Let’s Get Back to the Basics

Nowadays, there is an abundance of services revolving around cybersecurity. There are gaps and problems, and tools are built to solve these problems and address these gaps. The issue arises when a security program is built around these products but no one has done the basics. When dealing with cybersecurity issues, it can be easy to freak out and look for the first big solution that is available to fix them. However, stepping back and fully evaluating what needs to be done can be the difference between fixing the problem once and fixing it long-term.

In sports, the most talented individual is not always on the best team. What does the best team do that highly talented individuals often miss? Fundamentals. So, what are the cybersecurity fundamentals? We start by identifying what we have: systems, hardware, software, data, and people. Then, what are the common threats to these particular types of assets? Next, how do we protect them, again based on the common risks to these types of assets? Finally, if the protections are not effective, how do we detect, respond and recover?

Based on the above, it makes sense to do these things in the order presented. Identifying what your company does and doesn’t have requires no spending, just resources and effort. Often what we see in reality is that the protection of assets is the focus, but identifying those specific assets in the first place is not. If your company doesn’t correctly assess what it truly needs, it is easy to spend money on tools that may not be ideal for efficiently protecting your firm’s information. We have seen examples of organizations that spend far more cleaning up frequent messes than they would if they took a more all-encompassing approach.

So, where should you begin?

A third-party assessment is a good start, but make sure it will review your cybersecurity based on priority. For example, a list of recommendations is useful, but it is more useful if the risks are ranked, and even better if they are listed top to bottom from most critical down to lower criticality. Some of the recommendations fold together, so it’s good to understand how each individual tool could benefit the needs of the firm. Budgets are not infinite, so we need to find where to put our money and effort to get the most bang for the buck.

Here are a few things that you can check for yourself:

  • Are your users local administrators on their workstations?
  • Do you use the same local administrator account on all your computers?
  • Do you know what is exposed to the internet through the firewall?
  • Do you require multi-factor authentication (MFA) for remote access?
  • Do you know if any outside vendors can access the network remotely without notice?
  • Are all your systems patched, and can you prove that no critical patches are missing on any system?
  • Do your IT folks use admin credentials as their normal sign-in?
  • Do users only have access to what they need to do their job?
  • Is your network segmented, or can every machine talk to every other machine on any port?

The common thing you may note from that quick list is that most of these checks cost nothing except time. The bottom line is that there are great tools out there to better your cybersecurity program, but you have to go back to the basics first.
