I believe that technology is too mission critical for business success to leave it strictly in the hands of the IT department. Even a little information can make you surprisingly more competent and work you quickly towards making you successful as a technical leader.
Once the basic principles were understood by both my students and clients, 80% of what was left to learn was intuitive. I then focused training on the remaining 20% (which was much more interesting).
In the years that followed, I have become a proponent of building a foundation on the basic principles for everyone. With the basics, you will have the ability to talk with cyber security experts. You will also be able to recognize who is competent and trustworthy and who needs to go back to school.
In this article, there will be some basic definitions that everyone will benefit from understanding, starting with the concept of security.
Security – freedom from risk or danger
Security is not a black and white concept. An example of a black and white concept is a light switch: the light is either on or off. In security, it is understood that there is always some risk of danger. Unlike a light switch that is either 100% ON or 100% OFF, security is measured in degrees of risk. When discussing a security risk, it is impossible to be 100% risk free.
For example: There is always a risk that the moon might fall out of the sky and hit the earth, but it's not likely. Then again, it's not impossible either. It is possible that an asteroid large enough to knock the moon out of its orbit might hit it and push it into a new orbit. It is also possible the new orbit could be one where the moon and the earth collide. It's possible. Yet, it's very unlikely to happen. This leads to the concept of security assurances.
Security Assurances – defines the risk, using quantifiable security metrics
These metrics will include the level of guaranteed risk mitigation.
Your security team and systems can't protect your business 100% from all risks. Nor can a team guarantee 100% success on any given risk. We call this reliability, and we measure reliability in 9s: a single 9 means 90% successful, two 9s means 99% successful, three 9s means 99.9% successful, and so on. With each additional 9, the cost of that security assurance goes up.
There are several types of security assurances. Some can be executed before the actual risk materializes, some during, and some after. Because no assurance is 100%, security analysts plan mitigations for all three phases: before, during and after.
Cyber Security risk mitigation principles include:
Cyber security refers to the security assurances associated with protecting stored data. These are the first security mitigation principles. At any level, these are core principles that come back again and again.
As a business leader, if these principles are not part of the initial discussion, you might ask yourself why not. Sometimes they are not brought up because the expert thinks you would not understand. Sometimes it is because the expert doesn't understand them.
Cyber Security Dilemma
As systems become more secure, it becomes more difficult for the employee or customer to access the data. The more difficult it is to access the data, the less productive the employee or customer is when using the secured systems. On the other hand, the less secure the data, the more likely it will be corrupted or stolen by employees, customers or an external hacker.
The cyber security dilemma requires a risk analysis. We know that to be profitable, a certain amount of risk will exist. The business must define for itself its level of risk tolerance. This risk tolerance should not be defined by the technical expert. Experts will make recommendations, but ultimately your business will pay the costs and experience the consequences, not the security expert. The higher the risk tolerance, the more must be spent on assurances during and after a risk is exploited.
History of Counter Measures
Traditional security models depend heavily on password protection. An example of password protection is when an employee is assigned a system User ID and private password. The problem is that the User ID is usually public or easy to guess. Passwords are a little more difficult but there are many strategies for capturing passwords. Password protection is the key to securing a private or public network.
To protect passwords there are several strategies to make it harder:
As the problem becomes bigger, password protection becomes more complex. With each level of complexity, the user is required to do more to protect the password. The key to breaking into a traditional security system is always to compromise the user name and password.
Modern Counter Measures
Modern cyber-security uses technology counter measures to remove the human factor as the single vulnerability. While user names and passwords are still a factor, they are no longer the single determining factor for access to data and network resources. In this way, even if a password is compromised, access to the system is not assured. If the system is accessed, there are ways to quickly and automatically identify the intrusion and limit or remove access.
Traditional security systems are decentralized, making them difficult to manage. Modern security tools allow centralized management of all the disparate security platforms. This enables planning, monitoring and identification of security system exploits.
These types of counter measures include, but are not limited to:
What this means for the organization is that even if a user is compromised, the system is better protected. The challenge is to secure a system without locking out the people who need access to the data to do their job, while at the same time recognizing security risks without bothering the users.
There is a joke about two guys in the woods. A bear in the distance sees the two men and begins running toward them. The first man kneels to put on tennis shoes and tighten his shoe laces.
The second man says,
“Do you think you’ll be able to outrun that bear?”
The first man says,
“I don’t have to outrun the bear, I only have to outrun you.”
This is a strong analogy of modern security problems. Today’s hackers are like the bear. Modern tools give you faster tennis shoes. As more businesses use the tools, those that don’t will fall behind and will have to deal with more than just running away from the bear.
In summary of our Cyber Security 101 introduction
There is a saying in the hacking world.
There are two types of organizations. The first are those that know they can be, and may already have been, hacked. The second are organizations that don't think they've been hacked but have.
Business leaders need to be realistic, understand the risk and focus on appropriate risk mitigation. This sounds similar to what business leaders do every day in other areas of the operation.
The biggest risk we've found is that too often a business team hopes it is flying under the radar and will not be a victim. It is a simple reality that any lock can be picked and any safe can be cracked. Likewise, every system can be hacked.
As with the story of the bear, you can make your systems more difficult to hack than a competitor's. Hacking technology has changed and is much more effective than it used to be. In many industries, the information is far more valuable in the darker parts of the web than most owners realize. Don't fall for the myth that you are too small to be interesting to a hacker.
With modern solutions, you can get ahead of the risk and take control.
Check out our article on the value of your records to hackers to learn more about the street value of your company information.
We can also share a report of these and other tools that you can use to protect and secure your systems. Contact us for a list, feature comparisons or even a demo.