Let’s face it. Cybersecurity is hard. Between keeping the lights on and the mountain of IT projects, it is tough to stay in the know with current threats. It is common to see organizations attempting to throw software at the problem to stay informed and mitigate risk. However, this approach creates additional challenges. The software requires care and feeding and can produce large amounts of data that someone needs to review and act on. Before long, the software that was supposed to be the answer is just another piece of the enterprise that is getting little attention and presents risks since no one is updating it. While software solutions play a prominent role in understanding your threats and vulnerabilities, organizations should not discount the effectiveness of the basics.
When working with organizations, the three main focus areas are People, Processes, and Technology. Organizations that invest in these three areas typically have an effective defense against cyber threats and are on their way to maturing their cybersecurity programs.
People:
People play a large part in an organization’s cybersecurity defenses. Your employees can be your best defense or your biggest weakness. Cybercriminals are looking for the path of least resistance; usually, people are the most straightforward way into an environment. Implementing a solid training program for your employees is a low-cost way to ensure cybersecurity is top of mind at every level. Look for ways to implement training regularly throughout the year and create a security culture. In addition, the training that employees receive on the job will often help them stay safe at home.
Process:
Processes within an organization ensure everyone is working with the same set of guidelines. Unfortunately, we often encounter organizations with little documentation on the simplest of tasks. Take user on/off-boarding, for example. How many user accounts are still enabled, with the same password in your environment, and the user has been gone over a year? None, you think, but the reality is we encounter this scenario all the time and not just for one or two accounts. A user moved on, and no one notified IT. Documenting processes like this ensures that essential IT functions do not slip through the cracks. This is just one example, but organizations should take a hard look at their internal policy and procedures and, at a minimum, have an Incident Response Plan, Disaster Recovery Plan, and Business Continuity Plan reviewed regularly and practiced yearly.
Technology:
Technology in terms of cybersecurity is more than what is implemented to protect the environment. Don’t get me wrong, having a firewall implemented and configured correctly is critical, but the attack vector shifts if you are not regularly patching your systems. Organizations are typically good at pushing Microsoft patches; that’s easy. However, software updates and operating system upgrades are a different story. How many Windows 2008, 2003, or Windows 7 machines are running in your environment? Each machine presents a risk and attack vector. Every known vulnerability since the end of support is available to an attacker. Therefore, organizations should consider upgrades as soon as a system is implemented. I often encounter organizations that utilize software and hardware well past their intended end of life. At some point, IT Administrators simply do not want to touch them for fear of breaking something.
In short, cybersecurity is more than any one piece of software or hardware. Organizations should take a layered approach to cybersecurity and think about solutions in terms of a program. Simply having good cyber hygiene goes a long way in limiting overall risk and attack footprint. By training your people, documenting your processes and procedures, and putting the right technology in place for your organization, you are well on your way to an effective cybersecurity program.
If you are looking for a place to start, we can help.
Chad Robinson is the VP of Advisory and CISO at Secure Cyber Defense in Moraine, OH. In his role, Chad works closely with organizations to develop and mature cybersecurity programs.