5 basic cyber security lessons for all
Donna Small
We recently had the opportunity (a very enjoyable and interesting one, by the way) to review a series of conferences on information security and cyber security. These congresses spoke mostly of relatively new developments that have become trends, such as NextGen, the Internet of Things (IoT), DDoS attacks launched through IoT devices, security intelligence platforms, and so on. The fact that some of these terms have become fashionable is not a problem in itself, but it made us wonder whether the security world is looking at things the wrong way and, as a result, neglecting issues that still need to be addressed.
Above all, we realized that most organizations have not even implemented basic security measures, let alone advanced solutions. So first you need to know your starting point.
We always mark Safer Internet Day, which is celebrated around the world each year with the aim of promoting the responsible and safe use of new technologies. This year the date agreed was February 7, and the motto chosen was “Be the change. United for a better Internet.” In that spirit, we explore a different perspective on cyber security, understanding it as a goal in itself rather than as something tied directly to the needs of a company.
Pay attention to these 5 basic cyber security lessons.
Lesson 1: Start with the company (and its risks)
Although practicing security can be exceptionally complex, its spirit is quite simple. It is nothing more and nothing less than making risks visible and then reducing or taking them, so that the company can accept them knowingly and carry on with its work. To do this in the most effective and efficient way possible, we as security specialists have to understand how the company operates, and see security not only from an IT perspective but from the broader business perspective.
When starting from the company, we must first identify, map and categorize the risks specific to that business. Second, we have to determine which risks to treat and in what order.
Based on that, the person responsible for security within the company has to draw up a security plan that describes how these changes will be implemented, with clear goals and deadlines. Ideally this is done in a “smart” way, one step at a time, so as not to get involved in too many projects at once.
Lesson 2: Create a roadmap with a clear goal, step by step
It is essential to define your approach to security and to discuss it regularly with the relevant stakeholders in the company, so that adjustments can be made where and when necessary. As the roadmap is created and executed, the projects defined in it should each contribute to reducing the risks and reaching the final objective.
It is important not to lose sight of the company's specific objectives: those responsible for security should not “restrict or obstruct” the business with their security measures. This is not rocket science and should be approached simply. The plan should be something everyone can understand, even people with no IT skills. Of course, IT has a role, but only at the end, when implementing the solutions that execute the security projects.
Lesson 3: Cover the basics before deploying more advanced solutions
In analyzing what we observed at the conferences, we realized that most organizations do not even have basic security measures implemented, let alone advanced solutions. Security companies’ presentations on these technologies are often impressive and offer interesting content, but they are actually too advanced for most organizations.
In addition, experience shows that most attacks (around 90%) still use the simplest methods and exploit the simplest weaknesses: phishing emails, malicious attachments … and, of course, the weakest link.
Therefore, companies first need to put basic security measures in place for these simple risks before turning their attention to more advanced technologies. Of course, those other solutions are also important and should be implemented in the future, but only after the basics have been strengthened.
Security conferences often emphasize sophisticated threats and APTs (advanced persistent threats); yet companies like TalkTalk and Ashley Madison could have been protected from the attacks they suffered if they had simply had basic security in place.
Lesson 4: Establish Appropriate Relationships
Cooperation between IT security professionals is essential. As new technological developments emerge, groups and individuals with malicious intentions use increasingly varied and advanced attacks and tactics. Over time, the most advanced security solutions will become a natural part of every organization’s plans. However, the foundations have to be laid before a house can be built. And to build it, cooperation is needed between the architect, the real estate agent, the mason, the painter and, of course, the owner.
This idea of building something together is exactly what should happen in the world of cyber security. We have to cooperate intensely because, as in the construction of a house, there is no owner or architect who is also the best in masonry, painting or construction.
No security company has the best solution for each risk, so it is essential to work together. Those who cause harm are already cooperating with each other, so it is time for security professionals to do the same. We have to start with the owner (the company) and the foundations (the road map), and then forge relationships with the right contractors (security providers). Only then can a strong, reliable and safe house be built.
Lesson 5: Involve everyone, it’s the only way to success
To advance both cyber security and the business, there must be understanding and support on the part of the company, and vice versa. Security officers should be able to give brief and clear explanations so that all the different actors in the company can take part. Otherwise, the company (and its managers) will never understand the plans and will not give them enough support to be implemented, no matter how good they are. As Einstein once said: “If you cannot explain it simply, you do not understand it enough!”