Business leaders and gamblers know risk. Success means managing risks effectively. The better they do, the better the returns.
Often overlooked is another similarity: table stakes. Gamblers have to pay to play; certain games have minimum table stakes you must ante to participate. For business, the ante is investing enough time, money, and effort. That applies to security, too. In fact, businesses must meet the security table stakes before implementing even minimum viable security.
This article addresses the six things every organization needs, regardless of size, industry, and budget. To be clear, this is not the one-size-fits-all prescription for security. These are the common barriers that prevent minimum viable security. For many, these represent the barrier to entry. If you are not addressing these six items, you should stop reading and start working immediately.
Firewalls
A firewall represents the first barrier of protection between a system and its surroundings. Each system should have its own software firewall which protects it from threats on its local network. Each local network should have a firewall which protects it from the Internet. Firewalls should disallow all but known, expected, and desired traffic.
Patching and Updates
All software systems have flaws, and many of these can result in a security vulnerability. Manufacturers are constantly at work trying to address these flaws and correct them. The information system must be regularly updated and patched to take advantage of these changes made by the vendor. Each information system should be updated and patched as frequently as possible. These updates must include the operating system and all installed software packages as well. (For example, apply updates not just to Microsoft Windows, but also to Microsoft Office, Adobe Acrobat, and Java.)
Anti-malware
Anti-virus and anti-spyware solutions exist in many forms and many capability sets. The most important thing is to scan all incoming files and emails for known threats. Anti-malware solutions will not solve every problem. It is trivial to create new malware that is not immediately detected, but as the malware is recognized, defenses against it will improve. Note: as with the above, anti-malware solutions also need regular patching and updating. Anti-malware definitions should receive daily updates.
Unprivileged Accounts
A core concept of most information systems is to have both a privileged and a non-privileged mode. Non-privileged processes cannot do things like overwrite system files, or kill system processes. Avecto recently published a study that indicates removing administrator rights would mitigate a whopping 92% of critical vulnerabilities. While it may result in some inconvenience, it is hard to argue with a 92% reduction in attack surface.
Backups
Information security is not just about making sure other people don’t get your information. It is also about making sure you can still access your information in a reliable, trustworthy way. You might lose information because of a system failure, the hijacking of your account, malware such as CryptoLocker, or many other means. The only defense against information loss is to have reliable backups. Backups should be tested regularly, secured, and stored in a different physical location.
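One way to put "tested regularly" into practice, as an added example that is not from the original article: record a hash manifest when the backup is taken, then prove the archive restores by extracting it into a scratch directory and comparing every file against that manifest. The file names and contents below are constructed sample data.

```python
import hashlib, os, tarfile, tempfile
from pathlib import Path

def make_manifest(src_dir):
    """Map each file's relative path (POSIX separators) to its SHA-256."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return manifest

def create_backup(src_dir, archive_path):
    """Archive src_dir and return the manifest recorded at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return make_manifest(src_dir)

def verify_backup(archive_path, manifest):
    """Restore into a scratch directory and diff it against the manifest.
    Returns a sorted list of problems; an empty list means the backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The "data" filter (3.12+, backported to 3.8.17+) rejects members
            # that would escape restore_dir; older interpreters use the default.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)
        restored = make_manifest(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append("missing: " + rel)
            elif restored[rel] != digest:
                problems.append("corrupt: " + rel)
    return sorted(problems)

def demo():
    """Constructed sample: a clean backup, then one taken after loss and change."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        Path(src, "sub").mkdir(parents=True)
        Path(src, "a.txt").write_text("ledger 2014\n")
        Path(src, "sub", "b.txt").write_text("customer list\n")
        archive = os.path.join(work, "backup.tgz")
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest)
        Path(src, "sub", "b.txt").unlink()                       # a file is lost
        Path(src, "a.txt").write_text("ledger 2014 (edited)\n")  # a file is altered
        create_backup(src, archive)                              # new archive, old manifest
        return clean, verify_backup(archive, manifest)
```

Keep the manifest with the off-site copy, not only on the machine being backed up, so a later restore test has something independent to compare against.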
Incident Response Plan
The reality is that despite taking the five steps above (and perhaps many others as a part of your minimum viable security program), you will encounter an incident. You will suffer a breach and lose confidential information. Your system will crash, or your site will shut down due to a denial of service attack. When the inevitable happens, it is critical to understand what to do next. Who should I contact first? What actions should I take, such as filing police reports or contacting the internet service provider? What evidence must I secure? When do I call the lawyer? A plan – even if it is a one-page emergency contact list – can save time when it is most needed.
Ante up: How to meet the security table stakes
This is the evolution of minimum viable security. From the small retail shop to the startup and even larger enterprises… these are the security table stakes. In many cases, implementing these might take a few hours. It’s the start of a new approach. It’s the way to protect what matters.
The six components that make up security table stakes – firewalls, patching and updates, anti-malware, unprivileged accounts, backups, and an incident response plan – need to be part of every information system. Only after addressing these can you get on with the business of understanding minimum viable security for your organization. Address these basic controls, or risk wasting any other efforts you might put toward security.
We are creating a training course that will discuss security table stakes and minimum viable security in more detail. The course will include examples of each of these specific topics, and stories about their success and failure. The course will also provide other helpful information about implementing your own security program. Sign up for the course here: http://eepurl.com/QapC9