Information security -- Pursue simple, get fancy later
If you have followed my past articles, you will know that I am a bit fanatical about focusing on the fundamentals of information security. I see too many organizations throw money at the latest technology designed to make them more secure, so they can ignore the day-to-day details.
I listen to a number of podcasts each week, with marketing talks among them. Recently, I was listening to a podcast by well-known digital marketing guru Amy Porterfield, when she used a quote about focusing on the basics in marketing – pursue simple, get fancy later. I hope nobody was around when I heard it, because I think I made a loud, audible sound in reaction. I think this phrase, more than any other, sums up my sentiments about the proper approach to information security.
I have worked with a variety of organizations, both large and small. I am still waiting to arrive at one that I consider a success in addressing the fundamentals of information security properly. And yet, many are willing to purchase expensive products, hoping that they will solve their problems while left on auto-pilot.
The firewall is a good, basic example. Installing a good firewall (as opposed to one of the cheap, consumer-grade models) will certainly enhance an organization’s information security out of the box. That being said, the improvement will not be dramatic without some attention to the proper settings, keeping the firmware current, and reviewing the logs.
The issue of putting fancy first gets worse as the organization gets larger. There is much buzz in the industry today about threat intelligence. I would give you a formal definition, but the industry has not decided exactly what it is yet (for more on my threat intelligence perspective, see Threat intelligence -- making it useful from the enterprise to the small business). The general idea is to keep track of what security threats others are experiencing, so you know what to look for yourself.
Norse Corp in California is a provider of threat intelligence information. They are known for their threat map, a color-coded drawing of the globe showing security incident hot spots at any given moment. By all accounts, they tell many customers what threats to be on the lookout for.
The validity of their product was recently called into question in an article penned by industry expert Brian Krebs. The company also experienced significant layoffs, fired their CEO, and was offline for a number of days. Norse Corp has attempted to refute many of Krebs's findings, so the jury is still out on what exactly went on. That being said, it is clear that a number of customers spent large sums of money for a product whose validity has been called into question. It seems that many are running hard after magic solutions, while ignoring the basic details that can keep them safe.
So, what are these fundamentals I keep talking about? Since I have written so much about the specifics, I will stay out of the weeds here. For specifics, see Good Information Security is Fun-Damental. The general categories of these simple pursuits are as follows:
Everyone needs some approach to a formal, written security policy, whether you have 2 employees or 20,000. Such a policy needs to be in place when you are small, so that the organization is consistent as you grow. Additionally, if you are in a regulated business, or want cyberinsurance, you will not be able to do without one.
One of my favorite books of all time is The E-Myth Revisited by Michael E. Gerber. In this book, Gerber makes the case for treating every business as a franchise prototype, and establishing formal processes from day one. This approach is fundamental to information security. As an example, in my guide, How to Avoid Ransomware, I make the case for at least spot-checking PCs for current updates on a weekly basis. A defined process is essential to doing this consistently and properly.
Once you have a policy in place to know what to do, and a process so you know how to do it, you need to execute. The “secret sauce” of execution is consistency. You need to schedule your efforts, and then do them, week in and week out. Once you get behind, it is hard to catch up.
As you execute your process based on your policy, it is essential that you keep logs and records of your efforts and findings. These can help make sure you are disciplined in your approach. More importantly, however, this information will be essential for forensic purposes if you have an incident. Such records can make the difference between a paid insurance claim and one that is denied. Set a schedule, and have someone, preferably other than the person executing the process, review the records for adherence to policy.
Once you have these four steps in place and functioning well, I contend that you will be more secure than the organizations spending tens of thousands of dollars on fancy tools that don’t really accomplish what they state.
Bottom line – good security is in your control; just focus on simple before you go after fancy.