By Chris Beal, MCNC, Chief Information Security Officer
In the wake of recent news about massive data breaches at Equifax and Deloitte, I imagine that many of you want to throw up your hands and just give up when it comes to cybersecurity. After all, if these giant companies with major investments in security protections can’t keep the attackers away, how can we expect to fare any better?
As I travel around NC and talk with MCNC’s customers, I often hear similar thoughts and questions. I understand the frustration and confusion. Cybersecurity is a very challenging problem. As our workplaces and even our everyday lives become more dependent on technology, the challenge continues to grow.
These challenges are often described in terms of battle or war - attackers and defenders fighting the battle daily, trying to win the war. While this analogy helps us to understand some of the dynamics at play, it is not the most helpful one we can use. When people think about cybersecurity defense, they often think the objective is to prevent successful attacks; to prevent systems from being compromised and data being stolen. While these are certainly important objectives, they aren’t the ultimate objectives. I like to think about the discussion differently.
You never get sick, right?
Let’s frame cybersecurity in terms of human health. People generally work hard to avoid getting sick. We get vaccines. We wash our hands. We go to the doctor for regular checkups. We bathe, brush our teeth, and limit our contact with places where we might pick up germs. In short, we practice good hygiene. But, even when we practice good hygiene, we sometimes get sick. Does that mean we’re unhealthy? Not necessarily.
Most people understand that it’s unreasonable to expect that you’ll never get sick. Good hygiene lowers our chances of getting sick, and other healthy habits like exercise, a balanced diet and adequate sleep help us stay healthy. They also help us recover more quickly when we do happen to get sick. This idea of health as an outcome made up of lots of factors (some of which are not under our control) is a better way to think about cybersecurity.
Good cyber hygiene forms good habits
There are things we should do on a continuous basis to help minimize our chances of getting compromised. We should continually keep our systems updated with the latest security patches. We should harden our systems to make them more resistant to attack. We should deploy security controls like multi-factor authentication, anti-malware, encryption, and firewalls. All of these things help improve our overall cyber hygiene. But, practicing good cyber hygiene on a continuous basis doesn’t guarantee that we’ll stay protected. Sometimes an attacker can overcome all our preventative measures.
As you are thinking about cyber defenses, it’s important not to focus solely on preventing an attack, but also to think about ways to quickly detect a compromise and respond. Do you have monitoring and alerting systems in place? Do you have backups to allow rapid recovery? Do you have an incident response plan in place, and do you train your employees to understand how to use that plan if needed?
Protection is important, but rapid detection and response are also important to maintaining overall cyber health. Just as most people understand it’s not reasonable to expect that you’ll never get sick, we should also understand that cyber compromise may happen. But if we are compromised, it doesn’t necessarily mean we are unhealthy. If we are able to quickly detect, respond to and recover from a compromise, then our overall cyber health actually is in pretty good shape.
October is Cybersecurity Awareness Month
Right now is a great time to think about your cyber health. If you’re looking for ways to improve your cyber hygiene, check out Stay Safe Online. This resource offers practical advice and tips for both individuals and businesses to strengthen their security posture. The Center for Internet Security also provides helpful information including the CIS Controls, which are a prioritized set of actions to protect your organization and data from known cyber-attack vectors. These controls are vetted with evidence from real-world use and are known to be practical methods to strengthen your cybersecurity posture.
I suggest prioritizing the following practices for good cyber hygiene. If you have others from personal experience, I would love to hear from you.
- Continually Install Security Patches
Make sure that you are continuously monitoring your systems and keeping them updated with the latest security patches. Do this for both the operating system (Microsoft Windows, Apple macOS, Linux) and applications (Microsoft Office, web browsers and plugins, etc.).
- Use Multi-Factor Authentication (MFA)
MFA is one of the best measures you can implement to make you less vulnerable to attacks from stolen credentials. While not a cure-all, MFA can significantly improve your overall cyber health.
- Continuous Automated Backups
Automatically backing up data on a continuous basis helps ensure that you can recover rapidly in the event of an attack such as ransomware. Make sure you test your backups on a regular basis to ensure that the data will be there if you need it!
At MCNC, we implement all of the practices listed above and many others to help keep our systems protected and ensure our services stay up and available for our customers. Earlier this year, we successfully passed a SOC 2 Type II audit by an independent, third-party audit firm, to ensure that we have the right security controls in place and that they are operating effectively.
We also operate a number of security services for our customers, including DDoS protection, web content security filtering, and compromised host detection. You can learn more about these at MCNC’s services web page. We’re also working on several new services that we hope to make available to customers in the next year, including a Continuous Monitoring and Risk Assessment service, and a DNS Security Filtering service. Stay tuned to us for more information on these exciting new services.
Cybersecurity requires the vigilance of everyone at every level of an organization. No single practice will guarantee that you will remain free from cyber compromise. But, practicing good cyber hygiene will help you be on your way to feeling better in no time. Here’s to your cyber health!