Archive for the ‘Success in IT’ Category

Cybersecurity: Train Your Employees!

January 15, 2020

Cyber risk and risk mitigation are topics that are at the forefront for every person who manages networks and computer infrastructure. We are in a constant battle of wits with the “bad actors” of the cyber world who look to cause harm and mayhem for others. Sometimes the goal is to cause destruction and chaos. Think old-school malware and viruses. Sometimes the goal is to take their victims for as much money as they can by promising to resolve the situation for a steep recovery fee. Think about the original CryptoLocker attacks, as well as all the variants since.

Many businesses are willing to pay these fees to avoid loss of data and loss of face with their clients. At times it appears to be more palatable to pay several thousand dollars to the bad actor than to admit they had holes in their security. Doing this gets expensive quickly as more computers within the organization become locked and have their data corrupted. I have examples I can share from various organizations I have worked with over the years. You can read about one such incident in my article, “System Down: The Anatomy of an ‘Oopsie!’”.

As organizations’ networks and related systems become more complex, the job of the Systems Administrators and Cyber Security teams continues to get more challenging. With more organizations allowing remote workers, as well as international business travel becoming more common even for small businesses, the threats grow exponentially. The constantly evolving threat environment underscores why it is imperative for IT teams to continually educate themselves on the latest threats, as well as the mitigations of these threats. Businesses need to ensure that all of their security services, from firewalls to the desktop solutions and everything in between, have their subscriptions maintained and that all signatures are up to date.

But these threats don’t just impact businesses. People in their homes are becoming targets as well. Some of the threats are the same as with a business, but there are also other threats. I’ve witnessed and listened to countless stories of individuals receiving phone calls from someone claiming to be tech support from one company or another and saying that their computer reported a threat to tech support. For a “small fee,” they will remote in and clean up the problem. The people who fall for this usually have to get a new credit card due to fraudulent charges. Also, the computer that they allowed this actor to access, which had no problems before the tech support call, has now been infected with some form of malware.

Part of the solution for businesses is cybersecurity awareness education for their staff. Employees need to understand the threats that exist in the cyber landscape. They must be made aware of how the attacks come in, what they can do, and the potential consequences to the business. Patterns in the sender’s writing style, as well as types of attachments, need to be discussed. The training does not need to be super-detailed, down-in-the-weeds cybersecurity education. The training must be presented in a way that individuals of all understanding levels can comprehend the topic. Management needs to stress to the attendees that this training is critical to the business, and will help protect the business as well as the individuals who receive the training. By educating the employees in the workforce, and by providing updates to this education, businesses will reduce the likelihood that a cyber attack will be successful. Firewalls, content filters, and anti-malware applications must be in place, with the subscription services actively maintained and monitored. The education of the employees provides another level of protection to the business infrastructure.

Educating a home user on cybersecurity can be more challenging. Here, the training that employees receive at the office can provide others with a basic understanding of cybersecurity. Individuals in the workforce will go home and take their training with them, providing increased awareness of cybersecurity in the home, but it shouldn’t stop there. Many security providers offer basic and free online security training. By sharing these resources with your employees, they will feel that they can share them with others, once again spreading the knowledge. Here are a couple of sources for free online cybersecurity awareness training:

ESET Cybersecurity Awareness Training

Cybrary End User Awareness

Keep in mind that security awareness is every person’s responsibility. By providing even a basic education on the threats and ways to avoid those threats, businesses and their employees will be better prepared to manage and mitigate the threats that inevitably make it through the defensive measures their IT teams have in place.

As always, I welcome comments and questions. Got a topic you want to see covered? Let me know in the comments!

Zero Trust: What exactly is it?

January 5, 2020

You’ve probably heard about the principle of Zero Trust, but what exactly is it? At its most basic, Zero Trust is a strategy that involves technologies, processes and the individuals that make use of them. Zero Trust requires strict identification of every person and device trying to access resources on a network. The principle does not differentiate between devices or people that are inside or outside the network perimeter.

The traditional paradigm for network security is the castle-and-moat approach. This defense approach made it difficult to gain access to the network from outside, but people and devices that were inside the network were automatically trusted. This approach was OK before the advent of the Cloud. As companies realized the flexibility and power of cloud services, the security paradigm had to change. Businesses no longer have data stored only within the walls of their “castle”, but increasingly have data stored in the Cloud as well. Most often, this data is stored in a mixture of on-premises (in the castle) and Cloud locations.

With this change, businesses needed to be able to authenticate individuals as well as devices before access was granted to any of the data, no matter where it was stored. This additional security has been proven to prevent data breaches. IBM sponsored a study that demonstrated that the average cost of a data breach was over $3 million. With these results, it is not a surprise that organizations are rapidly adopting a Zero Trust policy.

Another aspect of Zero Trust is the principle of least-privileged access. This means each person and device only has the access needed to perform their function, and no more. You can think of this as “need-to-know” access, like in a military or spy movie. This minimizes each person’s and device’s access, and in so doing protects the sensitive parts of the network from access by people and devices that have no business even knowing the resources are there.

Another critical component of Zero Trust is having a mechanism in place to monitor and report on activities. As Zero Trust continues to evolve, these monitoring solutions have become increasingly automated. This is especially important for larger organizations that can have thousands of employees, devices, and access requests occurring at any given moment. For smaller organizations, the alerting can be as simple as an email informing of a potential issue. For larger or more complex organizations, the best solutions typically involve an active display that is visible to key staff at all times and visually alerts them to an incident in progress. This visual alert, in conjunction with an email or SMS message to the incident response team, offers a much improved alerting mechanism for events than the traditional method of log review. The most complex environments deploy monitoring and alerting solutions that use a combination of machine learning and AI to provide a complete monitoring and alerting solution.

For more information on Zero Trust, I highly recommend this article provided by Guardicore.

As always, I value comments and feedback on the articles I write.

Success in the IT Industry: Whatever you do, DON’T PANIC!

July 27, 2017

I’m going to kick off a small series here about succeeding in the IT industry. These will be topics that I have learned over 20+ years of working as an IT Professional. I will do my best to make sure the topics and content cover consultants, such as myself, as well as those who work for a single entity. So, with that introduction, off we go!

If you have worked in this industry any length of time, I can guarantee you have had at least one person come running up to you sure that their life was about to end due to a lost file, a jammed printer that contains their presentation to the board that’s due in 5 minutes, or their inability to access the internet on their smartphone while in the restroom. In any of those situations, it is pretty easy for us to remain calm, hopefully reassuring that person, and helping them quickly resolve their problem.

But what do you do when it’s your server or server farm that has suddenly dropped off the network denying the CFO access to his data that he needs for a meeting that started 5 minutes ago? How do you react when the worst happens in the systems that you are responsible for and all the upper management staff are standing over your shoulders watching you and demanding an estimate of when the company will be back up and running, all the while reminding you of the expense of having 50+ employees that they have to pay for sitting around and drinking coffee?

Hopefully, your answer doesn’t contain the words “panic”, “freak out”, or “I don’t know”.

If you work in the IT industry as a network or systems administrator, I can personally guarantee you that there will be times that this happens. Technology is not infallible and, in my personal opinion, subscribes to Murphy’s law: “Anything that can go wrong, will go wrong, and at the worst possible time.”

So, how do you prepare for that? Can you prepare for that? How do you deal with the ownership or management staff breathing down your neck?

Rule number one: KEEP CALM!

There is absolutely nothing gained by you panicking. In fact, if you panic, it will increase the panic level of all the others around you. Imagine, if you will, a herd of zebras on the plains of Africa. One of them notices a lion that appears to be stalking the herd. It follows its natural instinct to run away from the danger as fast as it can, making noise while doing so. This alerts the rest of the herd to the danger and causes them all to panic. The result is a stampede and ever-increasing panic as they lose sight of where the lion is due to the dust cloud they create in running. Now imagine this same zebra that, instead of panicking, watches the lion. After a few seconds, it sees that the lion is going to lie down in the shade because it is really hot. A sleeping lion is not a great threat, so it goes back to munching the plains grass. The herd doesn’t stampede, and the peace is kept. That doesn’t mean the zebra stops checking on the lion every so often, just to make sure it really is napping.

Same thing applies in IT. You will get people that come running into your office or calling you in a panic. You WILL have servers that go offline for mysterious reasons and cause all sorts of havoc around the office. You might even have equipment that quite literally goes up in smoke. I have been witness to that several times. Since these things are pretty much inevitable in this industry, you need to have a plan to deal with them. And you need to have the proper attitude to handle any situation that comes up. You need to appear to be calm, cool and collected in everything you do.

Some of this response comes from experience. The longer you do something, the more you see the issues, and the better prepared you are to handle the issues as they come up. The hardest part is not dealing with the issues. It’s dealing with the people affected by the issues. When they approach you at a dead run or panicked on the phone, you need to be able to reassure them, let them know you are aware of the problem and that you are working on resolving the problem as quickly as humanly possible. Easy to say, not always easy to do. And to my knowledge, there is no training program that can prepare you for the flood of varied responses you will get from the people in your organization. Some will decide it’s time for a coffee break. Some will call you or come visit you thinking that their presence might in some way help you solve the problem faster. I have even seen people break down in tears over issues they have no control over.

All of these responses can be a major distraction and can cause you to feel more and more stress as you try to resolve the situation. Sometimes it becomes necessary to ask people to leave you alone so you can do your job. This needs to be stated nicely, but firmly. My best example is a CFO/VP at one of my clients. He came from a very large company that had a huge IT staff. He was used to getting status updates and resolution estimates every 10 minutes during an outage or incident. His new company, my client, has two locations, about 100 employees overall, and one IT guy…me. With me being the only point of contact for IT issues, needing to give status updates every 10 minutes could be a real problem since it distracts from the task at hand. During one particularly major issue involving Microsoft Exchange, I finally had to sit him down and explain to him that having to stop every 10 minutes, find him, update him on the problem, give him a resolution estimate, and then go back to work on the task was going to easily triple the amount of time (and thus the bill) for getting the issue resolved. Once he finally understood that and realized that I would let people know when there was something to actually report, he backed off on his requirement to update him so frequently on the progress. The net result was that problems got resolved much faster, and if he was really curious, he would come find me, and if I was not looking completely absorbed in the issue at hand, he would ask a simple “how’s it going?” and get a quick reply while I got to keep working the issues. It was a win-win for everyone.

The bottom line is this. When everything around you is going crazy, and the employees and/or management are all panicked, it is your job to be the calm at the center of the storm. Let it swirl around you, maybe even ruffle your hair a little. But under no circumstances should you visibly panic. It could cause the panic in other people to amplify, and could even cause some people to lose a little faith in you and your abilities. As the person responsible for protecting their network, for protecting their data, and some will even see you as the person protecting their livelihood, you need to be the bastion of calm during a real or perceived crisis.

Categories: Life, Success in IT