Do you know what a “cold plunge” is?
That’s when you sit in a bath of ice water for several minutes.
I don’t remember the first time I learned about it, but I’ve been thinking of doing it for many years.
Well, yesterday, I finally tried it.
I went to Kelo Spa & Steam, a local establishment featuring “very special kelo timber logs, carefully selected and imported from Lapland, Finland,” all of which I assume matters in some way.
The idea is simple. Over the course of a couple of hours, you go back and forth between the sauna — average temperature: “surface of the sun” — and the cold plunge, which is kept at a balmy 34 degrees Fahrenheit.
Among the promised benefits:
- Muscle Recovery and Reduced Soreness
- Stress Reduction
- Improved Sleep Quality
- Mood and Mental Wellness
- Immune and Illness Benefits
But who knows? Never take medical advice from a cybersecurity professional. I just really wanted to try it.
I have to confess, I mistakenly assumed the cold plunge temperature was going to be in the 50s.
So when I realized what I was in for, I chickened out and went home.
Just kidding! I went in for 35 seconds. Popped out.
Then I went into the sauna for about 20 minutes.
Then back into the cold plunge for two minutes.
Then into the sauna for another 15 minutes, leaving earlier this time because my glasses were getting too hot to touch.
And finally, back into the cold plunge for a final, exhilarating three minutes.
Did the experience improve my health? Too soon to tell.
I can share, however, that the extreme temperature differences were helpful in erasing from memory the sight of men of all shapes, sizes, and ages walking around with their bits out. (This modest cybersecurity guy wore a bathing suit.)
One Day, You Will Have to Take the Plunge
Not the cold plunge, although you may want to try that too.
I’m talking about the equally scary cybersecurity plunge: the brace-yourself-and-just-get-in courage it takes to start down the path of keeping the bad guys at bay.
Here are some practical steps to get you started…
Inventory Your Data / Systems
You can’t protect what you are unaware of. For any reasonably-sized company, these items number in the hundreds.
Inventory includes devices, cloud accounts, and sensitive data (e.g., HR, financials, customer info). Commit to knowing what and where everything is.
Implement “Universal” Cybersecurity Controls
- Turn on Multi-Factor Authentication. This two-step requirement for log-in to any password-protected location raises the bar significantly for any bad actor that seeks to infiltrate your organization.
- Configure your email and DNS securely. The default settings within popular email systems are often poor (I’m looking at you, Microsoft 365!). Having an expert complete this reduces the likelihood of spoofing emails coming into your environment, as well as others sending emails while pretending to be you or a member of your organization.
- Institute Anti-virus / Endpoint Detection and Response (EDR). You’d be surprised how many folks need convincing before agreeing this is necessary. But like a daily consumer of Big Macs who goes vegan after their first heart attack, just one episode of this type will change your mind.
Establish a Security Culture
Steering people to do the right thing is the highest variability part of your security program. Some do amazing. Others less so. And since things like phishing and easily guessed passwords lead to many compromises, ongoing training and awareness is essential. (“If you see something, say something.”)
But if it’s just a check-the-box exercise you require once a year, you may be no better protected than if you did no training at all. Effective training is both ongoing and practical, with a consistent emphasis by senior leadership on the importance of good cybersecurity behavior.
Ensure Your Policies and Procedures Are Realistic
- Make sure your incident response plan has key contact details, cyber insurance contact information, and approved vendors and checklists.
- Develop an acceptable use policy and offboarding checklist.
- Keep policies short and plain-language (nobody reads 40-page documents).
- If possible, tie policies to tools, so compliance is the path of least resistance.
Know When to Bring in Help
Your team may be lacking the bandwidth, the necessary cyber skills, or both. An honest assessment of where you stand is well worth the time and effort.
If you are having a tough time taking the plunge, it may mean you need someone (okay, someone like us) to help you get your program going!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click!