months behind in applying a patch doesn’t seem like a big deal until it becomes one of the key reasons you lose 143 million customer records.

Back to the football analogy: knowing there is a patch available and not applying it is like the coach and players knowing there is a hole in their defense, knowing the quarterback can run right through it for the touchdown, and yet not making any change to fix the play.

There are many other basics when it comes to technology, like password controls, user access controls, encryption, firewalls, and anti-malware software, to name a few. None of these are new; they have all had technology to support them for a very long time, and yet many organizations are not focusing on these basics. They allow users to keep the same password for years, they don’t control the access levels that users have and often allow administrative access to non-administrative users, they don’t encrypt sensitive data, they have wide-open firewalls, and they don’t install anti-malware consistently.

I warned you: that last section might have been Greek to you, and that’s OK, because you don’t have to know what it means. All you have to do is have someone in your organization, or a trusted advisor you can consult with, to ensure the basics are covered before you start purchasing all the new whiz-bang technology.

Start with the basics: people, processes, and technology, and build from there. You can have all the fancy technology in the world, but if you are not covering the basics, you are still wide open to the offensive team making play after play. In other words, you are allowing the hackers to come in and take whatever they want.

If you have questions about the basics, email sharon@c-suiteresults.com. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium size organizations maintain their security and compliance posture, reach out so we can talk in more detail.