At the risk of alienating myself from my cyber and information security peers, I want to give you a glimpse into the mind of a ‘security guy.’ This article may lead to a better understanding and adoption of security initiatives within your organization. This will also provide some insider information regarding the nefarious Security Team.
First and foremost, my mantra in meetings, conversations, planning, and even some dreams is Business Need Only. When it comes to access levels, functionality, reviews, or the plethora of other decisions an organization has to make, risk is immediately minimized by allowing only what is necessary for a valid business function.
Case in point: In 2019, Symantec reported that 65% of attack groups used phishing as the primary method to breach or infect organizations. By default, many organizations grant all of their users email because that is how we communicate with the world. Do all users need email internally? Probably. Do all users need the ability to send and receive email externally? I hope not, so restrict that ability and lower your risk.
Always ask yourself, “What is the business need?” The attack surface shrinks drastically when you minimize the interaction that users with production access have with the outside world, or the level of account privilege a person holds. This applies to all facets of information technology and security: application access, internet browsing, local and network access, email, and so on. We are not mean (most of the time); we are trying to protect the company.
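As an added illustration of Business Need Only (this is example code written for this article, not a tool the author describes), the snippet below models access as a default-deny decision: a role justifies a fixed set of entitlements, anything outside that set is denied even if someone granted it, and an audit reports both excess grants and the "production access plus outside-world reach" combination the paragraph above warns about. The role names, entitlement strings and users are constructed sample data.

```python
"""Default-deny entitlement model for the 'Business Need Only' principle.

Added example for this article; roles, entitlements and users below are
constructed sample data, not any real organization's policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Entitlement identifiers (constructed names for the example).
INTERNAL_EMAIL = "email:internal"
EXTERNAL_EMAIL = "email:external"
PROD_ACCESS = "prod:ssh"
INTERNET = "web:unrestricted"

# Role -> entitlements with a documented business need.
# Anything not listed for a role is denied by default.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "engineer": {INTERNAL_EMAIL, PROD_ACCESS},
    "sales": {INTERNAL_EMAIL, EXTERNAL_EMAIL, INTERNET},
    "contractor": {INTERNAL_EMAIL},
}

# Pairs that should not coexist on one account: production access combined
# with a channel to the outside world widens the phishing blast radius.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    (PROD_ACCESS, EXTERNAL_EMAIL),
    (PROD_ACCESS, INTERNET),
]


@dataclass
class User:
    name: str
    role: str
    granted: Set[str] = field(default_factory=set)  # what was actually provisioned


def allowed_for(role: str) -> Set[str]:
    """Entitlements justified by the role; an unknown role justifies nothing."""
    return ROLE_NEEDS.get(role, set())


def is_permitted(user: User, entitlement: str) -> bool:
    """Default deny: the role must justify the entitlement AND it must be granted.

    A grant without a business need does not make the action permitted; this
    is the check an enforcement point (mail gateway, proxy, bastion) would run.
    """
    return entitlement in allowed_for(user.role) and entitlement in user.granted


def excess_grants(user: User) -> List[str]:
    """Entitlements the user holds that no business need justifies."""
    return sorted(user.granted - allowed_for(user.role))


def risky_combinations(user: User) -> List[Tuple[str, str]]:
    """Toxic pairs present on the account, regardless of how they were granted."""
    return [pair for pair in TOXIC_PAIRS if set(pair) <= user.granted]


def audit(users: List[User]) -> Dict[str, List[str]]:
    """Map each user with unjustified grants to the list of those grants."""
    return {u.name: excess_grants(u) for u in users if excess_grants(u)}


# Constructed sample population: alice was over-provisioned, carol too.
SAMPLE_USERS = [
    User("alice", "engineer", {INTERNAL_EMAIL, PROD_ACCESS, EXTERNAL_EMAIL}),
    User("bob", "sales", {INTERNAL_EMAIL, EXTERNAL_EMAIL}),
    User("carol", "contractor", {INTERNAL_EMAIL, INTERNET}),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u.name, "excess:", excess_grants(u), "toxic:", risky_combinations(u))
    print("audit:", audit(SAMPLE_USERS))
```

The two checks answer different questions: `is_permitted` is what a control point consults at decision time, while `audit` and `risky_combinations` are the periodic access review that catches grants which crept in without a business need.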
My second mantra, explicitly reserved for my security teammates, is Optimism Bias Leads to False Confidence. It is also fun to say and makes you sound smart. Try it out.
People inherently believe their desired outcome will happen as a matter of course. Sure, bad things happen, but they happen to other people. This is Optimism Bias. Most security-focused personnel (should) maintain a healthy level of paranoia, anxiety, and panic at all times. Why? Because the bad people are out there, and they are trying to get us.
Do not, whatever you do, believe common misconceptions and fall into an optimistic comfort zone. If you do hear them, especially from security personnel, challenge them. The misconceptions I hear most often are:
- We are too small for a cyber-attack, or nothing I have access to is worth stealing.
Fact: Anyone with access to a computer, network, or private information is a target. Most campaigns and attacks target you for a small piece of a giant puzzle. It is not necessarily what is on an individual’s system that matters, but that the system is connected to authentication servers, email servers, file repositories, and third-party interfaces, to name a few.
Hackers target whatever they can whenever possible, whether it is to steal data, hold it hostage for ransom, or wreak havoc.
- We are good. We have an anti-virus [or] a firewall.
Fact: No single solution will keep you safe from all the various forms of cyber-attack. For example, anti-virus is generally used as the first line of defense and should be complemented with a combination of other network-level and host-level defenses.
It should be noted, if you do say, “We’re good. We got anti-virus,” aloud in a quiet setting, you will be able to hear maniacal laughter in the distance.
- Threats only come from the outside.
Fact: The vast majority of security incidents and breaches are a result of an action performed by someone on the inside. These attacks could be intentional from a disgruntled employee, or accidental from an untrained or unaware employee.
This threat is combated in two parts. First, by limiting access and functionality based on Business Need Only, the risk is minimized in either case. Second, regular training is needed, specific to a person’s position, role, or function, covering potential threats, countermeasures, safety precautions, and what to do if an incident is actual or suspected. This is in addition to any corporate security awareness training.
- My IT or InfoSec department takes care of security.
Fact: Information security and technology departments do implement controls, policies, and frameworks to manage and reduce risk. However, security is the responsibility of all employees within an organization. That should be made clear in job descriptions, employee handbooks, and any agreements between the company and an individual or third party.
A significant requirement of that responsibility should include reporting any actual or suspected incident through the proper channels. My motto is to report everything and let the security team sort out what is or is not valid. They are paid well, so I suggest transferring that liability to them.
My third and final mantra is reserved for security teammates and echoes through my head in the voices of football coaches and drill instructors. That mantra is It’s Never Good Enough.
Cybersecurity is an ever-changing landscape. An effective security posture requires constant vigilance, continuous evolution, and, most importantly, the ongoing investment in technology and training. What was considered adequate a year ago, or even a week ago, could be obsolete today.
Tactics change. Technologies change. New things are introduced into, and removed from, your network all the time. With these changes comes the potential for new or more significant threats. Cybersecurity programs, procedures, and tools must keep up if these threats are to be minimized as much as possible.
Security folks: Fight for your budget using justified, applicable real-world scenarios. Focus not only on the security aspect and scare tactics, but also on the efficiencies security brings to the table; there are quantifiable efficiencies associated with a strong security posture. Security should never be considered a money pit. CFOs and financial folks: Ask questions and understand the importance of security initiatives. Realize the benefits of investing in security training and technology. I am not saying write us a blank check, although that would make life easier, but keep security at the forefront of your mind when making financial decisions. Leave room to upgrade those controls, evolve that technology, and pay that CISO more money… for example.