The Cost of Security: Changing The Way We Think

[00:00:42.190] – Jason

But don’t say that.

[00:00:42.900] – Steve

I know.

[00:00:43.890] – Jason

Let me fill in the gap after that.

[00:00:45.890] – Steve

I’ll just say it again.

[00:00:47.680] – Jason

Well, it’s too late now. Now we have to start from the beginning. We have to do this all over. [crosstalk 00:00:49]

[00:00:53.900] – Steve

The intro was fine.

[00:00:55.300] – Jason

Well, but now it’s not. I have to redo it.

[00:00:57.680] – Steve

Snip? Yes? No? Okay. I’m going to pick up where I left off.

[00:01:00.890] – Female

We can snip wherever we need to. So don’t worry if you make a mistake.

[00:01:05.400] – Steve

All right.

[00:01:05.400] – Female

Also, human. If you make a mistake too, this is conversational, so if you carried on, you’re like, “Well, that doesn’t make any sense,” let me… Honestly, we could have left that in there.

[00:01:14.670] – Jason

Right.

[00:01:15.100] – Steve

Oh, that’s right.

[00:01:15.590] – Female

So carry on however you’d like to… you see fit.

[00:01:21.910] – Jason

So I’ll just start from the beginning, and we’ll go from there because I prefer to. I didn’t like my beginning that much anyway.

[00:01:28.240] – Steve

I did. It was pretty good.

[00:01:28.640] – Female

Your beginning was fantastic.

[00:01:30.400] – Steve

No. That was good.

[00:01:31.620] – Female

Yeah.

[00:01:31.670] – Jason

Okay, so then we’ll grab the beginning and I’ll say… So Steve, let me quickly just throw it over to you as a starter. What is cybersecurity?

[00:01:40.360] – Steve

Cybersecurity as a basic level is really just the defense of your data, your reputation, and anything that you might consider IT resources against attack.

[00:01:51.860] – Jason

So I mean, essentially, just risk mitigation? So when I was thinking about this over the weekend, I’m a cyclist, and really, when I think about, do I want to go for a ride on the road? It’s all about risk mitigation, right? I put a blinker on, I ride backroads. Sure, I could get hit, but the reality is I’m safer having done those basic precautions than if I didn’t do them. Cybersecurity, I picture basically the same thing.

[00:02:20.460] – Steve

It’s true. I mean, certainly from an attack standpoint, you’re trying to avoid the car when you’re riding a bike. But I think that cybersecurity is a bit more actionable relative to things that I can do. The car, I can’t control. It might swerve toward me. But if I know where my data is, I can build a wall around it; I can protect it more appropriately than you might have out of something that you can’t anticipate.

[00:02:46.080] – Jason

So let’s talk a little bit about some of those things that you might deploy then that are fundamental. And when I say, “fundamental,” I’m really thinking every company can do them. The basic building blocks for security. We do a fair amount of incident response. I feel like we see the same security gaps over and over and over again. One thing that comes to mind immediately for me is basic vulnerability management or patch management.

[00:03:13.880] – Steve

Right. And I think everyone knows that you’re supposed to update your computer at home, your cell phone. The same is true of a company. And truth is that most of the issues we encounter to the lapse in practice to actually make that a reality. Make sure you deploy your patches. They’re meant to protect you. They’re almost certainly free from the provider of the software or the hardware. They’ll protect you. And if you do that as a minimum, you’ll be better off than most other organizations that are victims of attack.

[00:03:44.520] – Jason

So here’s what I would say when we think “anchor” for the why behind that, which is TV loves to deploy the attacker as that guy in the hoodie who’d be doing some incredibly sophisticated attack, target at your company because you have data that’s incredibly valuable. When in reality, attackers are focused on return on investment. It’s not that individual in a hoodie; it’s an organization that probably has management and workers, and they’ve executed attacks against a broad base.

[00:04:18.680] – Steve

Right. And they’re lazy. They really want to get the biggest outcome for the lowest investment of time. At the end of the day, the guy who walks down the street jiggling door knobs isn’t going to break into the house with a bunch of locks on the door. They’re going to go to the guy next door who has the backdoor left open.

[00:04:36.780] – Steve

It’s arguably an overused analogy, but it’s very true in cybersecurity and IT and everything else like it. If you avoid being an attractive target, they’ll move on because it’s not worth their time.

[00:04:47.990] – Jason

Right. And that deploying patches is akin to not locking your door. And I mean that they’re that easy to do, and they’re known vulnerabilities that anybody with the most basic of IT skills can actually compromise, right.

[00:05:01.500] – Steve

Right. I mean, attackers will go after the oldest vulnerabilities that exist because they tend to have tools built for them to be leveraged by a really unsophisticated attacker. The new stuff that comes out that’s a week old, those require really capable attackers in order to leverage.

[00:05:20.730] – Steve

There’s a short window between the disclosure of a flaw and it being weaponized, certainly. But if you stay abreast of patches and you monitor disclosures from manufacturers, you’re in a better place overall. I’d like to pivot a little bit to another fundamental control.

[00:05:37.860] – Steve

Everyone knows for 25 years that antivirus is an important tool to deploy at home and elsewhere. Unfortunately, it’s very common that the modern incarnations of that protective device, protective software, is not actually present. And there’s really no excuse for it. Servers are just as easy to protect against malware and unexpected threats as workstations. And frankly, there’s no reason not to deploy it there.

[00:06:10.190] – Jason

And pretty much, Windows certainly has a product built in, right?

[00:06:15.820] – Steve

Yeah.

[00:06:15.820] – Jason

So we’ve got patches that are free. Generally speaking, you have basic antivirus, which is going to be free. I’d jump again and talk a little bit about security awareness and training of staff. Sure, you can buy software products that might have some fancy video awareness, et cetera. Arguably, you can train staff around common information security threats for a really low cost, if not free.

[00:06:45.480] – Jason

They’re your first round of defense in any attack. You want a staff that understands what the risk to unsolicited email, phishing, might be. You want to understand what some of the financial attacks are. There’s really commonplace attacks that have great yield for the attackers that you can train your staff on reasonably easily.

[00:07:05.290] – Steve

And an educated, vigilant workforce really transcends the work environment, too. You want them to be thinking in the same way at home. Because the odds are pretty good that some of those employees may have passwords that are common between home and work. And the truth is educating them about that risk helps them to protect their personal information as well as the corporate environment.

[00:07:24.680] – Jason

So I think we’ve talked about three things so far. Basically, I think you can make an argument that none of them cost any money. The fourth one that I think is probably as important as some of the others, if not the most important, is really performing good backups.

[00:07:42.460] – Jason

You have ransomware, which we talk about in a different episode, is a really common threat designed to target people’s data encrypting it, making it unusable. If you’ve got backups, you can recover from those. If you’ve got backups, the company’s data, your life blood, is protected.

[00:08:04.620] – Jason

It doesn’t have to be a fancy implementation. You can backdate it up to a USB drive. Clearly, there are more sophisticated and arguably better mechanisms for that, but there really is no excuse for not having some sort of backup for critical data.

[00:08:18.540] – Steve

Right. And the dividing line between an expensive, costly incident and a short lived, easily managed incident is really good backup data. If you can restore from scratch and get your data back unmolested, you’re really in a better position than you would be otherwise. If you have to rebuild and recreate data that’s lost because it’s no longer accessible, your business will not function for an extended period of time.

[00:08:43.720] – Jason

So one of the questions that we get or maybe comments that we get regularly is, “My business, or maybe my home computer, whatever it is, has no data that’s of value. And so no attacker is actually going to care about me.”

[00:08:59.820] – Jason

I think I would offer a counterpoint which is, it’s not always about the data. It’s not whether you’re a Department of Defense supplier that has confidential data or classified data, it’s is there a way to bring your business to a halt and force you or extort you to pay money?

[00:09:18.500] – Jason

And that is a big piece of the attackers’ business lately. Make yourself less of a target of opportunity, don’t provide a good base as an attack, and you’ll be better protected. And you can do that with some of these basic fundamentals. And this is just a few. There’s other tools that you likely have already within infrastructure you’ve purchased to make yourself more secure.

[00:09:41.630] – Steve

Right. And certainly more organizational preparedness is important, too: cyber liability insurance policies, sound policies that govern employee behavior, or at least set expectations for working with sensitive data or equipment, or you name it. Those are the things that help to lay the groundwork for a reasonable security program overall. And they don’t need to be complicated. In fact, the simpler, the better, because if they’re understandable and consumable, you’ll have a better outcome.

[00:10:11.440] – Jason

One of the things you and I, I feel like, have talked about more than once is the idea that cybersecurity, information security can be simple. It doesn’t have to be complicated. And like everything, I think there’s a spectrum. And most organizations would benefit, really, by maturing their patch management practices and their vulnerability management practices by training staff.

[00:10:33.520] – Jason

There’s a variety of ways to do both of those. There’s manual, you know, “Let’s just run a patch manually,” or automated systems. So you can really address that in a variety of ways.

[00:10:44.120] – Jason

But we call them fundamental for a reason. And there are a handful of those controls or those technologies that you really need to implement to be secure. And they serve as the building blocks. They served as the underpinnings. If you do them, you’ll position yourself better than probably most of the organizations in maybe in your vicinity, whatever vicinity means, critically to do.

[00:11:08.440] – Jason

So I think to summarize what we’ve been talking about, the idea of security fundamentals really is that there’s basic technologies or maybe policies or training that you need to implement to get what we would consider to be the underpinnings or basic elements of a security program.

[00:11:26.890] – Jason

Clearly, you can get more mature over time as your program develops. There’s better technologies to address each of the things we discussed about today. And there’s certainly what I think we’d say “additional” components or qualities of a security program that we just haven’t discussed.

[00:11:42.150] – Jason

So if you’re interested in hearing more about the idea of security fundamentals, implementing those things that you can do to improve the security of your business, feel free to reach out to us at Vancord Security at Twitter. And we’re happy to address any of these topics in more depth, or address new topics if you have specific interest.

[00:12:00.810] – Narrator

Stay vigilant. Stay resilient. This has been CyberSound.