COVID and Cyber Hygiene: Not That Different

Published on 16th July 2020 Author: Rob Black

“We are doing a good job with social distancing. We stay inside a bubble.”

I’ve heard this kind of thing from many friends and neighbors recently regarding their COVID behavior. But I’m not exactly buying it. For many, the “bubble” — the small group of close friends and relatives we have each chosen to interact with freely — may include dozens, even hundreds, of others.

And don’t even get me started on keeping track of my children’s behavior. I learned quickly that a seven-year-old’s sense of “keeping six feet away” is not as precise as one might like (maybe I need to try it in meters).

Unfortunately, most humans — of all ages — do a terrible job of self-assessing risk. With COVID, that comes down to gauging how certain behaviors impact the likelihood of infection to ourselves or to others.

Well guess what? Cyber risk assessment works in precisely the same way.

Everything is a Trade Off

One of our clients doesn’t patch its systems regularly. Another doesn’t run Anti-Virus. In both cases, the explanation for not doing so is some version of, “We have never had a problem, so it’s not a priority.”

Unfortunately, and while “so far so good” may work in certain circumstances, when it comes to keeping your network and, more broadly, your company, safe, this is like not buying life insurance because, so far, you have not died.

I understand — cyber-hygiene activities are decidedly inconvenient, and the absence of a bad event is rarely noticed, let alone celebrated.

That said, there are some things that are so important for reducing an organization’s cybersecurity risk that they are absolutely essential:

Training. All personnel need to learn how not to fall prey to phishing, spoofing and other scams.
Multi-factor authentication. For every system, wherever possible.
Patching. Most cyber-attacks target vulnerabilities that have been present for years. A systematic patching program keeps everything up-to-date and closes the door on these weaknesses.

What’s Your Risk Model?

Beyond the three essentials above, when it comes to determining which additional steps you should take to protect your organization, it’s a function of both the risk involved and how much of it you are willing to accept.

In the case of COVID, a 25-year-old and an 85-year-old don’t have the same degree of risk. Even so, as a result of differing levels of risk acceptance, the older person may be more willing to eat inside a restaurant.

Cyber security is no different; there’s no objective definition of “safe” or “unsafe.” It’s always a question of balancing the likelihood of a negative event against the investment of time, money and personnel required to lessen its probability.

Towards that end, we recommend these two steps…

#1. Conduct an assessment. Review all the behaviors within your organization that carry the potential for damage. This may be done internally or with the help of an outside party.

Either way, you want to come away with a clear-eyed understanding of your risk. Done properly, the assessment should provide quantifiable estimates, such as, “If we don’t do X, we have a 5% chance of a $2M loss occurring in the next year.”

#2. Make a decision. For each instance of risk, there are four possible options: Accept it (i.e., do nothing); Avoid it (e.g., close certain business lines, stop certain behaviors); Mitigate it (e.g., implement controls); or Transfer it (e.g., purchase insurance).

Again, there is no correct answer. The goal is to make a reasoned business decision regarding how much risk you are willing to accept and under what circumstances.

Conclusion

When it comes to personal behaviors, each of operates based on a collection of risk models, whether that concerns wearing a bike helmet, smoking a cigarette, or attempting to reason with a seven-year-old (not recommended).

For most of us, these are not data-driven decisions and often reflect a fair amount of self-delusion. Usually, in our personal lives, that’s good enough.

In business, however, it isn’t. Not only do vague, gut-based risk models lead to inconsistent decision-making across the organization, they introduce (often huge) blind spots that, left unnoticed, can bring a thriving business to its knees.

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).