Cyber Security in the Workplace

Build a Strong Culture of Security

Stephen Nardone
A Meeting of the Security-Minded

Cyber security in the workplace is everyone’s concern. Security isn’t just for your IT team—everyone needs to be aware of the best ways to keep data and systems secure. Many of the techniques that individuals use to protect themselves in their personal lives translate very well into the workplace, and from the workplace back to the home. It may make people cringe a little to hear it said out loud, but it is absolutely true: the user is the weakest link in the security chain. We may feel a little offended by that, but we have to face the music. Users make the decisions that can affect the security of the overall environment—even opening the wrong email can wreak havoc.

Security in the workplace is a very complex process. One of the things I always strive to make clear to our customers is that security doesn’t just consist of installing anti-virus software or a firewall. A true security plan has to be a complete, end-to-end risk governance process that covers every aspect of business process and productivity in your environment.

Hackers Don’t Discriminate

Sometimes a customer will say something to me like, “I’m not really interesting enough for anybody to think about attacking me.” That one always makes me chuckle a bit, because the truth is it doesn’t matter whether or not your organization does something “interesting.” All that really matters is that you have an IP address on the Internet waiting for someone to connect to your environment. If you do, you’re plenty interesting enough. In fact, most organizations—if not all organizations—that are on the Internet are being attacked literally thousands of times a day or week.

The only way to protect yourself and your organization is to put a very solid strategy together. At Connection, we talk about protect, detect, and react. That involves technology you can put in your environment to help address critical security areas, such as your edge, your interior, your endpoints, traffic management, and data security, as well as people and process. Add in security services that help you validate whether you have it right. All of these areas involve people, process, and technology, as well as the techniques and tools necessary to do the work.

The detect component—such as anti-virus software or intrusion detection technology—gives you the ability to see whether an event is actually happening. Reacting to it is the final area: the reaction piece is to get on top of an event and lock it down before it can become an epidemic. The last thing you want is for a single breach in an environment to become an epidemic across your entire organization. If you build the protect, detect, and react strategy into your overall process, and you think about people, process, and technology and how all of that comes together, you will have a very strong information security program.

Stay Aware and Be Prepared

As you build your strategy, it’s also critical to recognize that threats—and the risks associated with them—change on a daily basis. You need to constantly assess, document, and validate your risk. You need to account for all the potential vectors, from external hackers to users clicking on malicious links—and everything in between.

But let’s say there’s only one thing that you have the time, the ability, and the budget to address. In that case, the first thing you need to do is build a vulnerability management program and a patch management program. Most attacks target systems with outdated patches, which can be easily subverted using commonly available attack tools. If you have a very strong vulnerability management program, and a patch management program that keeps your systems up to date so that they don’t have weaknesses, that is a great first step toward risk management, protection, and security in your entire environment.

Stephen Nardone, CISSP, is Director of Security Practice at Connection, with over 38 years of experience on both the government and commercial sides of the security business.