“Doing security right has a lot less to do with having the right security tools in place… and a lot more to do with having the right culture,” says cybersecurity journalist Brian Krebs in a recent interview with The Doyle Report. “The best way to be secure is to assume you’re already compromised.”
Krebs, the reporter who broke the story on Target’s massive data breach, writes the investigative blog KrebsOnSecurity. In the course of that work, he tells Doyle, he often discovers that companies have been hacked before they do – or, at least, before they acknowledge the data loss in public. How? By trawling the Dark Web, where cybercriminals put stolen data up for sale.
So Krebs is aghast at the number of organizations in denial about their susceptibility to data breaches. The key to a strong defense against cyber attacks, he believes, is first accepting that your network has vulnerabilities and then nurturing a company culture that embraces “prevention, cure and openness,” with a heavy emphasis on education and training for staff members. Study after study demonstrates that human failures, not technology failures, are responsible for most breaches.
Speaking at a recent cybersecurity conference, Krebs offered seven points for business leaders seeking to fortify their organizations:
- Assume you are compromised
- Think beyond compliance to achieve true security
- Know your employees, even if it means monitoring their behavior
- Invest in two-factor authentication for partners and employees, especially on VPNs
- Hire and foster more cybersecurity talent (Blogger’s Note: This should apply inside and outside the boundaries of your firm – i.e., retain the support of a skilled Managed Services Provider.)
- Have regular fire drills to test your technology and, more importantly, your business processes
- When compromised, secure what you have instead of reflexively adding more of everything, which will increase your attack surface
Inspired by Krebs’ counsel, we searched for more tips on establishing a cybersecure culture. We found an article by Baseline magazine proclaiming five “deadly sins” that increase the risk of a data breach. Here’s a digest:
- Apathy – Poor password practices erode cyber-defenses. Baseline shares the results of a recent survey of IT professionals that highlights the worst password practices:
  - Sharing passwords with colleagues
  - Failing to change default passwords on mobile devices
  - Setting weak passwords – e.g., “12345”
- Greed – The IT pros surveyed believe allowing users to act as administrators of their own machines is the biggest threat, followed by the company not regulating applications on users' machines. Both issues can be addressed by a sound cybersecurity policy.
- Pride – To Krebs’ point, assuming your systems are unbreakable is delusional in today’s digital environment. Better to take a humble posture and apply every software patch, however small, to every device as soon as it is available.
- Ignorance – Audit systems and software as often as possible. Cybercrooks move at internet speed.
- Envy – Rushing into the cloud because the competition already is there? Pause and consider: