As digital technology continues to rapidly transform the business landscape and impact our lives in significant ways, the protection of these assets and the data held within them is more important than ever before! It’s likely that most of us understand the basic terminology of cybersecurity, such as malware, antivirus, phishing, ransomware, etc. But fewer understand the process of putting together the pieces needed to keep their data safe from cyber-thieves, fraudsters, and bad actors.
In this article, which is part two in a four-part series on Practical Cyber Security for Small Business, we’ll go Beyond the Basics and explore the language and practical application of cybersecurity controls. Let’s start with two foundational truths:
Advanced Persistent Threat (APT) – A cyberattack in which an intruder gains access to a system or platform (Facebook) and remains undetected for an extended period of time. Almost every attack attempt today is conducted with advanced toolsets and knowledge. What separates an APT is that the attackers find success and secretly maintain unauthorized access to continuously steal and exploit information. On October 3rd, 2018 the National Cybersecurity and Communications Integration Center (NCCIC) issued an alert citing their knowledge (since May 2016) of APT actors using “…various tactics, techniques, and procedures for the purposes of cyber espionage and intellectual property theft.” Historically, these attacks have been against large organizations, but recent evidence shows that small and medium-sized organizations are also being targeted. And because these smaller organizations are rarely prepared for both the attack and the process of recovering from such an incident, they have more to lose, both in terms of money and reputation. Being aware that the threat is real is an important first step in preparing to defend against it.
Defense in Depth (DiD) – The process of defending a computer system or information platform by placing multiple layers of security controls in place, so that if one layer fails, other layers of protection become a barrier to entry. If we think about how this applies to physical security, and our objective is to prevent an intruder from entering a building, we build Defense in Depth by placing a fence around the area we are trying to secure; we then place barbed wire on top to keep people from scaling the fence; we place a quality lock on the door, and then a deadbolt; we add security bars on the windows to prevent breaking and entering; we employ surveillance cameras on the outside and inside the building; we train personnel on how to identify suspicious activity and who to report it to; and finally, we employ an alarm system with a loud siren, flashing lights, and a hotline to security personnel who are standing by to act. With these layers of protection, they won’t get in, and if they do, we’ll stop them soon afterward.
With cybersecurity, we must employ a similar approach to protect our systems and the data that we control. Antivirus software, regardless of how well it is managed, is simply not enough today. We need Defense in Depth! Here’s how our physical security scenario correlates to modern cybersecurity controls:
- Fence around the property – A modern Network Security Appliance (firewall)
- Barbed wire on top of the fence – Security-appliance-log monitoring and reporting
- Door lock – Continuous software updates and security patches for all software in use
- Door deadbolt – Next generation anti-malware software running on every device
- Window security bars – Encrypted communication and file systems
- Security Cameras – Intrusion detection system monitoring for potentially malicious activity
- Personnel training – Cyber Security Awareness Training for every computer operator
- Alarm System – Professional management and monitoring for all the above
- Security Personnel standing by – A Cybersecurity Incident Response Team that includes participation from cybersecurity specialists, legal professionals, and crisis management personnel
With these layers of protection, you decrease your risk and increase your chances of surviving an advanced cyber-attack.
For more information on this topic, please contact the author.