2022-07-01 00:00:00
The one and only cybersecurity rule for small businesses
If you haven't been hacked yet, sooner or later you will be. This uncomfortable realization has been stuck in my head ever since I read Nicole Perlroth's book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. The book describes the global trade of the most wanted computer vulnerabilities, known as zero-days, that enable both criminals and national intelligence officers to break into computers almost when and where they want. What can an individual or a small and mid-size business do to protect themselves?
The ugly truth is that you can do something, but some day someone will break into your computer network or mobile devices. A recent survey by a cybersecurity firm asked about ransomware incidents in mid-size organizations across the world, and discovered that 66% of them had been ransomware victims in 2021. If the high percentage of successful attacks feels disturbing, another recent study is even more disturbing: 85% of organizations admitted they had experienced an IT related break-in during 2021.
Law enforcement is after the criminals, but cybercrime has become a massive new industry with organized groups that may operate like enterprises. A recent global field operation by Interpol depicts the scale of the cybercrime problem: 2000 arrests in 1770 locations around the world with 4000 bank accounts frozen in a single operation.
The one cybersecurity rule that sets the scene is:
Assume you have been hacked.
It is the starting point. When our small business started working from this point backwards towards the ideal level of cyber security, it was easy to see how carefree we were. During the process, we changed many practices especially with mobile devices, but we also realized what was the most valuable asset. Our data. It had to be managed more carefully, ensuring that no matter what happens we have access to it.
In addition to the Nicole Perlroth's book, good sources of inspiration are the Five Laws of Cybersecurity and Krebs's Three Basic Rules for Online Safety.
Both of these rule sets have succeeded in nailing a few key points that every small business owner and individual can understand and implement for personal computing or business environment. Cyber security in large scale is complex, very technical, and often outsourced to dedicated professionals, but the following rules are something that everyone can follow.
Five laws of cybersecurity:
- Treat everything like it’s vulnerable.
- Assume people won’t follow the rules.
- If you don’t need something, get rid of it.
- Document everything and audit regularly.
- Plan for failure.
If anything describes these five laws in a single thought, it is the traditional Murphy's Law: "Whatever can go wrong will go wrong". As the statistics from recent studies indicate, it really is the case with cyber security at the moment. Of course, these five laws are not the only ones. For instance, Nick Espinosa's Tedx talk introduces excellent points that make you pause and think seriously about security.
Krebs’s Three Basic Rules for Online Safety:
- If you didn’t go looking for it, don’t install it!
- If you installed it, update it.
- If you no longer need it, remove it.
These three basic rules are excellent advice for every computer and phone user. Especially, if someone you don't know wants you to do something on your computer or phone.
Sure, the simple strategy I have presented here is a pessimistic view on the world of computer security, but the point is this: it is eyeopening to build a scenario where your small business network or personal computing system has been hijacked or completely shutdown by adversaries. How do you recover?
