Good Enough is Not Good Enough

November 17, 2017

By Matthew Boehm, CISSP, Information Security Analyst, CM3 Building Solutions


Most of us are aware of big security breaches such as those at Equifax, Target, TMX and Home Depot.  But after the shock wears off, people tend to forget the media buzz and move on with their lives.  Perhaps it is human nature, wishful thinking or — quite possibly — denial. Cybercriminals are raising the bar on security every day.  It is time for our clients to step up their cybersecurity game.

Cybersecurity is often like going to the doctor’s office for a checkup. The doctor says, “You are overweight, pre-diabetic and you smoke. If you want to survive, you better lose weight, change your diet and quit smoking.”  The patient, without a thought, responds, “I know, but what is Plan B?” Our customers, for the most part, are aware of the importance of cybersecurity, but they are reluctant to take the steps to manage their risk.  How do we protect our customers from themselves?

Obstacles to Implementing a Cybersecurity Program

Some customers in the government and large corporate arenas have stringent policies regarding infosec, but those in the small to medium-sized range are in a different position. Their policies and procedures are usually ad hoc, or even non-existent, and they typically have a very small IT staff or just one talented employee who doubles as the IT guru. They all have arguments for doing it that way:

Budget Constraints

It is difficult for a small to medium-sized organization to justify spending on “intangibles” such as cybersecurity when they are worried about keeping the lights on.  We need to educate customers on the cost/benefit ratio of responding to and mitigating security threats. They can pay us now or pay us later.

Incomplete or Inaccurate Specifications

Often, we are at the mercy of third-party specifications. In some cases, the third party may not be aware of the need to include a cybersecurity component in job specifications. You can only patch a rusty bucket so many times before it stops holding water.

Complexity

Infosec is difficult, not only for the IT department, but for everyone. It increases the complexity of any project. You need specialized training, personnel and a corporate culture of Infosec. Ongoing maintenance and troubleshooting create even more complexity.

What to Do

How do we transition our customers from being aware to being compliant? How do we keep their systems from being “owned,” or completely compromised by a bad actor?

Clean Our Own Houses First

Start by establishing policies, procedures and Infosec practices in your organizations. Do it right — be a role model and do Infosec as a matter of practice even though customers may not comply to your level. If you aren’t very good at Infosec, spend the time and effort to get good at it, or enlist the help of someone who is.

Educate Customers

Be a Cybersecurity “Evangelist.”  Tenacity is the key to getting the message across. Create clear, concise and effective messages without peddling fear, uncertainty or doubt. Be positive.

Offer Infosec Services

Make sure that our offerings have cybersecurity “baked in.” Create a checklist, dictate clear policies, and provide easy-to-follow procedures to go along with every installation.  Always provide a method to validate proper adherence. Offer additional assistance.

Write Security into the Spec

If possible, take a seat at that table early in the process to influence secure network design.  Make customers aware of the risks of incomplete specifications. Integrators must be advocates for the addition of Infosec into the job specifications. Keep pushing.

Conclusion

Infosec is hard. It is time-consuming and adds complexity to any project. It requires keen attention to detail and a constant refining of the process. Small organizations are just as likely to be attacked as larger ones, and bad actors are usually looking for the path of least resistance, the low-hanging fruit. It is up to us as security integrators to make sure that we follow best practices in our own organizations and execute all our installations with Infosec in mind. We must guide and direct our customers in the infosec arena. There is no Plan B.