So much is at stake with your personal liability and livelihood.  Because of that, I offer yet another IT blog discussing security. I am sure you see many posts in this genre, but keeping security top of mind is important, so please read on.

On October 5, 2014, CBSNewsreported FBI Director James Comey saying, "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese" (Pelley, 2014).

Wow!  So that’s it?  Cash in our chips and call it a game well played?  No! Of course not!  IT security is not a one-time deal where we have already won, or we have already lost.  IT security is not a project that got funded last fiscal year and wrapped up before the budget dried up. Security is a matter of vigilance, continuous review, and a critical examination. So what mindset do we need to maintain to protect our investments and livelihoods?

A Value Mindset = What, Exactly, Are My Crown Jewels?

My high school textbooks describe the foundation of an economic engine as three things: people, raw materials, and capital. That describes a manufacturing based economy or the old economy. The new economy is a hybrid. It contains all the attributes of ancient agrarian, past century manufacturing, and our modern service economies. Critical elements in new hybrid economy models include clients, workers, and the data that ties them together.  With this, I state confidently, that it is your data that is the crown jewel of an enterprise.

A Proactive Mindset = Harden the Target and Watch the Gate.

There are many experts in the IT security field, and I recommend getting to know a few. I offer you four topics that transcend specific technologies or security tools.

  1. Design the security right into the technology infrastructure. For example, Network Address Translation [NAT] is a simple and effective way to hinder network penetration.
  1. System patching. It may seem straight forward if you are seeing that Microsoft is patching Windows every month. But consider all the Adobe and JavaRuntimeEngine updates that come out continuously. Without patching these, you are leaving many doors unlocked. Each software title on your computers may need patching.
  1. Intrusion testing is a good investment. If you haven’t checked the back door, then how do you know that it is still locked?
  1. Worker education cannot be assumed. Ready your team. This is not a drill. Regular reminders and ongoing education for the people touching your crown jewels are essential. Social engineering attacks may seem elementary, but they are effective and can be thwarted only with knowledge

An Operational Mindset = Tools and Techniques Ready for Real Time Threats.

Every day you have a business to run, and it doesn’t seem reasonable to be constantly worried about what might happen. But, don’t cop-out and say, “It’s all just too much to tackle.” Keeping good IT security checks and balances is like safeguards you put in place with your accountant on every financial transaction you execute. Here is a high-level roadmap.

  1. Identify and understand the vectors that the bad guys can use to get to the crown jewels. The identification includes all technology, processes, and procedures that are in orbit around your cookie jar of critical data.
  1. Engage in a critical review, and don’t be afraid of what you might find. I recommend getting outside help for this part. A fresh set of eyes keeps you from being blinded by the obvious.
  1. Make the revisions required to lock it all down. You must bake in the fortifications needed.
  1. Do this each time you change technology, processes, or procedures. Again, security isn’t an afterthought. It is part of the decisions you make up front.

Call to Action

It is easy to put off until tomorrow what you can do the day after.  But you know that rust never sleeps.  So I offer you a couple of next steps to take today.

  1. Subscribe to a good blog on security and check it often. Keep yourself educated. Reading security content will motivate you to do more.
  1. Assign someone to lead security initiatives. Provide them with the authorization to improve what needs attention. I recommend refreshing that position regularly to get new eyes on the prize.
  1. Keep in mind the emerging technologies like mobile devices. For instance, the Android StageFright vulnerability has many mobile workers watching their back.  As of today, this issue is unpatched.  So remember to turn off Auto-MMS downloads.

Final thought: Remember that you can delegate tasks, but you cannot delegate responsibility.  Own it!

Thank you for reading, and let me leave you with this. I am a project manager. I work or AfidenceIT and I like to help.

Final Thought: Remember that you can delegate tasks, but you cannot delegate responsibility. Own it!

Bill Cilley

Project Manager | AfidenceIT

References

Pelley, S. (Ed.). (2014, October 5). FBI Director James Comey on threat of ISIS, cybercrime. Retrieved October 23, 2015, from http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/