By Scott Sloan, Managing Director of IT
In my role as Managing Director of IT at Competitive Energy Services, I maintain the day-to-day IT operations for the company, oversee systems development, including implementing new technologies that align with CES’ current and future strategic goals. In so doing, cybersecurity is always top of mind for me and my team.
Cybersecurity: A Perspective
To me, cybersecurity is a contextual topic. What it means to one person, group, or business will be different when compared to others. Cybersecurity is also a function of risk management and often involves weighing two factors against each other simultaneously. For instance, how likely will there be a breach of a particular event or circumstance? That analysis is what drives the preparations and lengths that will need be taken to secure an asset.
To help evaluate asset security, start by asking the following questions:
· How secure is your home?
· Your online personal information?
· Your business and infrastructure?
Regardless of the context, security should be looked at as more than a one-time fix needed in response to an episodic event. In our technologically sophisticated world, personal and professional security needs to become a lifestyle – part of home or business’ culture. The tough reality is that you cannot assume that your home and/or business is secure. You should also know that the probability of a security breach occurring in either scenario is likely, given time and effort on the part of crafty hackers and cyber criminals.
This is where “security as culture” comes in to play. No matter how many locks are on the door, or how many times the security systems are installed and upgraded, if a nefarious actor feels that what is on the other side of door is worth the time and effort, the lock on the door will eventually be picked.
As companies grow, so does the likelihood of a security breach and, in turn, so does the need to have security measures, processes, and procedures in place. Think of it this way:
· More People = More training. More supervision.
· More Technology = More possibilities to exploit access.
· More Changes = More likely the old ways and new ways are not updated.
The first step to being secure is to understand and constantly review the “house,” so to speak. The analysis is fairly simple and involves asking of some basic questions that can make all the difference: Who?, What?, Where?, When?, and Why?
· Who can access these assets and why?
· What do we need to secure and protect our assets?
· Where and how can these assets be accessed?
This is your starting point - understanding what you can identify and then building protective protocols and processes around these areas of possible intrusion. Most breaches are due to not treating all known items as being new and introduced for the very first time and not considering that there are factors which may have been added or missed during the previous analysis.
Ironically, security can fall by the wayside the longer people work/reside in a particular environment. Why? Comfort and a related sense of security with the practices and protocols put in place to protect an environment. It’s easy to feel safe and convince ourselves that our practices are effective, especially if a threat to security has not occurred.
To keep security fresh, audits should be performed and a regular basis internally, at least annually. Start by developing a scoring system for each of the functional areas of the audit. From there a goal can be set and a measurable tool put into place that can be used to keep and improve security.
At the same time enlisting an outside company to assist with security evaluations and recommendations would be ideal. Companies of this type offer a host of services:
· Provide complete security on a managed service model – the third-party security contractor.
· Review of your company to determine what regulatory factors are involved.
· Assisting with the development of security plans.
· Conducting various penetration exercises – hard and soft.
Who Do You Trust?
Security is also tied to trust.
You would be surprised how easy it is to gain on-premises access to a business by acting as an employee of a supporting service vendor. Do you know who your mailman, UPS, FedEx, and custodial people are? Odds are most people do not. What you see is the uniform or logo or equipment and just assume that somehow these people are vetted and allowed to be there.
What happens when a happy employee evolves into a disgruntled employee? The actions of Edward Snowden changed the face of security. Government organizations now look at security of data through the lens of determining “How Snowdenproof” their protocols, practices, and systems are and taking steps to ensure optimum safety measures.
What Do You Trust?
Software is always being updated and what was secure yesterday may not be today. As a society, we often see headlines about a data breach that occurred and soon learn that the root cause was a weak password or some bug in the code after an update. These breaches can and do happen and the result can range from problematic to catastrophic for businesses.
Good questions to ask:
· Are all of our connected devices truly secure?
· Have we considered security when buying the latest gadget?
I’ll illustrate with a thermostat scenario. A good question to ask is “Why do we have internet connected devices like a thermostat?” Classic non connect analog thermostats work very well, and are cost-effective, too. Sure, the internet-connected thermostats are new, cool, and can perform other functions that the classic device cannot. But, there are risks and it’s important to understand what information is being collected when using a smart thermostat – e.g., knowing when home is occupied.
Conclusion
To come full circle, those that take on the role of security must do so with a sense of skepticism and paranoia. Trust nothing and no one. I know that sounds cold and harsh, but can your business or household live with the risk of assuming all things are safe and secure?
Trust and risk are what will drive what security means to you.
Photo by Dziedz