
It must burn your hands…

People sometimes ask me “Why do you keep repeating the same common recommendations to your customers again and again? Don’t they understand them the first time?” I sometimes wonder what the right answer should be.

It’s true that technology has evolved drastically in the last decade: new fancy features, new sophisticated attacks and new, even more sophisticated defense lines. Call it a cat-and-mouse game, an arms race, cops against thieves, whatever…

But aside from such sophistication, there are some simple, basic recommendations (I don’t dare to say “stupid”!) that are still not met. For instance, we could list the following 10 commitments:

  1. Managing inventories and obsolescence. You cannot protect systems for which there is no more R&D and about which nobody cares… And you can’t protect what you don’t even suspect exists.

  2. Applying all patches on all systems. At least critical / cybersecurity patches. At least on critical systems. That’s so-called “hygiene”.

  3. Changing default passwords *prior* to any system or application go-live. And enforcing a proper password policy, of course.

  4. Implementing 2FA/MFA (two- or multi-factor authentication), as identifiers and passwords are not enough to protect you today. In fact, today we are even moving towards passwordless applications.

  5. Filtering all network connections. At least at the edge of your networks. Forget about permissive rules: everything not explicitly permitted must be rejected. That’s it.

  6. Segregating guest networks from corporate ones, and splitting your internal networks even deeper.

  7. Managing identities and access rights. No, you should not have 10 times more active user accounts than individuals in your company!

  8. Making sure you have at least a user policy, not to mention an Information Systems Security Policy. Everything not written down cannot be enforced. Also make sure that you deliver awareness programs at least on a yearly basis…

  9. Making sure that you keep the logs generated by your systems (which first means that such systems must generate logs…). You can’t and should not ignore what your systems try to tell you.

  10. Being ready to manage a crisis. If you’re not, then you’ll probably have to manage even more severe damage, and you pretty surely won’t enjoy it.

The above is not only meant to be observed in large organizations. Small and medium businesses can clearly afford it as well. I would even dare to say that most of the above can be done at home. Sometimes, it’s even easier for smaller organizations (faster decision processes, simpler inventories, etc.) to apply most of those rules. It’s not that complex nor expensive and it will not drastically impact your user experience.

And I strongly believe that the above is the strict minimum: you cannot just pick 2 or 3 of them and consider that you’ve done your job, let alone that you’re on the safe side.

Neither can AI and automation (the current buzzwords) do it all for you. They are there to ease your job, extend your workforce and therefore let you focus on your main objectives. But I don’t believe they will substitute for most of your tech guys. At least that’s not what I have observed in the last few years.

Same for Cloud Service Providers: many companies believe that being hosted at Google / Microsoft / Amazon is a passport to safety. I consider that this is clearly wrong. It only means that you’re given the tools to secure your systems, not that these tools are effectively and properly used.

Some “tech guys” who are not willing to evolve will surely have to think twice, consider upskilling (we can for sure work on it together!) or… find another job. Admins who still use “Password2024!” as privileged passwords should now have their hands burning.

I know the statement is strong. But it has to stop.

Same for those who use “admin / admin” as ID and password, those who write their passwords in a cleartext Excel file, those who carefully write “permit any any” within firewall rules…
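As an added example (not part of the original post), a small Python lint for the item 5 / “permit any any” point: it reads a constructed, simplified Cisco-style ACL (the syntax and both sample rulesets are made up here) and flags blanket permits, the rules they shadow, and a ruleset that does not end with an explicit deny.

```python
import re

# Simplified, constructed Cisco-style ACL syntax: "<permit|deny> <proto> <src> <dst> [eq <port>]"
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?$"
)

def audit_rules(rules):
    """Return (line, rule, reason) findings that break 'deny unless explicitly permitted':
    a blanket permit (any source, any destination, no port), rules shadowed by it,
    and a ruleset that does not end with an explicit deny."""
    findings = []
    last_action = None
    wildcard_at = None  # line of the first blanket permit, if any
    for n, raw in enumerate(rules, start=1):
        line = raw.strip()
        if not line or line.startswith("!"):  # blank lines and ACL comments
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, line, "unparseable rule"))
            continue
        if wildcard_at is not None:
            # first match wins: everything after 'permit any any' is dead
            findings.append((n, line, f"unreachable: shadowed by permit any any at line {wildcard_at}"))
        elif m["action"] == "permit" and m["src"] == m["dst"] == "any" and m["port"] is None:
            findings.append((n, line, "permit any any: allows all traffic"))
            wildcard_at = n
        last_action = m["action"]
    if last_action != "deny":
        findings.append((len(rules), "", "no explicit final deny"))
    return findings

# Constructed sample rulesets, not taken from any real device.
PERMISSIVE_RULES = [
    "! edge ACL, inbound",
    "permit tcp 10.0.0.0/8 any eq 443",
    "permit udp 10.0.0.0/8 10.1.1.53/32 eq 53",
    "permit ip any any",
    "deny ip any any",
]
HARDENED_RULES = PERMISSIVE_RULES[:3] + ["deny ip any any"]

if __name__ == "__main__":
    for line, rule, reason in audit_rules(PERMISSIVE_RULES):
        print(f"line {line}: {rule!r}: {reason}")
    print("hardened findings:", audit_rules(HARDENED_RULES))
```

The hardened list keeps the two scoped permits and ends on the explicit deny, so it produces no findings; the same check can be fed a real export once the regex is adapted to the device’s syntax.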

Time has come to consider this unacceptable.

To conclude, I often ask the Execs of my customers which portion of their company’s cybersecurity strategy they are aware of, and how supportive of it they are. Most of the above commitments are far too technical for them. But it’s hard to communicate any executive statement or strategy while your teams are in fact still focused on the above “basic” technical objectives. That gap between executive expectations and basic technical operations prevents proper cybersecurity efficiency.

And if those 10 commitments are not met, it’s usually irrelevant to consider other initiatives to secure the company.
