Your Security Needs a Fitness Plan

I began skiing when I was 12. I grew up in Florida, but we would come up north occasionally to visit my aunt and uncle, and they would take me, my brother, and our cousins out on the slopes.

I loved it and I kept skiing for many years after that. But eventually, wear, tear, and (gulp) age got the best of me and I ended up needing hip surgery.

And, of course, you don’t keep skiing after you’ve had hip surgery. Unless…

…you see how much your kids enjoy skiing and you decide to come out of retirement so that you can join them!

But it’s not that easy to get back in the groove after seven years off; I knew I needed to first get stronger. And so I set a goal: By December of this year, I plan to be skiing with my kids.

My strengthening strategy is pretty simple: Do something every day.

Some days it’s a long, full-body workout. Some days it’s a 90-minute bike ride. Some days, when I’m feeling really beat up, it’s just 10 minutes of stretching. This morning, I tried yoga for the first time.

What I do each day varies but showing up is the key. I’ve made it a habit and I do my best to never break it.

Cybersecurity is a Habit, Too

Like exercise, cybersecurity is most effective (and least painful) when you do it regularly.

You need not go full steam every day — doing so can be counterproductive, because you will likely burn out if security is not your primary role. Regularity is what matters.

Also, like exercise, it can take time to “get in shape.” There are no magic bullets. However, there are some important things — fundamental things — that you ought to take care of as soon as possible. I promise, the risk reduction to your organization will be significant.

I’ve grouped these tactics (there are nine of them) into three buckets, in ascending order of difficulty and time required:

Bucket #1: Things That You Set Up Once

Bucket #2: “Beginner” Projects

Bucket #3: Ongoing Programs

Things That You Set Up Once

No matter how small your company, there is a 1–10% chance that you will fall victim to phishing, wire-transfer fraud, a breach, or a ransomware attack. Doing these things will lower your risk profile:

#1. Turn on Multi-Factor Authentication. Requiring a second factor in addition to the password on every account and system that supports it raises the bar significantly for any bad actor seeking to infiltrate your organization: a stolen or guessed password alone is no longer enough. Start with email, remote access, and administrator accounts, since those are the doors attackers try first.

#2. Have an expert configure your email and DNS securely. The default settings in popular email systems are often poor (I’m looking at you, Microsoft 365). Publishing SPF, DKIM, and DMARC records for your domains, and having your mail gateway enforce them on inbound messages, reduces the likelihood of spoofed emails reaching your environment as well as of others sending email while pretending to be you or a member of your organization.
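
One way to check whether the DNS side of this is actually done, as an added example that is not part of the original newsletter: the script below flags the weak settings an assessor looks for in SPF and DMARC records (no record, a permissive `all`, `p=none`, partial `pct`, an unprotected subdomain policy, too many DNS lookups). The domains and records are constructed for the example; in practice you would feed it the TXT records returned by `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.

```python
# Added example (not from the original newsletter): flag weak SPF and DMARC
# records. The domains and records below are constructed, not any real
# organization's DNS.

# Terms that count toward SPF's limit of 10 DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(record):
    """Return a list of weaknesses in an SPF TXT record (empty list = nothing obvious)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    findings = []
    terms = record.split()[1:]
    stripped = [t.lower().lstrip("+-~?") for t in terms]          # drop qualifiers
    has_redirect = any(s.startswith("redirect=") for s in stripped)
    # The final 'all' term decides what happens to senders matched by nothing else.
    terminal = terms[-1].lower() if terms else ""
    if terminal in ("+all", "all"):
        findings.append("SPF ends in +all: every sender on the internet passes")
    elif terminal == "?all":
        findings.append("SPF ends in ?all (neutral): no protection")
    elif terminal not in ("-all", "~all") and not has_redirect:
        findings.append("SPF has no terminating 'all': unmatched senders are treated as neutral")
    if any(s == "ptr" or s.startswith("ptr:") for s in stripped):
        findings.append("SPF uses ptr: deprecated, slow, and unreliable")
    lookups = sum(1 for s in stripped if s.split(":")[0].split("=")[0] in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers will return permerror")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if missing or not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC TXT record (empty list = nothing obvious)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: receivers will not check that SPF/DKIM align with the From: address"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is missing or invalid: the record will be ignored")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can be spoofed even though the domain itself is protected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you will never see who is spoofing you")
    return findings


def assess(spf_record, dmarc_record):
    """Combine both checks; 'dmarc_enforcing' is True only if receivers will quarantine/reject."""
    tags = parse_dmarc(dmarc_record) or {}
    enforcing = tags.get("p", "").lower() in ("quarantine", "reject") and tags.get("pct", "100") == "100"
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record), "dmarc_enforcing": enforcing}


# Constructed sample records for three hypothetical domains.
SAMPLE_DOMAINS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

if __name__ == "__main__":
    for domain, recs in SAMPLE_DOMAINS.items():
        result = assess(recs["spf"], recs["dmarc"])
        print(domain, "- DMARC enforcing" if result["dmarc_enforcing"] else "- DMARC NOT enforcing")
        for finding in result["spf"] + result["dmarc"]:
            print("   ", finding)
```

Note that `dmarc_enforcing` deliberately does not depend on SPF: DMARC passes on an aligned DKIM signature alone, so a domain can be fully protected with `~all` in SPF as long as DMARC is at `p=reject` with `pct=100`. The `weak.example` record above is the shape most small organizations are left with after an “expert” sets things up: SPF present, DMARC published, and nothing actually enforced.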

#3. Establish training for your personnel on phishing and smishing (phishing delivered by text message). The people inside your organization are the first line of defense. They also tend to be the weakest link against the bad guys.

“Beginner” Projects

These next three are projects. Not super-difficult, but unlike the three above, they require an ongoing commitment.

#4. Anti-virus / Endpoint Detection and Response (EDR). You’d be surprised how many folks need convincing before agreeing that this is necessary. But like a daily consumer of Big Macs who goes vegan after his first heart attack, just one episode of this type will change your mind. Keep in mind that EDR only earns its keep if someone is actually reviewing and acting on its alerts.

#5. Inventory your data / systems. You can’t protect what you don’t know exists. For any reasonably-sized company, these items number in the hundreds, and they include cloud accounts and SaaS applications, not just the servers in the closet. Commit to knowing what and where everything is.

#6. Create an Incident Response Plan (and practice it). The worst time to start thinking about how you’ll respond to a security incident is while it’s happening! Think through what could occur (a ransomware outbreak, a compromised mailbox, a fraudulent wire request), plan accordingly before it does, and walk through the plan with the people who will have to execute it.

Ongoing Programs

As I have moved through a variety of strength workouts, I have started to think of myself as “intermediate.” But I still come across muscle groups that I am ignoring (thank you, serratus anterior!).

It’s the same with cybersecurity. We often find even mature companies missing some of these basic, but essential, controls:

#7. Quality Backups. Most companies I’ve worked with have problems in this area. An important system has been missed; restores are never tested; the backup is not encrypted; the encryption key is not being managed properly. Keep at least one copy offline or otherwise out of reach of the credentials that run production, or ransomware will encrypt the backup along with everything else. Unless someone is proactively overseeing this, there are bound to be holes.
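
The inventory from #5 and the backup checks from #7 are really one exercise, so here is an added example (not from the original newsletter) that does both: it reconciles a constructed inventory export against constructed backup-system records and reports exactly the holes listed above: systems with no backup job, stale backups, restores never or not recently tested, unencrypted backups, and systems the backup tool knows about that nobody ever put in the inventory. The field names, thresholds, and data are assumptions for the example.

```python
# Added example (not from the original newsletter): reconcile the asset
# inventory (tactic #5) against backup job records (tactic #7). All data,
# field names and thresholds below are constructed for the example.
from datetime import date

# Constructed inventory export: what the organization believes it owns.
INVENTORY = [
    {"name": "erp-db-01", "owner": "finance", "critical": True},
    {"name": "fileserver-01", "owner": "ops", "critical": True},
    {"name": "web-01", "owner": "marketing", "critical": False},
]

# Constructed export from the backup system: one record per protected system.
BACKUP_JOBS = [
    {"system": "erp-db-01", "last_backup": "2024-06-01", "last_restore_test": "2024-03-01", "encrypted": True},
    {"system": "web-01", "last_backup": "2024-06-01", "last_restore_test": "2024-05-20", "encrypted": False},
    {"system": "legacy-hr-01", "last_backup": "2024-05-30", "last_restore_test": None, "encrypted": True},
]

# Constructed "today" so the example is reproducible.
SAMPLE_TODAY = date(2024, 6, 2)


def days_since(iso_day, today):
    """Whole days between an ISO date string and 'today'."""
    return (today - date.fromisoformat(iso_day)).days


def audit_backups(inventory, jobs, today, max_backup_age_days=1, max_test_age_days=90):
    """Return a sorted list of (severity, system, issue) tuples; empty list means no gaps found."""
    jobs_by_system = {job["system"]: job for job in jobs}
    inventoried = {item["name"] for item in inventory}
    findings = []

    for item in inventory:
        severity = "high" if item["critical"] else "medium"
        job = jobs_by_system.get(item["name"])
        if job is None:
            findings.append((severity, item["name"], "no backup job at all"))
            continue
        backup_age = days_since(job["last_backup"], today)
        if backup_age > max_backup_age_days:
            findings.append((severity, item["name"], f"last successful backup was {backup_age} days ago"))
        if job["last_restore_test"] is None:
            findings.append((severity, item["name"], "restore has never been tested"))
        else:
            test_age = days_since(job["last_restore_test"], today)
            if test_age > max_test_age_days:
                findings.append((severity, item["name"], f"last restore test was {test_age} days ago"))
        if not job["encrypted"]:
            findings.append((severity, item["name"], "backup is not encrypted"))

    # Reverse check: a system the backup tool knows about but the inventory does not
    # is an unknown asset, which is the "can't protect what you don't know exists" problem.
    for system in sorted(jobs_by_system.keys() - inventoried):
        findings.append(("high", system, "backed up but absent from the inventory: unknown system"))

    return sorted(findings)


def run_sample():
    """Run the audit over the constructed data above."""
    return audit_backups(INVENTORY, BACKUP_JOBS, SAMPLE_TODAY)


if __name__ == "__main__":
    for severity, system, issue in run_sample():
        print(f"[{severity:6}] {system:15} {issue}")
```

Run against the constructed data it reports four gaps: the finance database whose restore was last tested 93 days ago, the file server with no backup job at all, the unencrypted web server backup, and an HR system that the backup tool protects but nobody inventoried. The last one is the reason the two lists have to be compared in both directions.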

#8. Patching. This is a time-intensive, behind-the-scenes activity that needs constant attention. And people hate doing it! Just ask the folks at Equifax, who left a known bug (the Apache Struts flaw, for which a fix was already available) on their web site for two months due to a patching oversight.

#9. Good Password Management. Even if some people within your organization are handling this well, all it takes are a few who are not to leave you vulnerable. If you have 100 people with access to 100 systems, that’s 10,000 doors that are potentially left ajar. Give everyone a password manager, insist on a unique password per system, and make sure you are continually reinforcing the importance of this with all of your people.

This is Just the Beginning

Is this an exhaustive list? No!!! That would be a book, not a newsletter.

But you don’t need a full-blown cybersecurity program in place to start tackling these things now. Start where you are, take care of what you can as soon as possible, and commit to making cybersecurity an ongoing habit within your organization.

Do that, and by the time you see me schussing by on the slopes in December, you, too, will be in way better shape!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

This article was originally published on the Fractional CISO blog.

Craig Taylor

Founder, entrepreneur, thought leader, and cyber literacy visionary.

2 years ago

A picture is worth 1000 words... and so I loved your flywheel of MFA, Awareness Training and Patching... on and on that goes... you must continue that always. Keep up the great commentary, Rob!

Gabe S.

CISO | InfoSec | Risk Management | GRC | Consultant | Business Administration | Bridging security expertise with business reality.

2 years ago

Simplified, effective, and actionable.

Justin Armstrong, CISSP, HCISPP, MS

CISO with a focus on Life Sciences, Healthcare, and Tech Companies of all size

2 years ago

No one ever seems to want to accept the good advice. Many expect the Doctor to give them some kind of miracle pill that will solve whatever problem they have, when often they just say "exercise regularly, eat well, sleep, and drink plenty of water." It's the same in cybersecurity - too often people want the latest technical fix (and there are some that are necessary as noted here) rather than to consider that maybe what they need is some rigor and process.

CHESTER SWANSON SR.

Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer

2 years ago

Well said.

Jacob Horne

CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |

2 years ago

If steady, habitual progress leads to baseline security fitness then security vendor marketing is definitely the Liver King.
