QUERCUS BLOG
Industry Insights from Our Experts

The Lion and The Crocodile: The Constant Pursuit of Online Security

Filed under Security

The Lion is in Pursuit. Our Technology is the Prey.

The Internet has opened us up to the planet. Addicted to connectivity, our people and assets are available to attackers almost anywhere, through anonymous, high speed connections. The lion comes in various forms, many of them digital.

How can we measure with confidence that we’re running strong with the pack and have appropriately safe technology, and we’re not one of the sickly laggards, unable to keep up, ripe for the picking?

The Flawed “Assume Breach” Mentality

A multitude of media suggests that there are two types of organizations: those that have been breached, and those that don’t know they’ve been breached yet. This defeatist mentality preaches that the failure has already occurred: there’s nothing to be done; we might as well give up, because we can never win. None of us really act this way. We remain dedicated to delivering the best product or service possible in our marketplace.

The Attacks

From foreign soil, most attackers use a technique known as “spray and pray”. Through many different vectors, they lob softballs at any target and see what sticks. If you’re in a functionally weak information security position, you’re in danger. In my experience, clients use two arguments against professional protection:

  1. “I don’t have anything of value.”
  2. “I’m not worried, my tech personnel have this under control.”

IT professionals have been hired to maintain your systems, not your security. Third party protection professionals are needed to implement the digital security your IT department will then continue to enforce; your IT personnel are prepared to enforce it, but they are not prepared to develop new tactics against system infection.

Too often we encounter organizations that deny the importance of information security, then grow frustrated with IT over a week of downtime caused by an untrained user clicking a malicious link in an attacker’s email. The key to network efficiency and security is continued training of non-engineering staff against the network vulnerabilities already identified.

Incremental Improvements for a Better Tomorrow

The outcome of an information security program can become quickly overwhelming. If everything is a priority, nothing is: we become the trailing, weak prey that can’t keep up with the pack.

The “Four Cores of Measurable Information Security” program was developed so that Edmonton-sized businesses can build achievable roadmaps toward better tomorrows. The “Four Cores” include awareness and guidelines for our CFOs, shippers, receptionists, and salespeople. These are four pieces of a complex puzzle, and each is integral to every organization:

  1. Policy and Compliance:
    Security program enforcement indicates how effectively the organization can access resources when required.
  2. Data and Infrastructure:
    Traditional “hacker bait”, including the locations where data is stored, the systems on which data is used, and the facilities on which data is transferred.
  3. Human Targets:
    Typically referred to as Social Engineering, this is the modern attack surface used by malicious actors to infiltrate your organization.
  4. Recovery Capacity:
    If a security breach happens, is the response organized and prepared? This includes business continuance, disaster recovery, and incident response plans.

If you’re curious about where you stand, the process begins with a questionnaire for key people in the organization. This can be business unit managers, IT staff, receptionists, accountants; whoever has a finger on the organization’s pulse. Some of it is technical, to be addressed by the IT team. Some of it is policy based, to be understood by the business leaders.

“I don’t know” is a perfectly acceptable answer on every question! The questionnaire should take each respondent around 10 minutes to answer. If nothing else, you and your people are thinking about online security. Based on the answers’ consensus – or lack thereof – we deliver a free baseline report, outlining strengths and weaknesses as measured by YOUR responses to the Four Cores, and how you feel about your organization’s posture.

If the questionnaire resonates with the organization and a desire to move forward rises, we port the baseline metrics into a corporate-culture-compatible program. Incremental, functional, and achievable improvements, designed to change habits and develop awareness always reduce risk.

The End Goal


An effective security program isn’t designed to instantly be the fastest in the pack of technology targets. A focus on healthy habits will keep many of the lions of the internet at a safer distance, one step at a time. The lion longs to eat the stoic and steely crocodile, who wades in the shallows and presents a target for the lion to attack. The crocodile’s defensive strategies insulate him from the predatory lion’s attacks. Be like the crocodile.

Contact us to learn more!

About Adam McMath

Certified Information Systems Security Professional, Entrepreneur, White-Hat Hacker.
With 20 years of IT experience, Adam specializes in reducing corporate risk from modern and evolving cyber threats.

Copyright 2017 by Quercus Solutions