Your Security Needs a Fitness Plan

I began skiing when I was 12.?I grew up in Florida, but we would come up north occasionally to visit my aunt and uncle and they would take me, my brother, and our cousins out on the slopes.

I loved it and I kept skiing for many years after that. But eventually, wear, tear, and (gulp) age got the best of me and I ended up needing hip surgery.

And, of course, you don’t keep skiing after you’ve had hip surgery.?Unless…

…you see how much your kids enjoy skiing and you decide to come out of retirement so that you can join them!

But it’s not that easy to get back in the groove after seven years off; I knew I needed to first get stronger. And so I set a goal: By December of this year, I plan to be skiing with my kids.

My strengthening strategy is pretty simple: Do?something?every day.

Some days it’s a long, full-body workout. Some days it’s a 90-minute bike ride. Some days, when I’m feeling really beat up, it’s just 10 minutes of stretching. This morning, I tried yoga for the first time.

What I do each day varies but showing up is the key. I’ve made it a habit and I do my best to never break it.

Cybersecurity is a Habit, Too

Like exercise,?cybersecurity is most effective (and least painful) when you do it regularly.

You need not go full steam every day — doing so can be counterproductive, as you’ll likely get burned out if this is not your primary role. Regularity is what matters.

Also, like exercise, it can take time to “get in shape.” There are no magic bullets. However, there are some important things —?fundamental things?— that you ought to take care of as soon as possible. I promise, the risk reduction to your organization will be significant.

I’ve grouped these tactics (there are nine of them) into three buckets, in ascending order of difficulty and time required:

Bucket #1: Things That You Set Up Once

Bucket #2: “Beginner” Projects

Bucket #3: Ongoing Programs

Things That You Set Up Once

No matter how small your company, there is a 1–10% chance that you will get phished, wire transfer frauded, breached, or become the victim of a ransomware attack.?Doing these things will lower your risk profile:

#1.?Turn on Multi-Factor Authentication.?This two-step requirement for log-in to any password-protected location raises the bar significantly for any bad actor that seeks to infiltrate your organization.

?#2.?Have an expert configure your email and DNS securely.?The default settings within popular email systems are often poor (I’m looking at you, Microsoft 365). This step will reduce the likelihood of spoofing emails coming into your environment as well as others sending emails while pretending to be you or a member of your organization.

#3.?Establish training for your personnel on phishing and SMishing messages (messages sent via text).?The people inside your organization are the first line of defense. They also tend to be the weakest link against the bad guys.

“Beginner” Projects

These next three are projects.?Not super-difficult, but unlike the three above, they require an ongoing commitment.

#4.?Anti-virus / Endpoint Detection and Response (EDR).?You’d be surprised how many folks need convincing before agreeing that this is necessary. But like a daily consumer of Big Macs who goes vegan after his first heart attack, just one episode of this type will change your mind.

#5.?Inventory your data / systems.?You can’t protect what you don’t know exists. For any reasonably-sized company, these items number in the hundreds. Commit to knowing what and where everything is.

#6.?Create an Incident Response Plan (and practice it).?The worst time to start thinking about how you’ll respond to a security incident is while it’s happening! Think through what could occur and plan accordingly before it does.

Ongoing Programs

As I have moved through a variety of strength workouts, I have started to think of myself as “intermediate.” But I still come across?muscle groups that I am ignoring?(thank you Serratus anterior!).

It’s the same with cybersecurity.?We often find even mature companies missing some of these basic, but essential, controls:

#7.?Quality Backups.?Most companies I’ve worked with have problems in this area. An important system has been missed; testing is not happening; the backup is not encrypted; the key is not being managed properly. Unless someone is proactively overseeing this, there are bound to be holes.

#8.?Patching.?This is a time-intensive, behind-the-scenes activity that needs constant attention. And people hate doing it! Just ask the folks at Equifax that had a known bug on its web site for two months due to a patching oversight.?

#9.?Good Password Management.?Even if some people within your organization are handling this well, all it takes are a few who are not to leave you vulnerable. If you have 100 people with access to 100 systems, that’s 10,000 doors that are potentially left ajar. Make sure you are continually reinforcing the importance of this with?all?of your people.

This is Just the Beginning

Is this an exhaustive list? No!!! That would be a book, not a newsletter.

But you don’t need a full-blown cybersecurity program in place to start tackling these things now.?Start where you are, take care of what you can as soon as possible, and commit to making cybersecurity an ongoing habit within your organization.

Do that, and by the time you see me schussing by on the slopes in December, you, too, will be in way better shape!

Want to get great cybersecurity content delivered to your inbox??Click here?to sign up for our monthly newsletter, Tales from the Click.

This article was originally published on the Fractional CISO blog.