Cybersecurity is a serious task for any business, but there is no need to panic and it can be tackled effectively.
Given that I don’t know anything about your business, this question is the IT equivalent of asking “how long is a piece of string?” Most writers will adopt a scaremongering approach, perhaps citing some breach statistics from published surveys, aiming to drive readers towards a particular product or range of products. Alternatively, the goal might be to reinforce a personal belief that one form of attack is more dangerous than another.
Businesses will adopt a security posture that they can afford, support, and maintain. I myself rely on Windows default antivirus and antimalware solutions, a router that provides a firewall, and my own security awareness. So far, I’ve not been breached, but I’m also not exactly a high-profile target or in an industry attractive to cybercriminals. Yet, I still receive more than 50 phishing or malware emails every day.
I’m not too worried about this because, thanks to regular file backups and disc images, I can restore my entire network in less than an hour if the worst occurs.
However, companies need more. What advice is essential for startups considering a cybersecurity policy? Is there an off-the-shelf solution to suit everyone?
Cybersecurity professionals can baffle non-techies when discussing their area of expertise, but the concepts involved are far from complex once the jargon is removed.
“Like football, it’s mostly about the basics: blocking, tackling – and not fumbling. So that means good code, thoughtful data science, traditional analysis, and clear writing. It is hard to predict the future of information technology, so cling to the basics,” said Kenneth Geers, senior research scientist at cybersecurity firm Comodo and NATO Cyber Center ambassador.
“I recommend an open philosophy, being flexible, mixing in different approaches, and creating your own, unique blend of information technology and information security,” added Geers.
Your IT team is the first port of call when rolling out a cybersecurity policy. If you don’t have one, then meet with a consultant to discuss your options. My recommendations include, but are not limited to:
Audit Infrastructure for Cybersecurity Threats
Have the details of your planned, or existing, infrastructure available (the number and specifications of workstations, servers and other hardware). Also include which software is installed. Even a free audit tool such as Belarc can assist with this task.
You now know what you need to protect, and you can identify if software needs security updates.
1. Consider External Links
Your broadband connection, Wi-Fi, VoIP and use of mobile devices are other important considerations. You may have a connection to the cloud, whether that be private or public.
You may have to comply with certain standards or regulations that apply to your industry or jurisdiction. Many of these standards indicate a security ‘best practice’ that could simplify your cybersecurity plan.
3. Identification and Selection
Based on the answers to the points above, you can judge which hardware and software solutions would be most beneficial. For most, antivirus and antimalware are obvious options, but there are also many others to choose from. Again, selection may depend on budget (cost per user), desired features, or interoperability with existing equipment or operating systems.
As stated previously, it’s pointless to be an early adopter of the latest in endpoint technology or machine learning if your internal team cannot support and configure it. The goal should be to provide regular technical training on security awareness in order to automate as much as possible while ensuring that users will not make silly mistakes.
Upgrade Your Humans
Even the best or most expensive (and they don’t necessarily overlap) cybersecurity solutions are often bypassed. What is the biggest possible threat?
“Definitely the human element. Everything is asymmetric in cyberspace, but success begins with education, technical training, and awareness,” said Geers.
User awareness of potential threats is the key to success.
“Any tool can be used for good or for ill, for profit or for loss. Within the enterprise, everyone must play from the same sheet of music, and that starts with regular meetings of the mind,” said Geers.
Your basic antivirus software per workstation is not obsolete, as alert and update mechanisms have evolved to be much faster these days.
“Anti-virus is foundational. But nothing is a silver bullet. Security is about people, processes, and creating a holistic philosophy that will carry you through good times and bad. That said, keep your anti-virus up-to-date,” said Geers.
It’s worth repeating: there is no silver bullet that secures everything.
When asked about his ideal security posture, Geers quoted Sun Tzu: “The Art of War teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
Rather appropriate, I think, given that the whole security versus breach campaign is simply two camps battling it out in cyberspace: one trying to exploit vulnerabilities while the other tries to eliminate them.
Eat, Drink and Be Merry for Tomorrow a Hacker will…
Finally, as readers throw up their hands and shout “He’s not telling me what to do about cybersecurity!”, I respond “Sure I am!” Follow a logical process, as outlined above, to determine what you need to protect. Next, protect it according to your budget and IT resources. Outsource your IT if you need to, and ask advice from security professionals. Panic is never necessary. Just follow Geers’s final piece of advice:
“Take a deep breath. Cybersecurity is a serious challenge, but very few data packets are lethal.”