Less Independence Day, more Groundhog Day: Building a good cyber defense routine
By Tony Sager, Senior Vice President and Chief Evangelist
Although it may seem fast-paced and glamorous, the cyber threat landscape is actually more populated with simple, garden-variety attacks than sophisticated and exotic techniques. With free tools and kits, it’s become easier than ever to engage in phishing, cross-site scripting, and other malicious activities. When we imagine all cybercriminals as masterminds using bleeding-edge tools, we often take the wrong approach by focusing on rare threats and unlikely circumstances. By shifting our perspective from the Hollywood-induced imagery of Hackers and Mr. Robot, we can begin to see that effective cybersecurity is more about building good habits, practices, and routines – a la Groundhog Day – than having the latest, most advanced defense tools and services. So, what does a good cybersecurity routine look like?
Getting started
First, take a look at your organization’s technical environment. Do you know how many devices the organization is responsible for? What about BYOD (Bring Your Own Device) cell phones, printers, and other network devices?
This most basic question – What do I own? – is exactly where the CIS Controls start. The CIS Controls are a prioritized list of 20 best practices to help any organization improve its cyber defenses. The CIS Controls are developed by a volunteer community of cybersecurity and subject matter experts and derived from knowledge about actual cyber-attack patterns and methods. From CIS Control 1, which encourages developing an inventory of hardware, the CIS Controls tackle major security concerns such as configuration management, boundary defense, application software security, and more. Depending on the size of the organization and the complexity of its network, successfully implementing all 20 CIS Controls can take over a year – however, implementing just the first five can dramatically improve any organization’s security posture.
No matter which cybersecurity framework or set of recommendations you choose to implement, you’ll want to be sure it includes concepts like limiting the use of administrative privileges, regularly updating (patching) software, and incident response management. Keep in mind that maintaining a cybersecurity posture is a routine – that is, something that must be tended to regularly in order to retain its effectiveness.
A group effort
Implementing a cybersecurity routine is a group effort that typically requires buy-in from across the organization. Consider that first question again: What are the devices my organization is responsible for? In order to create an inventory of devices, you’ll need to work across departments to create a record of computers, phones, and any other technical devices like routers or network switches. New policies may also need to be implemented, such as checking out devices from IT in order to maintain a record of device ownership. This is where getting executive buy-in can really help the process. Not every policy which helps improve your organization’s cybersecurity will be popular – for example, properly implementing CIS Control 2 prevents most employees from installing unknown or unauthorized software onto their machines. However, these policies and processes will be important for safeguarding the entire organization’s network and data.
Check out the CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises
Planning for the future
As you begin to implement new cybersecurity procedures, tools, and processes, consider your organization’s growth. Will the solutions you are implementing today still work tomorrow? Let’s return to CIS Control 1: Inventory of Authorized and Unauthorized Devices. For very small companies, implementing this CIS Control might be as simple as counting technical devices and maintaining a spreadsheet. For larger companies, asset management tools and automated solutions may be necessary.
In addition to scaling for your organization’s size, you’ll want to consider the way people conduct work. Is it remotely, via laptops or VMs? Do some users need specialized software? These sorts of questions will help determine which specific tools, policies, and procedures can help your organization meet its cyber defense goals and establish effective cybersecurity routines.
Less rocket science, more routine maintenance
In conclusion, success lies in ignoring the razzle-dazzle of Hollywood cyber drama and keeping your eye on the day-to-day work that yields real results. And, like any good movie, your cyber story can have a real hero – and a happy ending – if you focus your energies and organization on routine best practices like the CIS Controls.