If you are reading this, then you have probably thought about what it would be like to get a call at 2:00am tomorrow and be notified that your company has been crippled by ransomware. What would you or your company do in the face of demands to pay a hefty sum of money to get your data back, and to prevent that data from being released publicly?
This may lead to the question “What should we do about it?” and in many respects that is exactly the right question to ask, but the answer that comes back is often “too many things”, which I would suggest is exactly the wrong answer. So, what is the right answer? Quite simply: “do the next thing”. The issue is that security is a huge problem with so many facets that it is hard to even know where to begin. But begin we must.
I appreciate the security experts in our industry who build vast and deep frameworks mapping all the various areas of the enterprise. They provide us with a roadmap for building a strong and resilient business capable of facing many of the most dangerous threats. They guide us in how to manage our people, our policies and our processes to keep our data and our customers’ data safe. But they can also overwhelm us, terrify us, and ultimately drive us to a point of paralysed despair.
This is the point when we must resist the urge to stick our heads deep in the sand (and yes, I know ostriches burying their heads is a myth), but rather stand up straight, set our eyes on the horizon and take the next step, for this is a journey, and every step we take moves us forward.
So, where do you begin?
If the beginning of wisdom is knowledge, we need to start by knowing our weaknesses and understanding the threats those weaknesses expose us to. This is why security assessments based on frameworks such as the CIS Controls (originally published as the SANS Top 20) offer such value: they break the problem down into defined areas to be addressed, and then provide lists of specific “controls” which can be applied to each of those areas to improve your security posture.
If, however, you discover there are dozens of failings in your security posture, you then need to build out a process to fix them, and there the spectre of huge costs begins to discourage even the most determined executive team. As the project costs stack up, one upon another, we are again tempted to say “it’s all too hard”; our shoulders droop and we begin once more to look at the sand beneath our feet and wonder if maybe we should just stop thinking about it.
Now is the time to look at that motivational poster on the wall “Challenge – Anything unattempted remains impossible”, and we take our next step.
There is much we can do with minimal effort and little cost, so go there first. Teaching your people the importance of security, building or reviewing your policies, and building good processes around your business operations can be invaluable in raising your security posture.
For a practical example, Comparitech, a cyber security research site, offers a password strength test tool (please don’t enter your real password there). The tool suggests a weak password such as “Abadpw!” could be cracked in only 10 minutes, while “T1apgPWtpmdw!” would offer 11 million years of protection using current computing resources. Figures like these are estimates of an exhaustive brute-force search; the real time depends on the attacker’s hardware and on how slowly your systems hash stored passwords, but the gap between a 7-character and a 13-character password of mixed character classes is real and enormous.
Of course, the second password seems nearly impossible to remember, until I point out that it is a simple sentence: “This 1s a pretty good PassWord to protect my data with!”. One caveat: no amount of length helps if the password is reused and has already leaked elsewhere, which is exactly how attackers most often get in. The compromised account behind the attack that brought Colonial Pipeline to its knees was a VPN login with a leaked password and no second factor. By teaching good password hygiene, encouraging long and memorable passwords, leveraging password managers so that every account gets a unique one, adding a second factor where you can, and enforcing strong policies on all your hosts, you have significantly reduced the risk of a leaked password being the cause of an attack like that one.
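As an added worked example (not code from the post or from the Comparitech tool), the script below does the arithmetic behind the two passwords above: it derives the 13-character password from the sentence, sizes the brute-force keyspace for each password from the character classes it uses, and converts that into a crack-time estimate. The guessing rate of 10 billion guesses per second, the acronym rule, and the small “leaked passwords” list are all assumptions constructed for the example, so the absolute figures differ from the tool’s 10 minutes and 11 million years; the ratio between the two passwords, and the fact that a leaked password scores zero regardless of length, are the point.

```python
"""Brute-force arithmetic behind the two passwords discussed in the post.

Added example: this is not the Comparitech tool or the post author's code.
Every number that is an assumption is marked as such below.
"""
import string

# ASSUMPTION: offline guessing rate against a fast, unsalted hash on a
# multi-GPU rig. Slow hashes (bcrypt, scrypt, Argon2) cut this by several
# orders of magnitude, and an online login form is far slower still.
GUESSES_PER_SECOND = 10_000_000_000

# CONSTRUCTED stand-in for a breach corpus. A password that already
# appears in a leak is the first thing an attacker tries, so its
# brute-force figure is irrelevant.
LEAKED_PASSWORDS = {"password", "123456", "qwerty", "Summer2021!"}

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}


def acronym_password(sentence: str) -> str:
    """Turn a memorable sentence into a password.

    Rule (an assumption inferred from the post's own example): from each
    word keep its first character, any later capital letters, and any
    trailing punctuation, so "PassWord" -> "PW", "with!" -> "w!", "1s" -> "1".
    """
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(c for c in word[1:] if c.isupper())
        trailing = ""
        for c in reversed(word[1:]):
            if c.isalnum():
                break
            trailing = c + trailing
        out.append(trailing)
    return "".join(out)


def charset_size(password: str) -> int:
    """Alphabet size in the usual brute-force model: the attacker must try
    every combination of the character classes the password is seen to use."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password by exhaustive search: on average
    half the keyspace has to be tried."""
    return keyspace(password) / 2 / rate


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    if seconds < 1:
        return "instant"
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


def assess(password: str, rate: int = GUESSES_PER_SECOND) -> dict:
    """Combine the leak check with the brute-force estimate. A leaked
    password is reported as instant no matter how long it is."""
    leaked = password in LEAKED_PASSWORDS
    seconds = 0.0 if leaked else brute_force_seconds(password, rate)
    return {
        "password": password,
        "length": len(password),
        "charset": charset_size(password),
        "leaked": leaked,
        "seconds": seconds,
        "estimate": human_time(seconds),
    }


if __name__ == "__main__":
    strong = acronym_password("This 1s a pretty good PassWord to protect my data with!")
    for pw in ("Abadpw!", strong, "Summer2021!"):
        r = assess(pw)
        print(f"{r['password']:<16} len={r['length']:>2} charset={r['charset']:>3} "
              f"leaked={str(r['leaked']):<5} {r['estimate']}")
```

Run it and the weak password comes out in tens of minutes, the sentence-derived one in tens of millions of years, and “Summer2021!” (11 characters, all four classes) as instant because it is in the constructed leak list. That last line is the caveat in code: the strength calculator only matters for passwords nobody else already has.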
And I will leave you with one last piece of advice: you don’t have to do it alone. That is why companies like Charter are building security practices. We can walk with you on the journey to raise your posture step by step. The only bad thing to do in securing your business is nothing!
I’ll be back with some more thoughts soon.
Author: Ronnie Scott (CTO)