SECURITY MINDSET
Nicolas Buache
VP IT & Digital Experience | CIO, CISO, Information Security, Business Enablement
When talking about security with people, I always hear: “Which technology or solution did you implement, or which one do you recommend?”
Discussions are always oriented towards technical solutions. This repeated question gave me the idea to write this article.
IT security is evolving; in fact, the whole world is evolving! We need to adapt our mindset.
Remember:
A few years ago, the question was “Will I be attacked one day?”
Now, the question is “When will I be attacked?” or even “Have I already been attacked?”
In security, there are 3 pillars: PEOPLE, PROCESSES, and TECHNOLOGY.
10-20 years ago, every company had basic security solutions, like antivirus, firewall, proxy… As the technology changes, we are now going a few steps further by encrypting data, adding internal firewalls, and implementing a lot of new solutions. But you can invest as much as you want, you will never be 100% secure, particularly if you don’t work on People and Processes.
When talking about security, I like to use images from physical security, as they make it easier to understand:
When you measure the security level of a safe, you calculate the time required to open it. If you want your safe to be more difficult to open, you can buy a stronger safe, or you can install your safe in a secured room with limited access, in a secured building, and ensure nobody will open the door to attackers. On top of this, you will install some monitoring (cameras; an alert when someone opens the door; a record of all visitors to the room;…).
A good example I like to talk about:
While travelling for one of my previous companies, I had to go to a remote office where I didn’t have any access (no badge). The first day, I talked with a security guard in the garage and asked him what the best way to get into town was. The day after, this security guard was at the main entrance of the building, verifying the badge of every single person getting into the building, but he didn’t ask for my badge as he remembered our discussion in the parking garage. So, he let me get into the building and access the floor I wanted to go to. When I arrived on the correct floor, a maintenance guy was cleaning the window of the door. I only had to knock on the window and he opened the door for me. I was able to get into the building, install my computer, and work for 2 hours before someone came and asked me what I was doing there. The technology was there, but the processes were not respected by people.
So… before investing too much in technology, start by reviewing your processes and COMMUNICATE them! Start with the basics, like how to manage passwords. For example: do you have a process for the helpdesk to reset the password when an end-user is calling? The helpdesk team cannot recognize everybody on the phone; they need to ask a few questions to authenticate the user. And the helpdesk team also needs to be educated to always follow the process: the fact that the caller is a VP, or that the user is angry on the phone, is not a reason to bypass the process.
In all the examples I have provided, Processes are linked to People, because people have to follow and respect processes.
The very important point is then to educate your end-users and change their mindset, but also to find the correct balance in your security policies and processes (too lax, and security is weak; too many constraints, and end-users will try to bypass them). Educate your employees with clear images and try to make them change their habits at work, but also in their personal life. If they can understand the risk and apply it at home, you have a better chance that they will respect it at work!
And like everything you introduce in a company, monitor it: audit or test it, then communicate with users and explain to them what they did wrong and the risk/impact for the company.
It is interesting to see that people are ready to provide any information in order to participate in a free lottery! (Some people will even provide their details 4-5 times to increase their chance to win.)
If I could recommend something:
Build your security by layers, ALWAYS People, Processes, Technology!
Have MULTIPLE levels of protection (a safe is not enough… protect the safe in a room and protect the room where the safe is!)
Nothing is 100% secure; it’s always a question of time!
But if you have different levels of protection and every level is secured at 95%, the attacker may stop at some point, or you will have identified him before he reaches the safe!
This gives me an idea for a next topic: monitoring!
#Security, #Mindset
Cloud ESG Lead | Technology | Sustainability | Governance | Ethics | CCEP-I | Board Member
7 years: So very true!
Security project manager at ixa systems SA
7 years: Dear Nicolas, nice text and it’s completely right. Like you wrote, it’s very close to physical security.