I don’t remember much about middle school.
It was the 80s, though, and things were certainly different back then. We had real chalk boards (with erasers that needed periodic clapping), gender-separated gym classes, and junk food and soda in the vending machines.
One memory, in particular, has stayed with me. It happened in science class when a careless student (no, it wasn’t me) accidentally broke a mercury thermometer.
Mercury, of course, is highly toxic. So the teacher evacuated the room, opened the windows, put on gloves and a mask, and cut away the carpet where it spilled. Then he put the spilled mercury in a secure container, and we were kept out of the classroom for several days while the school monitored for vapors.
Of course, I am totally kidding! It was the 80s, remember? He told us to move away from the spill, swept it up, and went right back to teaching. I’m not even sure he washed his hands.
Yesterday’s Rules No Longer Apply
You’d be shocked if a present-day science teacher responded to a mercury spill the way mine did thirty years ago. And that’s understandable; best practices, across all industries, change over time.
In cybersecurity, though, they change very, very quickly.
Here at Fractional CISO, we tend to have two distinct types of clients: those whose companies were formed within the past three years, and those that are older (some, significantly older).
Three years may not seem like a long time. But these older companies began before “current standards” were developed. As a result, we have found all sorts of security “mistakes” – practices that were perfectly acceptable as recently as three years ago.
These include things like HTTP not redirecting to HTTPS, servers or applications that have not been patched in several years, and continued reliance on cryptographic algorithms that have since been deprecated.
Notice that I am not talking here about anything that is actually “broken” – the technology is running just fine in terms of supporting its business users. The point is that, even at companies with “good security practices,” if the same project or function were begun today, it would be built in an entirely different way.
Everyone Needs an Internal Audit
If you are an “old” company (pre-2017), the key to ensuring that your technical teams are not simply “sweeping up spilled mercury” is to perform a periodic, internal audit. Done well, these contain three elements:
1. Independence.
Select an internal auditor who doesn’t have a stake in the department being audited. This person need not be an employee (we do these regularly on behalf of our clients), but if they are, they should be free from the constraints and biases that a member of the audited department would bring.
2. Functional Breadth.
Make sure your internal audit spans all areas where security vulnerabilities may exist:
Access Control – Who has access to what? Has anyone on the list left the organization? Does each of these people still need this level of access?
Change Control – Is the organization documenting key system changes properly? Can you tell whether employees are making approved changes or doing ad hoc updates?
Assets – Do you have comprehensive lists of all of your devices and applications?
Configuration – Are your cloud permissions and firewall rules set up correctly? Are your systems being patched on schedule?
Vendors – Are vendors following your policies? Do they have strong cybersecurity controls?
Alerts and Notifications – Are people looking at alerts? Are they being resolved in a timely manner?
Incident Response Processes – Do people know what to do if an incident occurs? Do they know who they should contact?
Backups – Are you backing everything up correctly? Is it encrypted? Have you tested restoring data?
3. Frequency.
Internal audits should be performed quarterly for some activities, annually for others. Whatever the specifics, you need to create a schedule and stick to it (audits are notorious for being back-burnered!).
Do these even if you don’t quite know how. You’ll get better over time; when it comes to internal audits, something is better than nothing.
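To make the Access Control item concrete, here is what that part of an internal audit looks like once it is automated. This is an added example written for this post, not a tool from Fractional CISO or from any client: it reconciles an application’s account export against the HR roster and flags accounts belonging to people who have left, accounts with no HR record at all, roles that exceed what a department needs, and logins that have gone stale. The roster, account list, role policy and audit date are all constructed for the example.

```python
"""
Added example for this post (not code from Fractional CISO): an automated
pass over the Access Control item in the checklist above. It reconciles an
application's account export against the HR roster and flags accounts that
belong to departed people, accounts with no HR record at all, roles that
exceed what a department needs, and logins that have gone stale.
All names, roles and dates below are constructed for illustration.
"""
from datetime import date

# Constructed HR roster, as exported from the HR system: user -> status, department.
HR_ROSTER = {
    "alice": {"status": "active", "department": "engineering"},
    "bob":   {"status": "terminated", "department": "sales"},
    "carol": {"status": "active", "department": "finance"},
    "dave":  {"status": "active", "department": "sales"},
}

# Constructed account export from one application (e.g. a cloud console).
ACCOUNTS = [
    {"user": "alice",      "role": "admin",  "last_login": "2024-05-01"},
    {"user": "bob",        "role": "admin",  "last_login": "2024-01-15"},
    {"user": "carol",      "role": "viewer", "last_login": "2023-09-30"},
    {"user": "dave",       "role": "admin",  "last_login": "2024-05-03"},
    {"user": "svc-deploy", "role": "admin",  "last_login": "2024-05-02"},
]

# Constructed policy: the highest role each department is expected to need.
MAX_ROLE_BY_DEPT = {"engineering": "admin", "sales": "viewer", "finance": "editor"}
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}

# Date the review is run; fixed so the example is reproducible.
AUDIT_DATE = date(2024, 5, 10)


def review_access(accounts, roster, today, stale_days=90):
    """Return a list of findings, one dict per issue, for the given account export."""
    findings = []
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        person = roster.get(user)

        # No HR record: either an undocumented service account or an orphan.
        if person is None:
            findings.append({"user": user, "issue": "unknown",
                             "detail": "no HR record; confirm owner or disable"})
            continue

        # The person has left but the account still exists.
        if person["status"] != "active":
            findings.append({"user": user, "issue": "departed",
                             "detail": f"HR status is {person['status']}; disable the account"})
            continue

        # Role is higher than the department's policy allows.
        allowed = MAX_ROLE_BY_DEPT.get(person["department"], "viewer")
        if ROLE_RANK[role] > ROLE_RANK[allowed]:
            findings.append({"user": user, "issue": "excess",
                             "detail": f"role {role} exceeds {allowed} for {person['department']}"})

        # Account is live but nobody has used it in a long time.
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append({"user": user, "issue": "stale",
                             "detail": f"last login {idle} days ago; confirm still needed"})
    return findings


def run_review():
    """Run the review over the constructed data with the fixed audit date."""
    return review_access(ACCOUNTS, HR_ROSTER, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:<12} {f['issue']:<9} {f['detail']}")
```

On the constructed data this reports four findings: bob (departed but still an admin), carol (no login in over 200 days), dave (admin in a department that only needs viewer) and svc-deploy (no HR record). The same script run every quarter against fresh exports is the difference between an access review that happens and one that stays on the back burner.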
Final Thoughts on Internal Audits
In general, new companies don’t have these types of legacy problems. Unfortunately, in the world of cybersecurity, legacy means three years. Just because you were aligned with best practices at one point, it doesn’t mean you are anymore.
A robust internal audit is critical to ensuring that you are operating securely AND that you are living up to whatever your customer contracts require, or your marketing literature claims, regarding the protection of other people’s data.
I’ll be checking the vending machine for Bugles if you need me.
To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter, “Tales from the Click.” https://fractionalciso.com/newsletter/