Cybersecurity Basics – Tech Lords
OR My Other Car is a Police Call Box
This three-part series covers the basics of cybersecurity for three different user levels. The final entry speaks to the administrators, the technical gurus that keep data flowing and businesses running. What wisdom can possibly be imparted to such tech heads that they don’t already know? There is always more to learn in the world of technology!
Train Them, and They Won’t Succumb – Training users or your family is an excellent way to share your knowledge. By keeping them up on the latest scams, you give them the knowledge to recognize a phishing email or phone call. You empower them with the confidence that they are not just scared sheep. Be the good shepherd and teach your sheep to beat up the bad wolves.
Put Power Users to Work – Some users are more technical than others. While you wouldn’t give them an administrator password, you can speak to them more digitally. No, you’re not whistling to them in binary, but they understand the jargon and have a sense of how the technology works. Power users can disseminate information and better explain it to the less technical. Give them the ability to work with other users and see how much easier your job becomes.
Security Incentives – You catch more flies with honey than vinegar. Rewarding users and fellow employees with trinkets or candy for following IT security protocols helps reinforce them. Test them by not using your badge or by tailgating, and remind them of the rules. Explaining why the rules are in place will help the non-technical understand and be more apt to follow the rules.
Written Contingency Plans – Every corporation should have written contingency plans for any emergency, even things that have never happened before. This process can be daunting and involves every department, especially management. Having a written, tested plan will prevent chaos and disorder when a disaster does strike. Written plans also limit corporate liability and could lower insurance premiums.
Correct, Don’t Punish – Individuals cannot be held responsible for failing at security if not properly trained. Even so, curiosity and the desire to help others are often exploited by threat actors. When someone accidentally allows a person in the building or opens a virus-laden email, it is important to remember their humanity. The requirement to be technical security guards is a new role for most employees outside of IT.
Monitor Your Alerts – Even Artificial Intelligence running inside a Security Information and Event Management (SIEM) system cannot catch every nuance or attempted intrusion. Be sure to have a well-trained technical engineer monitor logs for things the system may not have alerted on. Monitor every device, including your Internet of Things (IoT) and peripheral devices. If it has a network connection, it can be manipulated to access your network. Segmenting IoT devices onto their own protected virtual LAN (VLAN) is recommended.
Really Lock Down the Network – Wireless network vendors offer plenty of tools to identify and prevent rogue wireless devices from attaching to your network and deceiving users. Using a central security system can ensure only corporate assets connect, whether wired or wireless. Requiring certificate-based authentication against your directory services verifies each connecting device and can allow encrypted end-to-end traffic, hiding data from sniffing attacks and eavesdroppers.
Take a Stroll – The real world cannot be seen through a monitor. Get off your duff and put your eyes on the devices and systems under your management. Pay special attention to the environment in your data closets and server rooms. You can’t always trust a humidity or temperature sensor.
Make IT Personal – Take time to talk to managers and users in their environment. Let them see you aren’t constructed of old laser printer parts. Small unreported issues could be indications of attempted security breaches or early indicators of equipment failure. If you are brave, ask the user community for comments and recommendations!
Seek Outside Help – Most organizations require annual security reviews to maintain compliance, whether it is PCI DSS, HIPAA, or SOX. Allowing an outside company to test your defenses is intelligent, especially if vulnerabilities are identified and resolved before they can be exploited. Work with attorneys to craft acceptable use agreements and contingency planning standards. You cannot be the expert at everything.
Test Your Defenses – Many IT security companies provide digital penetration testing, but some, for the right price, will physically test your security. One story tells of a tester gaining access to the building, sitting in on a board meeting, and handing confidential corporate data to the CIO in his report. If you’re truly concerned with your security, testing and Contingency Plan scripting are highly effective.
Backups – Time to preach! Backups are useless if they cannot be restored. Regularly test that all backups can be restored. The ultimate test is to completely restore the environment and confirm data integrity on separate hardware, as though recovering from a total failure. Only then will you know your disaster recovery plans are valid.
The technical leader of an organization has a duty to protect the data and users from threats, both inside and out. Training other eyes and ears is a great first step. You can’t do it alone, and you shouldn’t try. Be a good shepherd but put your sheep to work. Regardless of what disaster comes along, you’ll be ready to meet it head-on.