Earlier this month I had the opportunity to present to the Oregon Government Finance Officers Association on a panel with the FBI, the CIS from University of Oregon, and a lawyer. I've heard the guy from the FBI speak before and it's always enjoyable, but as I was listening to him this time I realized something that caught me off guard: the malware breaches they have to respond to started with really simple things that we all know how to defend against. Simple. Like a black cup of coffee, no frou-frou.
Like it or not, the way businesses are compromised initially is still pretty simple: human error. These are errors in configurations (sometimes) and errors in judgement (mostly). Most of the judgement errors are spam emails that people erroneously think are legit and so they respond to them, either with a reply or with a click.
So, what can you do? There are technical things that you can do for sure, but there are also a lot of non-technical solutions you can deploy right now to help your business… and to deploy those, you don't have to be techy. Here they are:
- Train your people
  - Consider videos or pre-built trainings so you don't have to build the outline yourself.
  - Train them to pay attention.
  - Train them to not trust email.
- Make a team that's responsible for your cyber security
  - Regularly meet with that team to talk about your plan, and how to improve.
  - Consider these things for your plan:
    - Deploy Multi-Factor Authentication where you can.
    - Deploy a password manager.
    - Deploy a patching policy.
- Train your people some more
None of those things require you to be a nerd; they just require you to pay attention. If you do some simple things and are faithful to do them year in and year out, you will drastically reduce your likelihood of falling victim.
I'm still pondering the fact that a lot of cyber security really isn't that complicated. It's probably like raising children: it's not complicated, it just takes time, attention, and consistency.