By Bernardo Ramos, IT security expert
Protect only what is needed, judged by:
- Its value
- Its replacement or repair cost
The current situation: The truth is painful. The starting point for cybersecurity in at least 90% of cases is summarized as follows:
- You are spending too much money
- You are not well protected
Being well protected does not mean being 100% protected. It is impossible to protect everything 100%. Protection is inversely proportional to the inconvenience it causes to your employees, collaborators and customers. With a few exceptions, you do not have a clear idea of the actual level of protection of your company or entity.
Your situation is most probably one of these:
- The unaware, who trust their luck and often get away with it: Most SMEs and freelancers care little or not at all about computer security. Their main concern with computing is to find a system that suits their needs and works. Security takes a back seat, or does not exist at all, until there is an incident. In most cases, the incident that brings security to the foreground is a virus infection that destroys computer systems or leaves them unavailable, or a breakdown that destroys information that is lost because no recent and tested backup was made. On many occasions the incident never arrives, or takes a long time to arrive, which creates a false sense of security. This is very comfortable, because you do not need to take care of security, and also very cheap, until the incident arrives. This situation is typical of companies or entities that do not have in-house IT staff.
- Those who do the minimum, not enough and probably too much: This is the case for most companies or entities, large or small, which are not subject to security obligations for regulatory reasons and have never suffered a major security incident. In these entities, computer security is a concern, and not the most important one, only for those responsible for IT. It is common for all PCs of the entity to follow the same model, have antivirus and receive their security updates periodically. Servers are usually installed using the latest available versions, but are not always updated promptly after the first installation. There are usually no systematic procedures for restarting all servers, or at least the most important ones; some servers can go years without rebooting. The main passwords for systems are usually relatively safe, but many of the intermediate elements (database manager, etc.) may have simple passwords or even the default password. Passwords may be written in insufficiently protected documents. There are no control mechanisms that rigorously guarantee that the security rules are applied. Outside IT, information security is not a matter of concern, nor is it addressed in business meetings.
- Those who do too much, and not enough: Here we find companies or entities that, in the matter of cybersecurity, do what is "politically correct", driven by regulatory reasons or by a bad experience: entities that have regulatory obligations regarding information security (banks, insurers, operators of vital infrastructures, sensitive public administrations) and entities that have experienced a security incident that management perceived as significant. The security measures are often the right ones, but they are applied indiscriminately, or at least not very selectively. The consequence is twofold: excess spending on cybersecurity, and limitations on the ease of use of information technology that are not always justified. With an additional unpleasant corollary: when protection measures are applied non-selectively, it is often the case that the most sensitive assets are insufficiently protected.
What does it mean to protect?
The three criteria:
- Availability: Ensure that your systems and information are available for use and access at the time you need them. How to protect yourself: fault recovery procedures, duplicate systems, and contingency plans to ensure the operation of the company or entity in case of computer failure.
- Integrity: Make sure your information is not lost or destroyed. How to protect yourself: make backups periodically, and test restoration from backups at least once a year.
- Confidentiality: Ensure that the part of your information whose disclosure would harm your business remains protected and accessible only to authorized persons. How to protect yourself: identify sensitive information and protect it through passwords, encryption or advanced protection systems.
Realism versus too much theory: 100% protection is not possible. More security means less usability. A balance appropriate to the characteristics of the company or entity should be the goal.
The ideal situation, do the right thing:
- First, a risk analysis: Begin with a simple empirical analysis; avoid overly formal and heavy methods at the beginning. It is performed by the executives responsible for the management of the company or entity, constituted as a "RISK COMMITTEE", which must identify two things: the assets that are truly important to the company, and the threats to those assets. Being accompanied by an expert consultant can help, but watch out! Avoid involving too many industry experts until your organization is mature enough.
- Second, define the response according to the risks: Let the experts (a "SUPPORT TEAM") propose the responses: your IT staff, if you have them, and the person most responsible for the operations of the company or entity. Validate the responses in a cybersecurity committee composed of the same people who did the risk analysis.
- Third, periodically review the situation and correct the response to make it more appropriate: Base the review on a scorecard with indicators that answer three questions (which I will develop in another article): Are the security rules defined? Are the defined security rules adequate? What has been the reality? An annual meeting of the "RISK COMMITTEE", with prior work by a support team on the basis of the indicators, should be sufficient. The support team could be the same one that defined the proposed response to the risks. As you repeat the process, you will acquire a maturity that will allow you to use more expert consultants and implement a more formal and structured organization, whenever the characteristics of your company or entity require it.
And then what to do?
- Define the protection needs in the matter of cybersecurity based on criteria of guaranteeing the operation of the company or entity, with the involvement of the managers responsible for the business or activity.
- Start slowly and selectively.
- Ensure that the cost of cybersecurity is justified.
- Establish a cyclical process to improve progressively.
- Rely on expert partners who help you define the process but who do not sell you solutions.
Avoid those who are judge and jury.