By Michael Tanji
There are a lot of cybersecurity principles and concepts. People have written books and papers that address them in excruciating detail. We are not going to do that here. For one thing, you do not have the time. For another, you are not in the security business, you are just in business. You do not need to be an expert; you need to be conversant. What follows are some core concepts you should be familiar with in order to understand what it is that cybersecurity proponents are trying to do and why certain recommendations are being made. GCA’s Cybersecurity Toolkit for Small Business serves as a resource for useful tools and information, and each of the toolboxes it contains provides you with different means of improving your cybersecurity.
Cybersecurity Is Not Absolute
There is no end state where your enterprise is completely secure. Nothing is hacker-proof. Nothing guarantees 100 percent success in combating threats. Anyone who says they can achieve perfection in cybersecurity is lying. Some solutions get close, but they usually require trade-offs that you are likely to find unacceptable. The goal you should set for yourself is "secure enough," based on how you do business, what your threat model is, and what it is you are trying to protect. A good way to start is by taking steps to prevent falling victim to phishing attacks, which many small businesses succumb to every year. The Prevent Phishing and Viruses Toolbox in the GCA toolkit provides resources for guarding your business against these types of attacks.
Know What You Are Protecting
You cannot mount an effective defense if you do not know what it is you are trying to keep safe. "The company," yes, but what does that mean? Do you know how many computers you really have? Do you know where all your data is? Without a comprehensive inventory of what you are trying to protect, you are likely to waste a lot of time, money, and effort building defenses you do not need while leaving the things that matter exposed. The Know What You Have Toolbox helps you identify all your devices so you can better protect them.
A Multi-Layered Defense
A castle used to be a popular metaphor for how to defend an enterprise. It has fallen out of favor because people like to pick nits about aspects of the castle and not the overall principle. A castle is not effective because of one feature alone. Castles have thick, high walls, but they also have a moat. They are located on high ground. The layout of the buildings and roads outside the castle is designed to slow advancing troops. Castles come under siege, and sometimes they fall, but not without extracting a high price from the attackers. The same principle applies to your business: no single control should be the only thing standing between an attacker and your data. Using multi-factor authentication, so that a stolen password alone is not enough to get in, is a good way to fortify your castle, and the Beyond Simple Passwords Toolbox gives you more information on how to set it up across your devices.
The Bad Guys Get a Vote
Building an effective defense requires a specific mindset. Unfortunately, as a defender you can let that mindset cloud your judgment. It is easy to get caught up in building a specific defense against a given threat or class of threats, only to be exploited by something you did not think of, or worse, something widely known and trivial to thwart. Taking the time to put yourself in the shoes of the opposition can give you a new perspective on what an effective defense should be. Keeping your systems updated is one such powerful defense, since attackers routinely go after known flaws that a patch already fixes, and the Update Your Defenses Toolbox helps you do just that.
Computers, Internet connectivity, and storage are cheap. It is tempting to buy more than you need, store everything you can, and give everyone permission to do whatever they want because it might make them more effective or reduce your need for human capital. Every one of those practices is a potential vulnerability waiting to be exploited. Ransomware is a case in point: an attacker who compromises one over-privileged account can encrypt everything that account can reach, and then demand exorbitant sums of money to give your data back. Limiting what each person and each system can access, and keeping only the data you actually need, limits the damage. The Defend Against Ransomware Toolbox helps you take appropriate steps to minimize your chances of falling victim to this type of attack.
Take Advantage of Home Field
There is an oft-repeated phrase in cybersecurity circles that goes something like this: the bad guys only have to be right once; the good guys have to be right every time. But in a well-defended enterprise that old chestnut simply is not true. In a well-defended enterprise, an attacker has to be right every time, and in series, in order to be successful. Every step an intruder takes is a potential signal to you that something is amiss. Your enterprise is your turf, and no one should know it better than you do. One place to start protecting your turf is your domain name, which attackers can use to send email that appears to come from you. The Protect Your Email and Reputation Toolbox provides you with information about DMARC, an email authentication and reporting protocol that lets you tell receiving mail servers how to handle messages that claim to come from your domain but fail authentication checks, and that reports back to you when it happens.
Too many efforts to fix cybersecurity problems are focused on symptoms, not root causes, which is a great way to go broke while chasing your tail. Understanding the essence of these issues will help you understand why specific recommendations are being made over others and can help you assess your options when faced with a seemingly endless series of choices presented by legions of indistinguishable vendors and cybersecurity celebrities. If you are trying to understand the issues related to cybersecurity, the aforementioned principles and concepts are a starting place. They are not all-encompassing, but they form a sound foundation upon which you can build a robust defense and guard against a range of threats.