All successful people have one quality that is universal to them, and that is their ability to self discipline. This quality is so paramount that it was even included in the infamous book by Stephen R. Covey, 7 Habits of Highly Effective People. So how does self discipline apply to cyber security? It all starts with how we interact with technology.
Technology is the Antithesis of Security
The reason cyber security is even an issue is because of technology. Without all of the devices, computers, servers, and websites in the world we would not even have an issue. If we didn’t have technology our company would focus on securing the physical assets found within the building. However, that is not the case and our company only deals with digital transmission.
There is no shortage of new technology entering our offices every day. From copiers, VoIP phones, mobile phones, computers, servers, printers, WiFi, smart TV’s, IP Cameras, smart appliances…the list can go on and on. All of these types of technologies introduce a pathway into your true assets, the data and the money.
Regardless of what your organization does, this is what the attackers are after. Thus, in order to be secure you have to have self discipline around the introduction and maintenance of these devices.
You can’t let just anyone install a device on your network. You can’t let a copier company put a new copier on your network and let them set the password. And you have to have technologies in place to detect if a rouge device is introduced. You have to be vigilant.
On-boarding Plans
Much like adding a new team member to your staff, you need to on-board any new technology before it is introduced to your main network. The plan should include setting passwords properly and checking for security holes within the firmware. Additionally, it is important that you understand what ports are needed to access the device, ways you can limit the overall access, and figure out what network segment the device should be placed on. The key to security is in a disciplined approach to introducing technology.
When we audit a network, we often find weak or default passwords spread on devices. We find networks that are not properly segmented, unpatched devices, and even cameras that are open to the internet.
One issue that we are currently dealing with is a massive botnet attack on a client. The attack started because the client had an open port that was connected to an IoT device. That device had default passwords set and unpatched firmware. Even more detrimental was the fact that the device was located on the main network segment. What was the reason for this? They allowed a third party to install a device on their network.
This is also where self discipline comes in. Third party vendors that sell technology who are not focused in cyber security are a risk. It isn’t because they are malicious. It is because they are ignorant of the risks.
I was giving a speech last night to a local group of philanthropists on cyber security. In describing what we do I used the analogy of a website. I said that they should picture a website in their heads. Then picture the search button where they can search for products. They see a way to find what they need. An attacker sees a pathway to steal their data. People in cyber security look at these things differently. We look for ways it can fail. Not how to make something work.
No one is perfect, but a strategy of self discipline in and around all technology on your network and in your life will lead to a more secure infrastructure.