
It’s not much of a stretch these days to say that technology is becoming essential to our daily lives. We trust so much to our technology, from our bank accounts and financial statements to sensitive medical records and even (potentially) embarrassing personal information.

We have complex interactions with non-human entities in which we share information we probably wouldn’t be comfortable sharing with friends and family. When you step back and think about it, it really is remarkable how much we trust these systems.

The vast majority of what we do online is reasonably safe. Most of the time, when we go on Amazon to order something, we don’t give it a second thought. But, how should small organizations or individuals think about securing sensitive information assets they control?

What does security mean to them from the perspective of protection and production?

As a consultant for a variety of organizations looking to minimize their risks, I have seen a major shift in the past few years when it comes to creating a security posture. Just the other day, I sat in the office of a client who was infected with a particularly nasty virus that led to significant downtime (which, of course, leads to lost productivity), as well as major expenses they had to incur in order to recover data that was destroyed in the process.

And it wasn’t like this client didn’t have security products in place. Their network was firewalled, they had a managed antivirus product in place, spam filtering on their email, and a number of other tools that I would recommend for practically anyone who has important technology systems in place.

While the tone of the meeting was friendly, there was also confusion. With all of these tools in place, how could a user's PC still be infected by this damaging virus?

Shouldn’t their Antivirus have prevented this from happening? Why would they have to worry about what’s coming into their email if they have spam filtering in place?

This is where we have to take a step back and think about what security really means. This client had their systems analyzed for security vulnerabilities a few years ago, and several actions were taken that closed system loopholes and also resulted in upgrades to their security tools. But the conversation needed to shift towards policies and behaviors.

This is a small company, and the culture is very friendly. Certainly they have rules but at the same time, they don’t hover over their staff and micromanage their day-to-day work.

When we discovered that the actual infection took place because a user opened an attachment that was malicious and made it through the spam filter, our client learned the most important principle I believe exists when it comes to managing security for technology: security has to be considered an ongoing discipline, and end users can’t rely solely on tools to protect them.

Behaviors and policies matter. So when I work with my clients on developing a security posture in 2016, my vision has expanded outside of just the technology to include the way our clients work and the education they have of what is and is not risky behavior.

I think when the headlines talk about Target’s breach or OPM’s hack, people feel as if the risk is someone stealing their things and that they don’t necessarily consider that real security requires them to be mindful of the way they work.

Let’s go back to my client and their virus and use an analogy. Certainly most people would agree that getting a vaccination (anti-virus) should help you avoid the flu (viruses)…but it doesn’t always work. And if you got a vaccination, you should still avoid shaking hands with someone who is sneezing constantly (opening up questionable email attachments), right?

My point is that everyone needs to rethink what it really means to be secure. True security requires both strong security tools to protect yourself from the myriad threats out there, as well as a strong program of training, acceptable use rules, incident response management and general mindfulness of the behaviors we engage in when using our technology.


About the Author: Ben Schmerler is a vCIO Consultant at Choice Technologies, Inc., one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow Choice Technologies’ updates on LinkedIn or their website: www.choicetech.com.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Bon Baughn

    Great post. You have hit the nail on the head. And to take it one step further, we infosec professionals can lead by example. For me, it means shifting the paradigm whereby I no longer include links or attachments in my email messages. The reader is directed to a web site (as in googledotcom or googlecom) or an internal drive share (go to the Recipes folder on the corp share drive and look at the “Ways to Pickle Eggs” spreadsheet). Of course, SharePoint is always nice, too.