Security Hygiene – The easy stuff we don’t do

Cybersecurity is a complex topic. It crosses all industries and affects everyone. Even in academia, cybersecurity is a multidisciplinary program. We, as “security people” spend a lot of time focusing on the next threats…on the next big risk areas…on securing the next big IT “thing”… We respond to the latest threats you hear about on the news…We write blogs about advanced security topics…

But here’s a shocking truth…

The reality of the current threat landscape is that the hackers (a.k.a. bad guys) aren’t using sophisticated means to compromise our data! They’re getting in through the simple mistakes that everyone has the ability to prevent! Even the NSA has said that it doesn’t need sophisticated attacks; it just needs to wait for someone to make a mistake.

I talk about this notion of “security hygiene” a lot in my talks. Security hygiene is the stuff that everyone should be doing! It’s the simple stuff we take for granted. What follows is my top-5 areas of security hygiene that I tell all my clients and show in every presentation I make:

  • Know what’s important. Identify your critical data. Is it ePHI? Contracts? Legal documents? Whatever it is, you need to classify that data as specifically important. And remember, if everything is important, nothing is important.
  • Know where it is. Where is your data? On a cloud service (e.g. a cloud drive service)? In your email? Who has access to your email? What about your partner organizations? If you can’t find your important data, how can you protect it?
  • Run your updates. This seems SO SIMPLE, yet it also seems so unattainable for some. You need to routinely run your operating system updates AND your software updates! A lot of malware exploits vulnerabilities in your browser or in plugins like Flash Player; it’s important to keep those updated at all times.
  • Run AntiMalware/AntiVirus. These programs will NOT stop everything! However, a good anti-malware program will prevent common malware from infecting your systems. For extra points, look for a managed anti-malware solution (we have that too!).
  • Education. Spending time on awareness training, on blogs, and on reading about security is critically important for you and your organization. The only way you can stop someone from clicking a malicious link is to show them what one looks like (and what to do when they inevitably click it).
  • Endpoint Security. Okay, this is #6 in a top-5 list, but it’s too important not to add. Almost every software vendor publishes best practices for securing their software (e.g. Windows, Mac OS, Office, etc…). There are also other great resources, like the CIS Benchmarks and the DISA STIGs, that go into even more detail. Find someone who knows how to implement those standards, and do it! If your IT service provider doesn’t know what that means, call us and we’ll explain it to them…
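To make the endpoint-hardening item concrete, here is an added example (not part of the original post and not GoldSky tooling) of what “implementing a benchmark” looks like in practice: a small POSIX shell audit that reads an OpenSSH `sshd_config` and compares a handful of settings against the hardened values the Linux CIS Benchmarks call for (root login disabled, empty passwords disabled, X11 forwarding disabled, at most four authentication attempts). The two config files are constructed for the example; the check list is illustrative, not the full benchmark, and the “default” values are OpenSSH’s own documented defaults for when a keyword is absent.

```shell
#!/bin/sh
# Added example: audit an sshd_config against a few CIS-Benchmark-style items.
# Not from the original post; the sample configs below are constructed.

# sshd_value FILE KEY: print the effective value of KEY in FILE, lower-cased.
# sshd uses the first occurrence of a keyword; commented lines are ignored.
# Prints nothing when the keyword is absent (the OpenSSH default then applies).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE: print one FAIL line per settting that misses the
# hardened value; the return code is the number of failed checks.
check_sshd_config() {
    file="$1"
    fails=0
    # Each spec is KEY:WANTED:OPENSSH_DEFAULT (default used if KEY is absent).
    for spec in \
        "PermitRootLogin:no:prohibit-password" \
        "PermitEmptyPasswords:no:no" \
        "X11Forwarding:no:no"; do
        key=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        actual=$(sshd_value "$file" "$key")
        if [ -z "$actual" ]; then
            actual="$default"
        fi
        if [ "$actual" != "$want" ]; then
            echo "FAIL $key is '$actual' (want '$want')"
            fails=$((fails + 1))
        fi
    done
    # MaxAuthTries is numeric: the benchmark wants 4 or fewer; OpenSSH defaults to 6.
    tries=$(sshd_value "$file" MaxAuthTries)
    if [ -z "$tries" ]; then
        tries=6
    fi
    if [ "$tries" -gt 4 ]; then
        echo "FAIL MaxAuthTries is $tries (want 4 or fewer)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: a config with typical out-of-the-box weaknesses.
weak_sshd_config() {
    cat <<'EOF'
# constructed example, not a real host
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
EOF
}

# Constructed sample: the same file after the benchmark items are applied.
hardened_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
EOF
}

# Usage: run the audit over the weak sample. To audit a real host, pass
# /etc/ssh/sshd_config instead of the temp file.
tmp=$(mktemp)
weak_sshd_config > "$tmp"
if check_sshd_config "$tmp"; then
    echo "PASS: all checks met"
else
    echo "$? check(s) failed"
fi
rm -f "$tmp"
```

The weak sample fails three of the four checks (the commented-out `PermitEmptyPasswords` line falls back to OpenSSH’s default of `no`, so it passes), and the hardened sample passes all of them. The point is the shape of the work: a benchmark is a list of checks like these, each with a specific setting, an expected value, and a way to verify it, and “implementing the standard” means running such checks routinely, not once.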

These may seem like simple things, and they are! The fact is, most organizations (from one employee to 100,000) fail to do them correctly, completely, or routinely. Small and mid-sized businesses have the ability to run world-class security programs with a fraction of the investment a larger company would make. The key is planning, building a security culture, and starting with simple security hygiene.

Let GoldSky help you get there!