October is National Cybersecurity Awareness Month—a collaborative effort by government and industry to raise awareness about the importance of cybersecurity. This year’s campaign emphasizes personal accountability and stresses the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. Its overarching theme is “Own it, Secure it, Protect it.”
If this year’s campaign has made you take a harder look at your organization’s cybersecurity: Great! It’s had the intended effect. However, that also means you could be paying more attention to cybersecurity the other 11 months of the year too! The role of security is to protect so that stakeholders can perform business functions and processes; cybersecurity is no different, except that it is focused on digital assets. With that in mind I have another take on this year’s tagline to help make cybersecurity personal for you and your organization.
Do you know what you own? I challenge senior leaders to approach their CISO, CSO, or CRO and ask for the device inventory. Then, ask for the latest discovery scan results. Compare these documents to identify discrepancies. When—more likely than if—you find issues, ask for the change management tickets allowing the discovered devices to be brought online; as part of that process they should be entered into the device inventory. If you question what some of these things mean or are unable to use all of the basic management functions outlined, a serious evaluation of your commitment to security is needed. Fundamentally, if you do not know what you own, how can you ever hope to mitigate loss?
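The comparison described above can be scripted once the three records are exported. The following is an added example, not part of the original article; the CSV column names, sample records and ticket IDs are constructed, and matching devices by MAC address is an assumption.

```python
import csv
import io
import re

# Constructed sample exports (not real data): inventory, discovery scan, change tickets.
INVENTORY_CSV = """mac,hostname,owner
00:1A:2B:3C:4D:5E,fin-db-01,finance
00-1a-2b-3c-4d-5f,hr-laptop-17,hr
001A.2B3C.4D60,old-printer,facilities
"""
SCAN_CSV = """mac,ip
00:1a:2b:3c:4d:5e,10.0.1.10
00:1A:2B:3C:4D:5F,10.0.2.17
00:1A:2B:3C:4D:61,10.0.3.44
00:1A:2B:3C:4D:62,10.0.3.45
"""
TICKETS_CSV = """ticket,mac
CHG-1001,00:1A:2B:3C:4D:61
"""

def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def load(text):
    """Index CSV rows by normalized MAC so differently formatted exports line up."""
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(inventory_csv, scan_csv, tickets_csv):
    inv, seen, tickets = load(inventory_csv), load(scan_csv), load(tickets_csv)
    on_network_not_inventoried = seen.keys() - inv.keys()
    return {
        # Approved through change management but never recorded: a process gap.
        "ticketed_not_inventoried": sorted(on_network_not_inventoried & tickets.keys()),
        # On the network with neither an inventory record nor a ticket.
        "unapproved": sorted(on_network_not_inventoried - tickets.keys()),
        # Recorded but not seen by the scan: retired, offline, or unreachable.
        "inventoried_not_seen": sorted(inv.keys() - seen.keys()),
    }

if __name__ == "__main__":
    for category, macs in reconcile(INVENTORY_CSV, SCAN_CSV, TICKETS_CSV).items():
        print(category, macs)
```

Each of the three result lists calls for a different follow-up: a record to add, a device to investigate, or an inventory entry to confirm or retire.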
Now that ownership has been established, what’s next? A good place to start is partnering with your heads of security and networking. While they should already do this on a regular basis, go over both the logical network diagram and the physical network diagram to map pathways for data ingestion and exfiltration. An unsecured, internet-facing asset running a vulnerable protocol makes for a great news article, but may be detrimental to your job security. Once an organization’s architecture is understood, stakeholders can begin developing a list of scenarios to determine how effective current measures are at mitigating risk in accordance with corporate policy and risk appetite. This includes making sure firewall rules effectively segment functions on a network, user permissions are role-restricted, and appropriate authentication measures are used.
This phase is where we begin venturing away from the fundamentals and situations can become much more business-specific. You now know the layout of your house, so to speak, and have locked the front door; it is time to put in an alarm system and security cameras. Whether the company is a multibillion-dollar international powerhouse or a startup, preventing malicious activity from ever reaching internal systems is a monumental task. Most people are familiar with an antivirus provider, but protecting an enterprise requires a layered defense because a single point of failure is too risky. To meet a reasonable expectation of due care in protecting company information, it is prudent to have:
- Email protection
- An inline intrusion prevention system with sandboxing
- A host-based detection system
- Network logging
- Security information and event management (SIEM) software
- A firewall
- A data loss prevention system
- User training
This list begins a conversation about preventing security compromise or mitigating the severity when one happens, but you also need post-incident processes. A business continuity and disaster recovery (BCDR) plan serves as a flashlight in the dark to get the organization back on track. At a minimum it will outline roles, responsibilities, contact information, backup recovery options, alternate work options, and testing criteria that include exercises.
The Onus Is on You
If you are a stakeholder at any level within your organization, and something in this article was unfamiliar to you, good. Find teammates internally who can answer questions and help you better understand what contribution your efforts make in keeping the enterprise operating. This can range from being a section leader in a disaster recovery scenario to helping the security team understand uptime requirements and SLAs to better serve customers.
Most cybersecurity professionals are like the stagehands dressed all in black at a play—you should be largely unaware of their presence and if operations run smoothly you can watch the entire show without giving more than a passing thought to them. I encourage you to become actively involved in reaching out to your local security professionals during Cybersecurity Awareness Month to learn risks specific to your organization and report suspicious activity year-round.