All too often these days, the news headlines call attention to yet another company security breach with the loss of their customers’ data. Studying these incidents can help us learn what to do – and what not to do – to prevent pitfalls in our businesses.
These learnings can apply across the board – no matter whether your business is large or small – as studies have repeatedly shown that the challenges facing businesses are identical. And while larger firms may have dedicated security resources, they can suffer from a lot of inertia when it comes to implementing change.
When seeking to protect data, a large number of companies use one of the many security frameworks to help identify the key steps to take. Whether you look at the Center for Internet Security (CIS) top 20, the National Institute of Standards and Technology (NIST) cybersecurity framework or the Australian Cyber Security Centre (ACSC) Essential Eight, all the frameworks broadly agree on the essential measures. In this blog I’m going to cover the top 3: inventory, patching and staff education.
Inventory as a First Step in Cybersecurity
The first step towards cybersecurity has a strong correlation with good ITAM practice – know your inventory.
Having a solid understanding of your IT estate means you know what you need to protect and have visibility of the potential risks. For example, tracking the old versions of operating systems means that you know whether you have systems which no longer receive security updates (e.g. Windows 2003). This tells you how and where to implement the next essential step: patching your technology. And without proper inventory, organizations can be woefully exposed to risk.
Patching: A Vital Slog
It is hard to emphasize enough just how important patching is. Unfortunately, it is a never-ending cycle of dull work which rarely leads to anyone in the team being rewarded or recognized for completing it. The continual release of new patches makes it very hard to obtain a sense of achievement, but getting it right is absolutely critical.
Just ask Equifax, who suffered the loss of personally identifiable information (PII) for 148 million people, primarily due to a lack of patching. They were notified of a vulnerability, they communicated it internally, and even held meetings about the importance of patching it, but they didn’t actually get the work done. To ensure patching has been completed, you need checks and balances in place. This might require the use of Microsoft SCCM or a SAM inventory tool.
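One way to build the "checks and balances" described above is to reconcile the asset inventory against the patch tool's report, so that unsupported systems, stale patching and hosts known to only one of the two sources all surface in a single list. This is an added example, not code from the original post: the CSV column names, hostnames, dates and the 30-day threshold are constructed assumptions and do not reflect a real SCCM or SAM tool export.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a real SCCM or SAM tool schema.
INVENTORY_CSV = """hostname,os
web-01,Windows Server 2019
db-02,Windows Server 2003
app-03,Windows Server 2016
kiosk-04,Windows 10
"""
PATCH_REPORT_CSV = """hostname,last_patched
web-01,2024-05-28
db-02,2015-06-30
app-03,2024-02-11
lab-09,2024-05-30
"""
# Releases that no longer receive security updates (the article's Windows 2003 example).
UNSUPPORTED_OS = {"Windows Server 2003"}

def load(text):
    """Index a CSV export by lower-cased hostname so the two sources join cleanly."""
    return {row["hostname"].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(inventory_csv, patch_csv, today, max_age_days=30):
    """Return {hostname: [findings]} for every asset that needs follow-up."""
    inventory, patched = load(inventory_csv), load(patch_csv)
    findings = {}
    for host, asset in inventory.items():
        issues = []
        if asset["os"] in UNSUPPORTED_OS:
            issues.append("unsupported OS")
        report = patched.get(host)
        if report is None:
            issues.append("not in patch report")  # asset the patch tool never sees
        else:
            age = (today - date.fromisoformat(report["last_patched"])).days
            if age > max_age_days:  # assumed patch window, tune to your own policy
                issues.append(f"last patched {age} days ago")
        if issues:
            findings[host] = issues
    # Hosts the patch tool knows about but the inventory does not are inventory gaps.
    for host in patched.keys() - inventory.keys():
        findings[host] = ["patched host missing from inventory"]
    return findings

if __name__ == "__main__":
    for host, issues in sorted(reconcile(INVENTORY_CSV, PATCH_REPORT_CSV, date(2024, 6, 1)).items()):
        print(f"{host}: {', '.join(issues)}")
```

Running the reconciliation on a schedule and reviewing the output turns "we held a meeting about the patch" into evidence that the work was actually completed.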
Educated Employees are Secure Employees
Once you know what you are protecting and that it is properly patched, your next area of focus has to be the last line of defence at every business – your employees.
Many companies try to tackle this with security awareness training and IT policies, but such training often fails to achieve the results needed. Successful security education uses an approach that recognizes human behaviour and works with how we behave.
People respond more strongly to positive messages – “40% of our staff did not click the link in our phishing test” works better than highlighting those who did. We also respond well to social pressure, e.g. “60% of staff in finance avoided the banking trojan in the email attachment.”
We also need to focus on making the secure approach the easiest one – everyone is busy, so make it quicker to do the right thing and people will make the right decision. A good example would be implementing a Single Sign On (SSO) solution like Azure Active Directory or Okta to reduce the number of separate passwords needed by employees. This makes it easier for staff to sign in to applications while giving IT a tool for strong authentication, password audits and sign-on logs.
To summarize, the essence of good security comes back to the basics:
- Build a strong inventory of your assets
- Pursue your patching (and recognise the IT staff involved), and
- Focus on educating your staff using positive psychology
In doing so, you will reduce the chance of your company falling victim to a data breach.