Mark Berman, published in Think|Stack
Dec 18, 2017 (4 min read)

The CyberSecurity 5.

Shhh. If you aren’t 100% on these 5 things, don’t let anyone know.

I was recently asked to speak to a group of banking CEOs about Cybersecurity. The ask was easy. Equifax’s breach was still on the front pages. Everyone wanted to know how to prevent it from happening to them.

So, I pulled out my tried and true list of Cybersecurity’s top 10, David Letterman style. Then, a curveball came my way. The moderator liked the idea but said that there was an attention span of only 5 things.

5 things that everyone should do about Cybersecurity.

That was a tough ask. The reality of Cybersecurity in 2018 is that its complexity has reached a tipping point. Buying a firewall and turning on antivirus has morphed into an ecosystem.

The new ecosystem is monitored for normal vs. abnormal. Abnormal demands investigation. Abnormal can mean a malicious intruder poking around building towards a breach. Abnormal can mean an employee putting a whole organization at risk through intended or unintended behavior.

Challenge Accepted.

The reality proved in breach after breach is that most of the world is not taking care of cybersecurity proactively. So, what will put your organization ahead of the masses? Meaning, the top 20%. Roll music. And #5…

5. Everything up to date. No desktops older than Windows 7. No servers older than Server 2008 R2. No network devices not under active vendor service contract. No exceptions.

All technology is inherently insecure. We simply haven’t discovered all the ways it can be manipulated until it happens. Having supported operating systems and devices doesn’t matter if you don’t keep them up to date. You have 21 days to get your systems patched after a new security release. Do that, and you are ahead of 80%.
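The two rules in #5 (a minimum supported platform, and a 21-day patch deadline after each security release) are easy to turn into a check that runs over an asset inventory. The script below is an added example, not code from the article or from Think|Stack; the host names, patch dates and the "release" date are constructed, and the OS lineage lists are an assumption about which platforms the reader tracks.

```python
from datetime import date, timedelta

# Minimum supported platforms, per the article's rule: nothing older than
# Windows 7 on desktops and Server 2008 R2 on servers. Lists are ordered
# oldest to newest so "older than the floor" is an index comparison.
DESKTOP_LINEAGE = ["Windows XP", "Windows Vista", "Windows 7", "Windows 8.1", "Windows 10"]
SERVER_LINEAGE = ["Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
                  "Windows Server 2012 R2", "Windows Server 2016"]
FLOOR = {"desktop": "Windows 7", "server": "Windows Server 2008 R2"}
PATCH_WINDOW = timedelta(days=21)  # the article's 21-day patch deadline

# Constructed dates for the walkthrough (hypothetical, not from the article):
# a security release, a day inside its 21-day window, and a day after it closes.
RELEASE = date(2017, 12, 12)
INSIDE_WINDOW = date(2017, 12, 20)
AFTER_WINDOW = date(2018, 1, 5)

# Constructed sample inventory (hypothetical hosts and dates, not from the article).
ASSETS = [
    {"name": "ws-042", "role": "desktop", "os": "Windows 7", "last_patched": date(2017, 12, 14)},
    {"name": "ws-117", "role": "desktop", "os": "Windows XP", "last_patched": date(2014, 4, 8)},
    {"name": "srv-db01", "role": "server", "os": "Windows Server 2008 R2", "last_patched": date(2017, 11, 15)},
    {"name": "srv-file02", "role": "server", "os": "Windows Server 2003", "last_patched": date(2015, 7, 14)},
    {"name": "srv-app03", "role": "server", "os": "Windows Server 2016", "last_patched": date(2017, 12, 20)},
]


def os_supported(asset):
    """True if the asset's OS is at or above the floor for its role."""
    lineage = DESKTOP_LINEAGE if asset["role"] == "desktop" else SERVER_LINEAGE
    if asset["os"] not in lineage:
        return False  # unknown platform: treat as unsupported until someone classifies it
    return lineage.index(asset["os"]) >= lineage.index(FLOOR[asset["role"]])


def patch_status(asset, release_date, today):
    """Classify an asset against a security release dated release_date.

    'current' if patched on or after the release, 'pending' if not yet patched
    but still inside the 21-day window, 'overdue' once the window has closed.
    """
    if asset["last_patched"] >= release_date:
        return "current"
    return "pending" if today <= release_date + PATCH_WINDOW else "overdue"


def audit(assets, release_date, today):
    """Return one finding per rule an asset misses (an asset can miss both)."""
    findings = []
    due = release_date + PATCH_WINDOW
    for asset in assets:
        if not os_supported(asset):
            findings.append({"name": asset["name"], "issue": "unsupported OS", "detail": asset["os"]})
        status = patch_status(asset, release_date, today)
        if status != "current":
            findings.append({"name": asset["name"], "issue": f"patch {status}",
                             "detail": f"due {due.isoformat()}"})
    return findings


if __name__ == "__main__":
    # Run the audit a few days after the 21-day window has closed.
    for finding in audit(ASSETS, RELEASE, AFTER_WINDOW):
        print(f"{finding['name']:<12} {finding['issue']:<16} {finding['detail']}")
```

Run as-is, the audit reports five findings: the two legacy hosts are flagged both for the unsupported OS and for an overdue patch, and the supported database server is flagged only for missing the window. Unknown platforms are deliberately treated as unsupported so that an inventory gap shows up as a finding rather than silently passing.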

4. Know your data. If you don’t know where the data is that is desirable to outsiders, then you can’t protect it. Some of it is on your servers. Some of it is on your PCs. More of it than you know is in the cloud somewhere.

Find it. Make an inventory. Then for each item, be able to list how you have protected it. Keep it simple. Firewall protects the server. Email security protects the email. Content filtering protects against unauthorized web traffic. And so on. It isn’t hard and it isn’t technical. When you find a gap, fix it.

3. Qualify your vendors. If you know where your data is, the next question is, “are your vendors qualified to protect it for you as they serve you?” If you think that you could tell your customer or member that you didn’t lose their identity, the vendor did it: forget it. It is your reputation to lose. End of story.

If you aren’t sure what to look for in a vendor, there are many ways that auditors provide to quantify it. Terms like PCI, SOC-2, SOC-3, and many others will help you avoid getting mired in the details. Marry a checklist of qualifications to the list of vendors from the “Know your data” step and you’ll be set. Then, like Santa, don’t forget to check that list once a year, because some will be naughty and some will be nice.

2. Test. With all the complexity, it is a safe bet that something is configured wrong. The only way to know is to test. Test yourself, before the real world of hackers and intruders tests you. Expect to find gaps. That is the point!

There are three basic ways to test your security. Vulnerability scans use tools programmed with all the latest hacks to see if they will work on your network. Penetration tests add a human element to available tools to find a way in. Lastly, social engineering tests like phishing will test your staff (currently the source of 55% of successful breaches).

And, Mr. Letterman, the Number 1 thing you can do to stay ahead of 80% of your peers?

1. Training. It seems obvious, but training must be number 1. For all the attacks we can’t predict… For all of the inexperienced users we will hire… For all of the times when something just looks off… Each of these items is most efficiently and best recognized by the people who know your company best. Your staff.

Your staff has a vested interest in keeping your organization secure. But they weren’t born with the tools; you must provide them. Train all users as part of onboarding. It makes a statement about how serious your organization is about cybersecurity. Then keep it up. Quarterly is best, but at least twice a year. Don’t expect miracles. Build it into the system. Training is your obligation.

So that’s it. 5 things for you to be doing about cybersecurity to keep your organization in the top 20%. Said another way, 80% of the organizations out there make an easier target than you.

Let’s get to it.

Mark Berman, Think|Stack. Founder of FutureFeed.co, the most complete and efficient strategic compliance platform.