In the spirit of Cyber Security Awareness Month, we wanted to do a five-part article on the Five Functions of NIST (National Institute of Standards and Technology). The goal is to provide a high-level overview of the things you should be doing to be more cyber-secure. We like the NIST framework because it is simple, logical and expandable. Everything you build as per the below would be rolled into your cybersecurity program and enforced via policies.
As you have probably seen in all the headlines, there is a cyber war going on and the cannabis industry is probably the next victim. Cyber criminals are constantly re-adjusting their targets. At first, they aimed at large enterprises, because that’s where the money was. Once the enterprises improved their tools and processes (aka it started getting harder), the cyber criminals attacked Small and Medium Businesses (SMBs) because they were easier and had not adapted yet. Now there is a new target in their crosshairs, the cannabis industry, because they are not [well] prepared.
For those who are not aware, cybersecurity now applies to all, and yes, that means you too. There used to be a time when only larger enterprises were targeted and SMBs could survive by doing the minimum (anti-virus and patching once in a while), but now data is the new oil and there is a rush to get more of it.
I had the pleasure of spending last week in San Francisco with IBM’s best and brightest at IBM Think 2019, and, pardon the pun, it got me thinking (a lot).
I will post a couple more entries on specific topics later, but high level:
For a lot of companies, IT is only a cost center; one of those necessary evils you must have in order to do business. Fortunately, this is changing: more and more, IT is now viewed as a service center, a group of people who are there to support the business and [hopefully] help move it forward. Although this may seem like simple semantics, it actually reflects a more profound shift in how IT is perceived and how it acts in its day-to-day tasks.
Private Cloud is actually a very interesting topic (if you forget all the hype around ze Cloud (<- insert Toy Story alien "ooo" sound here)). First, let’s clarify what I mean by “Private Cloud” (it has been used to describe many things lately, so let’s make sure we start at the same place). I will simply describe it as a company-owned system composed of software and hardware assembled together to provide cloud-type services (IaaS, PaaS, SaaS) to identified users via automation. I know there are some grey areas, but as far as I am concerned:
I am going to sound like a broken record [again]. Ransomware is still alive and well, and unfortunately that is [in part] thanks to people who do not follow basic security practices.
There is a saying in the security community: there are two types of organizations: those who have been breached, and those who do not yet know that they have been breached.
I will also let you in on a secret: not all breaches are avoidable; bad actors have too many tools and there are too many angles of attack (but that does not mean you should not try).
I was surprised by how many people I talked to were not aware of this specific topic, so I figured I would shed some light on it for all.
To keep things simple, I will address the business and technical angles separately.
For those who want to skip this section, here is the high level summary:
Ransomware is rising [again] and is sadly becoming a booming business for the “bad guys”. I will spare you the definition; there are plenty of good articles out there explaining what it is. What I wanted to focus on was prevention.