When it Comes to Cybersecurity, You DO Have to Sweat the Small Stuff
August 20, 2022
With breaches and ransomware common topics in today’s news, we conducted a short Q&A with Mike Hahn, Prolifics Head of Security Practice.
A: I use Facebook as my first example – and I constantly evangelize about this. You see it all the time – little questions and surveys, polls and “harmless asks” – “Hey, what’s your favorite color? Hey, what was your first car? When you were born, what great event happened?” Look at all the information you just gave away about yourself. There’s no protection of that and turning people’s data into a commodity is the way everything’s going. We’re not a society that makes things, we’re becoming a society that buys things and sells data.
A: The protection of that data or the privacy of that data doesn’t seem to be paramount. If your insurance provider or online retailer gave away your information, say your birthday, you’d be furious. Yet when a Facebook post says use this chart of months and days to find your cool movie star name based on your birthday, you readily do it and type in the name as a reply. People don’t necessarily see security and privacy going together, but they do. If you don’t want your private data to become public knowledge, you must secure it and audit it effectively.
A: Well, 90 percent of breaches are due to human error. So, you clicked on something, you did something, you gave some piece of information away. With enough information, there are systems that can predict – within three keystrokes – what you’re going to do next. All because of the information you gave away.
With the information out there, I know where you work, I know what you do, I know your email address is probably your login, I can probably guess what your password is. So, the information you give away now may be the determinant of what happens to you later.
A: Forgoing routine maintenance. I’ve worked with a lot of organizations, and I see it all the time. Nobody wants to patch. Nobody wants to reboot. Nobody wants the downtime. Patches are free. If you paid for your support plan, why are you not putting these in? We see companies that don’t encrypt. They don’t do any of the things they know they need to be doing. They have policies and procedures; they just don’t follow them or audit them effectively.
A: A big part of it is information overload. When you’re inundated with information, it’s easy to overlook some of the basic things that you should have done. I was touring a SOC (security operations center), and I saw some red flashing lights. That’s bad, right? So, I ask, “What does that mean?” “Oh, it says that somebody has a virus on their computer. It comes up all the time. It’s just a false positive.” We get lulled into not doing anything. That’s what happens. Security is a 60/40 paradigm. That 40 percent is the hardware and software that you bought, this new shiny thing that’s supposed to do all this work. The 60 percent is what it’s telling you. Do you pay attention to it? Another major thing is to ensure alignment of goals between IT and cybersecurity.
A: It happens in some of the most innocuous, small ways that you just can’t believe. As I said, 90 percent of breaches come from human error. There are just so many small, little things that lead to the big thing. Everyone should assume breach. You should already assume somebody is in your systems, because they are. You’ve got internal users that might be giving away your stuff. You’ve got external people that are trying to get in every day. Security technologists need to be right every time. Hackers need to be right once.
A: To put in a plug for something that I’ve been working on: automation for security. For example, if somebody tried to log in three times in one second, obviously it’s not your user. They can’t log in that fast. Shut that ID down. We’re talking about a security wingman. It’s the resource that’s there all day, even if something breaks at a shift change, or overnight, or when you’re on vacation. We’re talking about technology that watches vigilantly all the time, when you can’t.
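The three-attempts-in-one-second rule above, as an added illustration that is not code from the interview or from Prolifics: a small Python check that replays constructed authentication events (the log format, user names and timestamps are all made up here) and reports each user ID that should be locked because it produced three or more login attempts inside a sliding one-second window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events, not taken from the original page.
# Format: "<ISO timestamp> <user id> <result>"
SAMPLE_LOG = """\
2022-08-20T10:00:00.100 alice failure
2022-08-20T10:00:00.350 alice failure
2022-08-20T10:00:00.800 alice failure
2022-08-20T10:00:05.000 bob failure
2022-08-20T10:00:09.000 bob failure
2022-08-20T10:00:15.000 bob success
2022-08-20T10:00:20.000 carol success
"""

WINDOW = timedelta(seconds=1)  # no human types three logins this fast
THRESHOLD = 3                  # attempts inside WINDOW that trigger a lock


def parse_events(text):
    """Parse the constructed log into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    events.sort(key=lambda e: e[0])
    return events


def find_burst_logins(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: lock_time} for every user whose attempts (successful or not)
    reach `threshold` within `window`; lock_time is the attempt that tipped it over."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    flagged = {}
    for ts, user, _result in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts            # this is the point to shut the ID down
    return flagged


if __name__ == "__main__":
    for user, when in find_burst_logins(parse_events(SAMPLE_LOG)).items():
        print(f"lock {user}: {THRESHOLD} attempts within {WINDOW.total_seconds()}s by {when.isoformat()}")
```

Only alice is flagged: bob's attempts are seconds apart and never fall inside one window, which is the difference between a fumbling person and an automated client.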
Join Mike Hahn in the Prolifics Innovation Sandbox
The Sandbox kicks off again – live – on Thursday, Aug. 5 at 10 a.m. ET with “Top Guns of Cybersecurity.” Our team shares how to successfully fly past the “bogies” in today’s unfriendly skies of security threats. We’ll explore the right equipment to move your company to number one on the security runway – automation, cloud solutions and more. Cybersecurity experts Michael Hahn (Prolifics) and Mark Neumann (IBM), and our captain, Kirsten Craft (Prolifics) are your crew for this incredible journey. Don’t miss the flight! For more info and to register, go here.
Michael Hahn, Head of Security Practice – Prolifics
Michael Hahn is Head of Security Practice for Prolifics, with more than 20 years of cybersecurity advisory and consulting experience with Fortune 500 and government entities. As a technology leader and innovator, Michael has a track record of partnering with clients to enable unique, resilient and secure solutions within the IT space.