If so, it’s time to clean up the cyber funk in your business before it keeps flaring up and you end up needing to see a specialist. (I could make these jokes all day, folks!)
All joking aside, I would like to highlight the Center for Internet Security’s (CIS) new Cyber Hygiene guidance in this week’s post. For those who may not know about CIS, it is a community-driven nonprofit whose purpose is to develop best practices for cyber security. Many cyber security professionals and organizations use CIS guidance to defend against cyberattacks. Some of you may have heard of them as the producers of the widely known CIS Critical Security Controls® (often called the CIS Top 20) and the CIS Benchmarks®.
Much like the list of healthy-living advice you get from your doctor, the Cyber Hygiene guidance details what you and your business need to do to get cyber healthy and stay that way. CIS even goes as far as to define three levels, called Implementation Groups (IG1 through IG3), so you can build your cyber security capability in stages rather than all at once: each group adds controls on top of the one before it. The easiest way to think about these levels is to imagine you were teaching basic hygiene and healthy behaviors to your child.
Level 1 (IG1): The very basics of cyber health. If this were best practices for human health, it would be the things you teach your kids, like brushing their teeth and how to clean their ears. A CIS example at this level comes from the Email and Web Browser Protections control: make sure that only fully supported web browsers and email clients are in use in your environment. “Fully supported” means the vendor still ships security patches for that version, so the practical check is to compare the browser and mail-client versions actually installed against the vendor’s support list. Older and unsupported software gives attackers and malware a very easy way into your environment.
Level 2 (IG2): These controls build upon Level 1 and bring your child to adolescence. It’s like recognizing your kid is growing up and you now have to tell them to use deodorant, or at the very least to avoid Axe Body Spray in large doses. A CIS example at this level is maintaining an inventory of all user accounts for your systems and applications and reviewing it at least annually to confirm that least privilege is being enforced. Least privilege is a fancy way of saying that each person gets only the minimum access to your systems and data that they need to do their job or interact with your organization, and nothing more. In practice the review should catch three things: accounts with more access than their owner’s role needs, accounts whose owner has left or was never recorded, and accounts nobody has logged into for months.
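Here is what that annual account review looks like when you actually sit down to do it. This is an added example written for this post, not code from CIS or from the original article: the HR roster, role matrix and account export are constructed sample data, and the column names, the 90-day dormancy threshold and the review date are assumptions chosen for illustration.

```python
"""Least-privilege review of a user-account inventory.

Added example, not from the original post or from CIS. The HR roster, role
matrix and account export below are constructed sample data; the column
names, the 90-day dormancy threshold and the review date are assumptions
chosen for illustration.
"""
from datetime import date, timedelta

AS_OF = date(2020, 7, 1)   # assumed date the review is run
DORMANT_DAYS = 90          # assumed threshold: no logon in 90 days = dormant

# Constructed HR roster: user id -> current role. Anyone not listed has left.
HR_ROSTER = {
    "alice": "finance-analyst",
    "bob": "helpdesk",
    "carol": "sysadmin",
}

# Constructed role matrix: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "erp-post-journal"},
    "helpdesk": {"ad-reset-password", "ticketing"},
    "sysadmin": {"ad-domain-admin", "backup-admin", "ticketing"},
}

# Constructed account export, as you might pull from AD plus each application:
# account name, recorded owner (HR user id or None), granted entitlements,
# and the date of the last interactive logon (None if never).
ACCOUNT_INVENTORY = [
    {"account": "alice", "owner": "alice",
     "entitlements": {"erp-read", "erp-post-journal"}, "last_logon": date(2020, 6, 28)},
    {"account": "bob", "owner": "bob",      # helpdesk tech "temporarily" made domain admin
     "entitlements": {"ad-reset-password", "ticketing", "ad-domain-admin"},
     "last_logon": date(2020, 6, 30)},
    {"account": "carol", "owner": "carol",
     "entitlements": {"ad-domain-admin", "backup-admin"}, "last_logon": date(2020, 6, 29)},
    {"account": "dave", "owner": "dave",    # left the company; account never disabled
     "entitlements": {"erp-read"}, "last_logon": date(2019, 11, 3)},
    {"account": "svc-backup", "owner": None,  # service account with no recorded owner
     "entitlements": {"backup-admin"}, "last_logon": date(2020, 6, 30)},
]


def review_accounts(inventory, roster, role_matrix, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (account, issue, detail) tuples for a reviewer to act on.

    issue is one of:
      orphaned          owner missing or no longer on the HR roster
      excess-privilege  entitlements beyond what the owner's role needs
      dormant           no interactive logon within dormant_days
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for rec in inventory:
        name, owner = rec["account"], rec["owner"]
        if owner is None or owner not in roster:
            # No valid owner means nobody can vouch for any of its access;
            # the fix is to disable it, so excess privilege is not scored.
            findings.append((name, "orphaned", f"owner={owner!r} not on HR roster"))
        else:
            allowed = role_matrix.get(roster[owner], set())
            excess = rec["entitlements"] - allowed
            if excess:
                findings.append((name, "excess-privilege", ",".join(sorted(excess))))
        last = rec["last_logon"]
        if last is None or last < cutoff:
            findings.append((name, "dormant", f"last logon {last}"))
    return findings


if __name__ == "__main__":
    for account, issue, detail in review_accounts(ACCOUNT_INVENTORY, HR_ROSTER, ROLE_ENTITLEMENTS):
        print(f"{account:12} {issue:17} {detail}")
```

Against the sample data this flags bob’s leftover domain-admin right, dave’s account (orphaned and dormant) and the ownerless backup service account, and says nothing about alice or carol. The hard part in real life is not the script but the role matrix: writing down what each role actually needs is the work that the annual review is really forcing you to do.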
Level 3 (IG3): These controls build upon those in Level 1 and Level 2 and focus on what you need as you mature your cyber security protection capabilities. It is like your child is ready to start dating and now you need to teach them about safe sex, how to cook without getting salmonella, or how to clean up after themselves so the dishes in their room do not grow a new form of COVID. A CIS example at this level is having a Security Information and Event Management (SIEM) system in place and regularly tuning it so that it surfaces actionable events and suppresses the noise. Deploying the SIEM is the easy part; left untuned, it will page you for every failed logon, including the ones your own vulnerability scanner generates, and the real alerts get lost in the pile.
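To make “tuning” concrete, here is the same batch of failed-logon events run through an untuned rule and a tuned one. This is an added example written for this post, not code from CIS, from any SIEM product, or from the original article: the log lines are constructed, and the field layout, the host names, the 10.0.5.20 scanner address and the five-failures-in-five-minutes threshold are all assumptions for illustration.

```python
"""SIEM tuning: one set of failed-logon events, before and after noise reduction.

Added example, not from the original post or from any SIEM product. The log
lines are constructed; the field names, host names, the scanner address
10.0.5.20 and the 5-failures-in-5-minutes threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a vulnerability scanner (10.0.5.20) that fails
# logons by design, two users who fat-fingered a password once, and one
# outside address hammering the admin account on the mail server.
SAMPLE_LOG = """\
2020-07-01T09:00:01 host=web01 event=logon_failed user=root src=10.0.5.20
2020-07-01T09:00:02 host=web01 event=logon_failed user=admin src=10.0.5.20
2020-07-01T09:00:03 host=db01 event=logon_failed user=root src=10.0.5.20
2020-07-01T09:00:04 host=db01 event=logon_failed user=admin src=10.0.5.20
2020-07-01T09:00:05 host=mail01 event=logon_failed user=root src=10.0.5.20
2020-07-01T09:00:06 host=mail01 event=logon_failed user=admin src=10.0.5.20
2020-07-01T09:10:00 host=web01 event=logon_failed user=bob src=10.0.5.31
2020-07-01T09:10:09 host=web01 event=logon_ok user=bob src=10.0.5.31
2020-07-01T09:20:00 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:05 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:10 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:15 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:20 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:25 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:30 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:20:35 host=mail01 event=logon_failed user=admin src=198.51.100.7
2020-07-01T09:40:00 host=db01 event=logon_failed user=carol src=10.0.5.44
2020-07-01T09:40:12 host=db01 event=logon_ok user=carol src=10.0.5.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the key=value lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def untuned_alerts(events):
    """The rule as first deployed: every failed logon is its own alert."""
    return [ev for ev in events if ev["event"] == "logon_failed"]


def tuned_alerts(events, threshold=5, window=timedelta(minutes=5),
                 suppressed_sources=frozenset({"10.0.5.20"})):
    """Tuned rule: ignore the known scanner, then raise one alert per source
    once it accumulates `threshold` failures inside a sliding `window`.
    Later failures from a source that is already alerting are folded into
    its open alert instead of paging again."""
    recent = defaultdict(deque)      # src -> failure timestamps inside the window
    seen_users = defaultdict(set)    # src -> user names it tried
    seen_hosts = defaultdict(set)    # src -> hosts it tried
    alerts = {}                      # src -> alert dict, in firing order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "logon_failed" or ev["src"] in suppressed_sources:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        seen_users[src].add(ev["user"])
        seen_hosts[src].add(ev["host"])
        if src in alerts:
            alerts[src]["count"] += 1
        elif len(q) >= threshold:
            alerts[src] = {"src": src, "first": q[0], "count": len(q),
                           "users": seen_users[src], "hosts": seen_hosts[src]}
    return list(alerts.values())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"untuned: {len(untuned_alerts(evs))} alerts")
    for a in tuned_alerts(evs):
        print(f"tuned:   {a['src']} {a['count']} failures from {a['first']} "
              f"users={sorted(a['users'])} hosts={sorted(a['hosts'])}")
```

On the sample, the untuned rule raises sixteen alerts and the tuned rule raises one, for the outside address that failed eight times against admin. Two tuning caveats a practitioner will want: suppressing a source outright means an attacker who lands on the scanner host is invisible, so route those events to a low-severity queue rather than dropping them, and re-check the suppression list and threshold on a schedule, which is exactly why CIS words the control as tuning the SIEM regularly rather than once.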
At this point, you may be asking, “how do I evaluate myself to know if I am clean or if I have the funk?”
For a knowledgeable cyber security practitioner (someone who has the experience, has passed exams, earned certifications, and stays on top of the newest trends in cybersecurity), this is a relatively simple exercise: walk the controls in your Implementation Group and check each one against your environment. For a person without that training, you may need to do some research to understand the controls and whether your environment meets them; CIS publishes the controls, mapped to Implementation Groups, at no cost, so the list itself is not the obstacle. Either way, it can certainly be done at relatively low cost and with modest effort.
I say this with 100% seriousness: I would much rather a client spend a little money on an assessment to determine what “funk” needs to be cleaned up, and then fix it, than a ton of money on the cleanup after a cyber incident permanently damages their business.
If you need help, Assura performs these types of evaluations and all assessments are, of course, confidential. Contact us and we’re happy to provide you with guidance.
Thanks for indulging me in my horrible hygiene jokes to make a point about an important topic. Hopefully, you feel that your patience was rewarded.
Until next time… Stay agile. Stay safe. Stay sane.
– The Disaster Lady (Karen)