When it Comes to Cybersecurity, You DO Have to Sweat the Small Stuff

A: I use Facebook as my first example – and I constantly evangelize about this. You see it all the time – little questions and surveys, polls and “harmless asks” – “Hey, what’s your favorite color? Hey, what was your first car? When you were born, what great event happened?” Look at all the information you just gave away about yourself. There’s no protection of that and turning people’s data into a commodity is the way everything’s going. We’re not a society that makes things, we’re becoming a society that buys things and sells data.

A: The protection of that data or the privacy of that data doesn’t seem to be paramount. If your insurance provider or online retailer gave away your information, say your birthday, you’d be furious. Yet when a Facebook post says use this chart of months and days to find your cool movie star name based on your birthday, you readily do it and type in the name as a reply. People don’t necessarily see security and privacy going together, but they do. If you don’t want your private data to become public knowledge, you must secure it and audit it effectively.

A: Well, 90 percent of breaches are due to human error. So, you clicked on something, you did something, you gave some piece of information away. With enough information, there are systems that can predict – within three keystrokes – what you’re going to do next. All because of the information you gave away.

With the information out there, I know where you work, I know what you do, I know your email address is probably your login, I can probably guess what your password is. So, the information you give away now may be the determinant of what happens to you later.

A: Foregoing routine maintenance. I’ve worked with a lot of organizations, and I see it all the time. Nobody wants to patch. Nobody wants to reboot. Nobody wants the downtime. Patches are free. If you paid for your support plan, why are you not putting these in? We see companies that don’t encrypt. They don’t do any of the things they know they need to be doing. They have policies and procedures; they just don’t follow them or audit them effectively.

A: A big part of it is information overload. When you’re inundated with information, it’s easy to overlook some of the basic things that you should have done. I was touring a SOC (security operations center), and I saw some red flashing lights. That’s bad, right? So, I ask, “What dos that mean?” “Oh, it says that somebody has a virus on their computer. It comes up all the time. It’s just a false positive.” We get lulled into not doing anything. That’s what happens. Security is a 60/40 paradigm. That 40 percent is the hardware and software that you bought, this new shiny thing that’s supposed to do all this work. The 60 percent is what it’s telling you. Do you pay attention to it? Another major thing is to ensure alignment of goals between IT and cybersecurity.

A: It happens in some of the most innocuous, small ways that you just can’t believe. As I said, 90 percent of breaches come from human error. There’s just so many small, little things that lead to the big thing. Everyone should assume breach. You should already assume somebody is in your systems, because they are. You’ve got internal users that might be giving away your stuff. You’ve got external people that are trying to get in every day. Security technologists need to be right every time. Hackers need to be right once.

A: To put in a plug for something that I’ve been working on, is automation for security. For example, if somebody tried to log in three times in one second, obviously it’s not your user. They can’t log in that fast. Shut that ID down. We’re talking about a security wingman. It’s the resource that’s there all day, even if something breaks at a shift change, or overnight, or when you’re on vacation. We’re talking about technology that watches vigilantly all the time, when you can’t.