I’m sure you’re familiar with the phrase “there’s a first time for everything!” Well, I can think of at least 300 different things I never want to have a first for, like:
1. Crash a canoe on the Cahulawassee River. (You’ve seen the movie ‘Deliverance’, right?)
2. Walk barefoot uphill both ways (as my Grandparents had to).
3. Manage former President Trump's Twitter feed.
4. Check my bank account using open Wi-Fi in North Korea.
5. I’ll stop there…
I recently added several things to my list of ‘never want to’ at the Security IT Roundtable we hosted for C-Level executives last week. Learning that YouTube can walk anyone through tactics for malware distribution made me just about quit using the internet.
According to av-test.org, there are over 450,000 new malicious programs every day. Now add that to the 40,700 search results on how to spread malware and you’ve got yourself an eventful weekend in mom’s basement.* To be fair, not all hackers are looking to ruin your life, some are just interested in the practical joke side of things.
*Only unethical hackers live in their mom’s basement
To make my skin crawl just a little bit more, one of the presenters at our Security Roundtable event showed the group a real-time demonstration of how he could control Wi-Fi traffic using a specific, readily available (unfortunately) hacking device. The takeaway here is that the tools exist to capture any information you send across a public or open Wi-Fi network.
Some may think, “No big deal, I don’t use public Wi-Fi.” It’s not just open Wi-Fi – any device that connects to these unsecured networks and then re-enters your business could be carrying malware right in the front door.
What does this mean when you are traveling or frequenting your favorite coffee shops with your business device? Should we be nervously checking for Mr. Robot sitting in the corner? Unfortunately, no single magic formula exists for cybersecurity. The best defense an organization can implement to stop malicious attacks is a cybersecurity business plan with multi-layered protection that fits their specific organization. One size does not fit all.
Here are five steps to take when developing your cybersecurity business plan:
1. The conversation starts with your IT team
Company management and IT should be engaging in discussions about cybersecurity strategy and what is being done to protect their company. Targeted questions are key, but think interview vs. interrogation. Both involve questions and seeking clarity but there’s a difference in motive. Interviews get people to open up so learning happens. Interrogations assume blame and put people on the defensive.
If you’re the manager asking questions, set the stage by being candid about the importance of the IT staff’s role in keeping the company safe and your desire to understand what is being done. This approach will uncover ways that you can work together to make your IT security better. If you’re on the IT side, this is a great time to let management know all that you are doing to protect the company’s interests.
Here’s a great set of Security Conversation Starters CCB has put together to help our customers have those deeper discussions. Ambiguity will fuel annoyance and insecurity, so clearly state your intent and objectives to disarm conversational landmines. Frame the questions specifically around the information needed and be prepared to share and listen sincerely.
2. Hire an intimidating bouncer and a flexible bodyguard
I’m not talking earpieces, overcompensating muscles and extra small shirts. I’m talking about firewalls, anti-virus, and anti-malware/spyware on all computers: security at the front entrance and protection wherever you go. If you aren’t sure how things are going in this area, I strongly encourage you to go back to step #1 and revisit that conversation.
You can’t build a secure line of defense if you don’t have current technology that’s properly configured to fit your organizational needs. That means exploring everything from cloud-based firewalls to artificial intelligence solutions that alert you when malware has mutated and become active. Once you’ve protected these points, you can begin looking at where your organization is most vulnerable and create a plan for everything in between. Which brings us to step #3 of our cybersecurity business plan…
3. Assume the worst-case scenario and work backwards
I’ve heard that up to 60% of small businesses that experience a data breach will close within six months! Understanding where your company is susceptible is important, because lack of action can be devastating. So let’s get the juices flowing with a few things that you hope never actually happen in your business:
- Accounting receives a realistic-looking email from the CEO asking for $165,000 to be transferred to an account ASAP
- A sales rep returns from a business trip with a countdown on his laptop and a demand for $50,000
- An employee on lunch, excited about a dream vacation, clicks on an email link for a free cruise to the Bahamas that comes with a side of malware
One tool that would help in the last scenario is one our IT department uses at CCB – a KnowBe4 pop-up that makes you re-think before proceeding with a link. Below is a screenshot of what came up when I was pulling up the malware video on YouTube. (I sent this to one of our IT guys in a Teams message with no context to be funny… I don’t recommend doing that.)
After fleshing out the scenarios you decide to use, ask these questions:
1. What would need to be true in order to prevent this from happening in our company?
2. Are we prepared if this were to happen to us? If not, what needs to change?
Sometimes knowing where to go next is a challenge for companies, which is why CCB developed our free Security Health Check. It’s not an assessment of your environment, but it is a comprehensive first discussion. In just 30 minutes it can reveal areas that need addressing along with possible solutions you may not be utilizing. Contact us to set up your free security health check.
4. Think like a pirate, not a pioneer
Don’t follow the analogy too far and miss my relatively simple point: You don’t need to blaze a new trail for your cybersecurity business plan if you can find what’s working and take it for yourself.
- Talk to similarly positioned people in your industry and ask them what cybersecurity strategies have worked or not worked for their IT security.
- Attend security-focused events, where you can ask questions, openly discuss concerns, and see solutions in action.
- Listen to industry-related podcasts or engage on forums to find out what’s working and what to avoid.
Finding multiple ways to stay connected to the industry is important because the security landscape is continually changing, and you need to be well informed.
5. Train, test, then repeat
The Leaky Bucket Principle applies here. Whatever IT trains us on or implements internally will slowly leak out of our head as more information is poured in. It’s not intentional on anyone’s part but it happens, so our IT team tests our employees periodically by sending out phishing emails to see how we respond. Then if needed, they gently repeat what they’ve already explained and test us again.
Do your users know:
- If the wording in an email seems off, to double-check the address from the sender?
- To hover over links before clicking?
- If they don’t know the sender, it’s best to assume the attachment will ruin their life upon opening?!
- Using MiFi for travel will help them avoid hotel and coffee shop Wi-Fi?
Be sure that end user security training and testing are part of your cybersecurity business plan to secure your environment.
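The first two checks in that list (does the sender’s address match what the display name claims, and does a link really go where its text says) can also be done automatically on the mail server or in a security team’s triage tooling, which is a useful backstop for the days when training has leaked out of everyone’s head. The following is an added example written for this post, not CCB’s or KnowBe4’s code; the sample message, its domains and its links are constructed placeholders, and the checks are deliberately simple heuristics rather than a complete phishing detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo (placeholder domains, not real mail).
# The display name pretends to be an internal address while the real sender
# is elsewhere, and the first link's visible text does not match its href.
SAMPLE_EMAIL = """\
From: "ap@example-corp.com" <billing@mail.example-lookalike.net>
To: staff@example-corp.com
Subject: Invoice overdue
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the invoice at
<a href="https://login.example-lookalike.net/inv">https://portal.example-corp.com/invoice</a></p>
<p>Questions? See <a href="https://support.example-corp.com">our support page</a>.</p>
</body></html>
"""

# Matches anchor text that looks like a URL or bare hostname, capturing the host.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def from_header_findings(from_header: str) -> dict:
    """Compare the identity the display name claims with the real sender domain."""
    name, address = parseaddr(from_header)
    address_domain = domain_of(address)
    # A display name that itself contains an address claims an identity; if that
    # identity's domain differs from the actual address, flag it.
    match = re.search(r"[\w.+-]+@([\w.-]+)", name)
    name_domain = match.group(1).lower() if match else ""
    return {
        "display_name": name,
        "address": address,
        "display_name_domain": name_domain,
        "address_domain": address_domain,
        "from_mismatch": bool(name_domain) and name_domain != address_domain,
    }


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def link_mismatches(html: str) -> list:
    """Return (shown_host, actual_host) for links whose text names a different host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    found = []
    for text, href in parser.anchors:
        match = URL_LIKE.match(text)
        if not match:
            continue  # plain-language link text makes no claim we can compare
        shown_host = match.group(1).lower()
        actual_host = (urlparse(href).hostname or "").lower()
        if shown_host != actual_host:
            found.append((shown_host, actual_host))
    return found


def analyze(raw_message: str) -> dict:
    """Run both checks over a raw RFC 5322 message with a single HTML part."""
    msg = message_from_string(raw_message)
    findings = from_header_findings(msg.get("From", ""))
    findings["link_mismatches"] = link_mismatches(msg.get_payload())
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as-is it reports that the display name claims `example-corp.com` while the real sender is `mail.example-lookalike.net`, and that the first link shows one host but points at another; the plain-English “our support page” link is correctly left alone because its text makes no claim to check. The same two functions can be pointed at real messages pulled from a mailbox or quarantine, and a hit on either check is a good reason to hold the message or add a banner before a user ever gets to the “hover over the link” step.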
Want more help learning about security solutions?
CCB has a team of experienced engineers who enjoy working alongside organizations and customizing business security solutions. Whether you’ve got 30 locations or one part-time IT person, we can help. (And don’t forget to request your Security Health Check.)