In security, it’s often said that you will have little success within an organization if you do not have buy-in from management. However, there’s a larger group that is often overlooked though critical to a successful security program. And they impact all aspects of your security posture. That group, of course, is the end users.
We’ve all heard of (or worse, been part of) a company with a super strict security team. If you fall for a phishing campaign, you need to report in person to the security department, where they ridicule or chastise you for your error, make you take remedial phishing training and complete an online test, or worse, revoke your network credentials for a period. While this may be effective from a security standpoint, it’s detrimental to the overall health of the security program. See, presenting a punitive result for an action that is, from the end users’ perspective, simply an attempt to get their work done doesn’t foster knowledge or understanding: it’s simply an attempt at conditioning. This often creates a negative response and image for the security department - both from an interpersonal perspective and from a business perspective.
Let’s just say there’s a lot to learn from history without quoting Sun Tzu… again. Especially in information and cybersecurity. While much of the birth of the cyber realm revolves around the military - many of the members of our community are current or former members of various armed forces - many of us still refer to the military influence of old when working through our business planning and various actions revolving around cybersecurity. A great example is the common use of or reference to Boyd’s OODA (Observe–Orient–Decide–Act) loop flow chart in both attack and defensive security applications. In sticking to a military theme, I want to touch on a story from World War II and its applicability in today’s modern cybersecurity world.
Let’s take a look at an often under-utilized aspect of network topology in the small to medium business realm: that’s right, a networking article. But before you run off, what if I told you you could increase performance and lower your production downtime with equipment you (might) already have!?
There’s no silver bullet when it comes to cybersecurity. But there are a few basics that nearly any organization – whether it’s a hospital, school, financial institution, government entity, or manufacturing plant – can put into place to get a start on their cybersecurity plan.