WHO? Everybody who relies on cyber technology.
WHAT? Must maintain constant vigilance to reduce vulnerability to cyber-attack.
WHEN? Cyber-attack is a persistent threat that never stops.
WHERE? Following a model to manage your systems confers the advantage of strategic planning.
WHY? Strategic planning allows you to budget when weighing risk against security.
Until there is a cure, continual vigilance is the price we pay for cybersecurity: vigilance against newly disclosed exploits and against incessant phishing attacks. Cybersecurity, though, is a team sport. It takes a village for effective cybersecurity, and it only takes one village idiot to destroy it. Truly, your cybersecurity is only as strong as your weakest link.

What are the basics of cybersecurity? Patch, Configure, Monitor, and Pray.

Patch. Update Software. When a vulnerability is discovered in a product, whether by researchers, by the vendor, or because attackers are already exploiting it, the developers are notified so they can fix it. Developers are highly motivated: they do not want to be sued, or lose customers, for ignoring a known problem. The fix is shipped in an updated version of the software that is made available to customers. It is important to always update your software promptly. A published patch also tells attackers exactly where the hole was, so systems that have not applied it become the easy targets.

Configure. Manage Settings. Settings include options, features, and controls. A common failure is to leave a system on the default settings it shipped with: default passwords, default community strings, management services switched on out of the box. Defaults are publicly documented, so they present easy targets for anyone trying to infiltrate your system. Always change default credentials, turn off what you do not use, and periodically review your settings, because updates can add new features that arrive enabled.

Monitor. Maintain Watch. How do you know if somebody or something has infiltrated your computer? The only way is to maintain watch over your systems for unusual or suspicious behavior: logins that fail repeatedly and then succeed, accounts active at odd hours, traffic to places you do not do business with. It's not easy. The 2017 Ponemon Institute study sponsored by IBM put the mean time to identify a data breach at 191 days.

Pray. Hope you struck the right balance between risk and security. There is no guaranteed security, because it is impossible to protect against all threats. Moreover, security costs money, and there is a point of diminishing returns on that investment. The answer to the question "How much security do I need?" is "How much can you afford?" Nobody can afford all of it. Therefore, every choice is a trade-off between security and risk. But hope is not a strategy. You can implement cybersecurity haphazardly, or according to one of a number of models.
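The Configure and Monitor basics above, as an added worked example (the editor's illustration, not code from the original article): a small Python script that audits a configuration for well-known vendor defaults and for hardening options that were never set, then scans authentication log lines for a burst of failed logins from one address and notes whether a success followed the burst. The setting names, default values, log format and log lines are all constructed for the example; real products use different names and formats.

```python
"""Added example (editor's, not from the article): two of the 'basics' as checks.
audit_config() covers Configure; detect_brute_force() covers Monitor.
All setting names, default values and log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: well-known defaults a hypothetical device ships with.
KNOWN_DEFAULT_VALUES = {
    "admin_password": {"admin", "password", "changeme"},
    "snmp_community": {"public", "private"},
}
# Constructed: settings that must be explicitly set to the safe value.
MUST_BE = {
    "telnet_enabled": False,
    "allow_anonymous_login": False,
}

def audit_config(config):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    for key, defaults in KNOWN_DEFAULT_VALUES.items():
        if key not in config:
            findings.append(f"{key}: not set, so the vendor default applies")
        elif config[key] in defaults:
            findings.append(f"{key}: still a well-known default value")
    for key, wanted in MUST_BE.items():
        if key not in config:
            findings.append(f"{key}: not set explicitly, verify the vendor default")
        elif config[key] != wanted:
            findings.append(f"{key}: is {config[key]!r}, should be {wanted!r}")
    return findings

# Constructed: a device as it arrives, and the same device after hardening.
SHIPPED_CONFIG = {"admin_password": "admin", "snmp_community": "public",
                  "telnet_enabled": True}
HARDENED_CONFIG = {"admin_password": "per-device-rotated-secret",
                   "snmp_community": "site-specific-string",
                   "telnet_enabled": False, "allow_anonymous_login": False}

# Constructed log format: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_line(line):
    """Return an event dict for a matching line, or None for lines we don't watch."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["outcome"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}

def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Alert on any source IP with >= threshold failures inside a sliding window.
    Returns {ip: {"failures": n, "success_after": bool, "user": str|None}};
    success_after=True means the burst was followed by a successful login."""
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        recent = []  # failure timestamps still inside the window
        for e in evs:
            if not e["ok"]:
                recent = [t for t in recent + [e["ts"]] if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    a = alerts.setdefault(ip, {"failures": 0, "success_after": False, "user": None})
                    a["failures"] = max(a["failures"], len(recent))
            elif ip in alerts and not alerts[ip]["success_after"]:
                alerts[ip]["success_after"] = True  # burst then success: investigate now
                alerts[ip]["user"] = e["user"]
    return alerts

# Constructed sample log (TEST-NET addresses). One attacker bursts and gets in,
# one user mistypes once, one slow scanner stays under the 60-second window.
LOG_LINES = [
    "2024-03-05T09:12:01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-05T09:12:04 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-05T09:12:09 sshd: Failed password for backup from 203.0.113.7",
    "2024-03-05T09:12:13 sshd: Failed password for backup from 203.0.113.7",
    "2024-03-05T09:12:18 sshd: Failed password for backup from 203.0.113.7",
    "2024-03-05T09:12:22 sshd: Failed password for backup from 203.0.113.7",
    "2024-03-05T09:12:30 sshd: Accepted password for backup from 203.0.113.7",
    "2024-03-05T09:12:40 sshd: Failed password for alice from 198.51.100.23",
    "2024-03-05T09:12:47 sshd: Accepted password for alice from 198.51.100.23",
    "2024-03-05T09:04:00 sshd: Failed password for root from 203.0.113.9",
    "2024-03-05T09:00:00 sshd: Failed password for root from 203.0.113.9",
    "2024-03-05T09:02:00 sshd: Failed password for root from 203.0.113.9",
    "2024-03-05T09:12:50 kernel: eth0 link up",
]

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
    for ip, a in detect_brute_force(LOG_LINES).items():
        print(f"ALERT {ip}: {a['failures']} failures, success after: {a['success_after']} ({a['user']})")
```

The audit treats a setting that is absent from the config as a finding, because absence means the vendor default is in force, which is exactly the failure the text warns about. The detector uses a sliding window so a slow scanner spread over minutes does not trip a threshold meant for bursts; widening the window (for example threshold 3 over 300 seconds) is how you tune it to catch that slower pattern at the cost of more noise.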
The NIST Cybersecurity Framework is one such model. Its core functions, Identify, Protect, Detect, Respond and Recover (with Govern added in version 2.0), help place your cybersecurity on a systematic footing by making you evaluate where you are, where you're going, how you're getting there, and how much it will cost. Such methods confer the advantage of strategic planning; they allow you to budget cybersecurity. Absent the ability to plan strategically, all you're doing is shooting in the dark.

How do you reduce vulnerability to phishing? The same way you get to Carnegie Hall: practice, practice, practice. Train people to recognize phishing, test them with simulated phishing messages, and make reporting a suspicious message easy and blameless.

Finally, you must plan to fail. There are only two types of systems: those that have been hacked and those that don't know they've been hacked. Failure is an unavoidable outcome. You can reduce the consequences of failure, though, if you can rapidly recover, which in practice means tested backups kept out of an attacker's reach and an incident response plan that has actually been rehearsed. Rapid recovery is perhaps the best defense against cyber-attack.