In the early morning hours, a security manager from a local SMB wakes up to her cell phone chirping. As she quickly looks at the offending device, she realizes it’s a text message from one of her organization’s vendors, which provides cybersecurity services. As she rolls over and makes the phone call, she realizes she has an issue that will require her to wake up her team and start the day earlier than planned. As she speaks to her team over a hastily arranged video conference, it soon becomes apparent that there is a critical security patch that must be implemented as quickly as possible. Her security team members are concerned because the patch addresses a recently discovered zero-day attack, and they are worried that if it is not addressed soon, there may be unforeseen repercussions. As her day unfolds and the issue is scheduled for change management and later remediated by her team, she thinks about what it would be like to manage a network without standard security controls and policies: a network where standard security frameworks and industry best practices for managing risk are not followed, and a simple phishing email received by an employee could have devastating consequences.
This scenario is quite common – cybersecurity doesn’t sleep, and neither do security professionals <smile>. What is vital for you to understand from this brief view into a security professional’s life is that without standards, without basic security controls, without security hygiene, this story could have been much worse, and the security manager’s company may have been severely impacted.
In today’s interconnected world, phishing emails and malware infections caused by attachments and links to hacked websites are just some of the digital debris that has become an everyday occurrence. However, in the disparate enterprise environments found in many small businesses, cities, and corporate networks, these types of attacks can be catastrophic due to the natural blending of old and new technologies. The repercussions of modern malware attacks on these intertwined infrastructures can result in the loss of critical services to businesses and their customers.
To counter these ever-evolving threats, I believe organizations, and especially SMBs, which have limited resources, should focus on doing the essential security controls well. Businesses must lay the equivalent of a digital foundation on which they can then build their networks and securely provide data and applications to their employees and customers. The methodologies that businesses and their security managers would follow to do the basics are commonly referred to as “cyber hygiene.” There are numerous approaches to implementing cyber hygiene, and there are quite a few ideas about what should be considered cyber hygiene. What is essential for you to understand is that cyber hygiene isn’t hard and can be managed through six necessary steps. The steps an SMB’s security manager can use to protect the business are as follows: Count, Configure, Control, Patch, Protect, and Repeat.