C-note: A Cyber Security Manifesto

by Rick Dakin, CEO, Coalfire

Faced with escalating cyber threats, more demanding regulatory compliance and a reduced tolerance for service disruption, organizations are weaving information security programs into their strategic DNA. Just last year, the focus was on a wave of cyber criminals who were stealing personal identities to conduct fraud for financial gain. Today, the new entrant is an opposing nation state intent on destabilizing our way of life. The Stuxnet malware that derailed the Iranian nuclear weapons program included a ‘weaponized’ payload that changed the rules for cyber war.

Fortunately, the response to both is the same. Whether your organization is protecting critical infrastructure or sensitive personal data, the following program elements will prepare us all to defend our homeland and protect our clients and staff.

  1. Know WHAT your IT-related risks are. Every company should conduct an IT risk assessment at least once a year. A thorough IT risk assessment will help identify and prioritize problem areas.
  2. Know WHERE your IT-related risks are. It’s not enough to know what the problems are; knowing where they are is critical, too. A good IT risk assessment can save you money in the long run.
  3. Achieve compliance with data protection regulations. First, get compliant with all government and industry data preservation standards. Achieving compliance is pointless if your company can’t consistently maintain it. Develop a process to manage compliance and keep compliance records up to date.
  4. Conduct penetration testing and social engineering. Hire an independent auditor to run penetration tests that find potential vulnerabilities in your systems, and execute a comprehensive social engineering program.
  5. Create, develop and execute an incident response plan. All organizations should assume they will eventually need an incident response plan. If you don’t have one, develop a plan soon. Practice the plan, so that when data breaches happen, everyone knows what to do.
  6. Educate your employees. Your people, through inadvertent mistakes, are the most common cause of security leaks. Teach employees (top to bottom) to be careful about what they do on personal devices and what corporate data they download.
  7. Encrypt sensitive data. Encrypt sensitive data stored on servers, laptops and portable media. If data is being stored on highly portable USB flash drives, encrypt those, too. If they are lost, no one can access the encrypted data.
  8. Create a strong password policy. Require all employees – from the highest to the lowest – to change passwords frequently, and make sure the selected passwords are strong. Educate users not to reuse passwords across multiple business accounts, or even personal ones.
  9. Segment your network, and your computers. Use a separate machine for your financial transactions, such as banking and payroll. Don’t use that machine for anything else, such as email or other web sites, so that malware and phishing schemes cannot reach it.
  10. Don’t treat security as a nuisance. Security is more than just preventing or limiting what people can do. Good security enables the business by protecting the revenue and profits that would otherwise be lost through a data breach. Treat security as a central part of your organization’s mission.