October is National Cyber Security Awareness Month and in keeping the National Cyber Security Alliance’s theme for week two, “cyber security in the workplace is everyone’s responsibility,” I’d like to share some thoughts from a recent interaction with a small business leader.
Last Friday, my colleague and I met with a startup CEO in Boulder to discuss her cyber risk needs. Like most executives, she had many things on her mind and was very busy – it was obvious from the two backpacks, coffee mug, notebook, and jacket she juggled as she entered the conference room. After we settled in and got into the conversation, her request was simple: how can she rationalize all the buzz about security and come up with a plan that is complete and becomes a part of her organization’s culture?
While security in the workplace is everyone’s responsibility, executives can delegate the authority to act but not the accountability. Risk reduction starts at the top and executives need to distill an ocean of hype into something reasonably actionable. But where should these leaders look to get a start?
A couple of weeks ago, I mentioned the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs) as a good place to begin this journey: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/ In fact, this is the very link I sent to the CEO’s tech person after the meeting. Based on our experience with SME’s and this body of work, our recommendation was that similar sized companies take the following actions:
- Create a managed list of those devices allowed on your network. Also create a list of those devices not allowed on your network. Whitelisting creates a map of devices that need to be defended on the network. Blacklisting is an easy way to quickly identify troublesome agents.
- Understand the software used by your organization. This is important to a) prevent shadow IT from creeping in and b) having a map of those packages that require security patching; patching can be the greatest defense against cyber intrusion. Additionally, this control is necessary for implementation of control number 4 below.
- Make sure your hardware and software are configured for security. Remove those default admin passwords, setup new accounts, implement role based authentication, enable multi-factor authentication, understand the security capabilities and align your use to the business needs.
- Patch, patch, patch. Implement a system to ensure your hardware and software are updated with the latest vendor patches. Equifax might have have prevented a lot of heartaches if this one control was followed.
- Create policies and a culture of least privileged access. This is probably the hardest to implement in the fast-paced environment of a small business. It’s also the control that will get you the most mileage when the bad guys get ahold of that password somehow.
Train your team and make risk reduction a cultural tennet. Security Awareness is critical, but be sure to put it into context of your business systems in order to best educate your employees and suppliers.
These processes can be folded into everyday behavior in a small or midsized business if the corner offices are involved in creating and modeling the culture. They also provide a sound foundation for more quickly identifying threats, protecting against them, detecting when they occur, responding, and recovering. CEO’s need to recognize this is the most crucial part of their overall risk profile. It is said that “fish rots from the head”. Despite how busy our corner offices may be, best practices and a healthy environment of risk abatement starts at the head too.
I hope we helped simplify at least one of those items our CEO friend was juggling.
*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.