Posted in Books, Security

10 cornerstones for managing cyber security

I recently read a book titled Cyber Crisis that has a mission to convince every business manager and a person who owns a phone, computer, game console or an electronics device that cybersecurity is everyone’s business. The author Eric Cole, an industry-recognized security expert, has written an easy to read book that explains why and how absolutely every organisation and every person must protect their connected devices from online threats. Here are the 10 key points that summarize the fundamentals of a long term cyber security strategy.

You are a target.

Like it or not, but everyone who has any type of device connected to the internet is a target. Perhaps you think you don’t have that much money for criminals to be interested in you, or you have a virus scanner on your PC. Wrong attitude. You probably have an online bank account, and credit or debit card. They are key targets for criminals. It is likely you have a phone where attackers can install malware that, for instance, constantly clicks ads in the background, or a home security camera connected to the internet that hackers can easily turn into a tool that they remotely utilize for attacking other targets. Every computer, phone and connected device must be protected.

Cybersecurity is your responsibility.

At work and at home, security is everyone’s responsibility. Although organizations may outsource complex security projects to consultants and families may ask help from a neighbor who happens to have a reputation as a computer wiz, the person who pushes the buttons, clicks the links, and downloads files to the device makes the final decisions what happens.

Security is typically built in, but not turned on in products.

In recent years, the vast number of security incidents have convinced responsible product manufacturers and software developers to include fundamental security features in their products. There was a time when vendors didn’t want to turn on security features because they feared customers would complain the products are difficult to use. Now, the tide is turning. Responsible vendors ship products with basic security features switched on, and enforce users to select reasonable passwords.

Attachments and links included in email messages are the most likely danger points.

Attachments included in email messages are the easiest way for cyber criminals to deliver harmful programs to target devices. If you click on a malicious attachment, it installs itself on your PC or phone and then it does whatever it wants. Clicking unknown links included in messages (it can be a Facebook, Whatsapp, any message) can have the same effect. How do you know if an attachment or link is dangerous? You have to assume it is. If you didn’t ask to get a file, don’t open it. If you didn’t ask for a link, make sure you know where it is pointing before you follow it.

Beware of social engineering scams as well. If “Microsoft support” calls you and instructs you to download a program to your PC or phone, don’t do it.

Understand the risks and exposure.

When an organization opens its internal network for remote workers, it makes a lot of sense to do so. From security point of view it can be done, but the risks must be carefully assessed and managed. If a family wants to install security cameras inside and outside their house, and access them on their phones while they enjoy a weekend at a resort, it is perfectly all right after the security risks are evaluated and managed.

Focus on your critical data.

All major cyber security breaches have been serious incidents because criminals have stolen millions or billions of records of data from large databases. Ransomware crime where criminals encrypt organization’s data and unlock it after a ransom has been paid is a successful scheme because the victims aren’t sure if they can recover all the data quickly enough to continue operating normally. Ensuring critical data is backed up and rapidly recoverable is the cheapest cyber insurance.

Always backup your critical data to a storage that is not connected to the internet.

One of the recommended data backup strategies is called 3-2-1. It means having three copies of all data. Two copies are stored on different types of storage devices as the original. One of these copies is stored off site, maybe in a cloud storage or in another safe place.

There is no delete button in cyberspace.

If you have a computer or phone that is not connected to the internet, you can remove a file from the device and it really disappears forever (without going to the technical details how someone who has physical access to the device may be able to recover the file). Since practically all devices are connected to the internet and we interact in the cyberspace, the situation is radically different today. Our photos and messages are copied from node to node until they reach their destinations. There is no way knowing if the messages are saved while in transit, or if intelligence agencies are monitoring the messages. It is possible to hide the content of those messages by encrypting them but copies still exist.

If you delete a message for instance, on Facebook or let it auto-destruct on Snapchat, it will be hidden from you, but it is not deleted. It stays in the social media service’s database. In an unfortunate case when hackers manage to break in to the database, all its secrets may become public information.

Detection via monitoring is the key to security.

A key lesson from the Cyber Crisis book:
“You cannot prevent all attacks.”

Which leads to conclusion:
“Prevention is ideal, but detection is a must.”

It means that you should do everything you can to prevent attacks, but since 100% success rate is impossible for everyone, you must have attack monitoring in place all the time, for all systems.

Always act under the premise that you are compromised.

Another key lesson from Eric Cole:
“You are probably already compromised, and if you are not seeing the signs of compromise, it’s not because it didn’t happen, but because you are not looking in the right place.”

A few years ago, our small business conducted a cyber security planning project that started from the assumption that we were hacked. We worked backwards from there. The project was the most valuable security exercise participants has so far contributed to. It changed the way we think about security, and how it became part of our normal daily work.

Leave a Reply

Your email address will not be published. Required fields are marked *