Security Wants To Be Free

Not all security needs to come with a price tag, and organizations shouldn't give up on becoming more secure because of cost concerns. A lot of security comes down to education, mindset, and taking advantage of the security already built into the products and technologies you own.

Note: This is the first in a series of articles, focusing on general security philosophy. Part 2 of this series looks at practical steps that can be taken to improve your organization's IT security posture.
Part 2 is available here.

IT security in an organization often gets neglected in the name of day-to-day business. This is, unfortunately, all too common, as businesses have their hands full with regular operations. One reason is that the market is awash with security products, and they are often quite expensive, so there can be a hesitation to spend that kind of money, or any money at all. After all, the accountants might say, new software costs money now, and security breaches don't cost money until they happen.

Neglecting IT security is a huge risk. The COVID-19 pandemic brought a well-publicized surge in cybercrime, but that surge was just a high-profile symptom of a problem that has been growing for a long time. (How long? Long enough that companies such as Intel and McAfee have been reporting on the growing cybercrime landscape since at least 2015.)

But even with all of that doom and gloom, IT security is not a lost cause. And it doesn't have to break the bank, either. Here are a few low- or no-cost IT security strategies that can help improve your security posture.

Embrace a Security Mindset

If you want to be secure, the first thing to do is work on consistently thinking securely. This mindset should be encouraged at all levels of your organization. Each product, process, and technology should be looked at not just from a business-objectives perspective, but from a security perspective as well. Thinking securely means asking follow-up questions about how a new thing protects confidentiality, integrity, and availability, e.g., "This database will organize all of our customer data, but how does it keep that data secure? Who can read it, how do we know it hasn't been tampered with, and what happens if it goes offline?" Sometimes a lot of research will have to go into getting a satisfactory answer to those questions, but it is in your best interest to get the answers before making a change to production, when changing course is still cheap.

Defaulting to thinking with security in mind is important for two reasons:

  1. Constantly thinking about security will make it easier to identify problematic technologies or business processes before they are deployed, and,
  2. A security mindset will make you and your users more comfortable with, and accepting of, change, provided that change makes the organization more secure.

Security can also be thought of quantitatively. Recognize that cybercrime is a real risk to your organization, and come up with a financial cost model for that risk. What would the harm be to your business if you were hit with ransomware, or your website were defaced? What if your customer data (or your own business financial data) were stolen and sold online? These are some of the most common consequences of breaches resulting from inadequate IT security. Much like an earthquake or a hostile takeover attempt, there is a way to assign a dollar value to these kinds of risks: estimate what a single incident would cost (downtime, recovery, lost business, regulatory penalties) and how often you realistically expect one, and you have a number to weigh against the cost of preventing it.

Understand The Threats That Exist, And How To Protect Against Them

This is the education that underpins the aforementioned security mindset. The goal here shouldn't be "become a heavily credentialed IT security ninja." The goal is simply to:

  1. Stay up to date on current security threats, and understand the different (and evolving) types of attacks that exist in the wild, such as malware, ransomware, phishing, and social engineering.
    There are a multitude of free news outlets that will keep you and your security team current. One example is SANS, which offers three free newsletters to help keep you informed about the latest goings-on in IT security. SANS is education-focused and vendor-agnostic, so you'll never be pushed towards a purchase.
  2. Understand the vulnerabilities that exist in your systems and how to patch them.
    Basic, regular system patching is your best first line of defense. Major vendors are very good (not perfect, but good) at updating their products; remember, they don't want to make the news because their products are insecure either. Patching only works for systems you know about, so keep an inventory of your hardware and software and check it against what actually got patched.
  3. Educate your users on how to protect themselves from common attacks.
    See above on mindset. The importance of IT security should be an organization-wide, constantly reinforced message. While most of this article is based on low-cost or no-cost solutions, user education is one point where it is worth seriously considering paying for good, quality training. An employee base with a thorough grounding in common risks like phishing will be that much less likely to expose your organization to them.

Define In Policy What You Will Be Doing - No Exceptions

One of the most powerful things a company can do in order to encourage a security mindset is to mandate that mindset from the top. When the CEO is part of the team that presents the IT security policy, it shows that the policy is important. The policy needs to be specific to your company, too: a template is a great place to start, but take the time to fine-tune it to your company's specific needs. This policy should be regularly referenced and updated (and employees should be evaluated based on their adherence), and most importantly, there should be no exceptions to it.

Far too often a policy will simply be copied and pasted from the internet into the back of a company's HR handbook, and then never really implemented or discussed again. More dangerously, employees with power or standing in a company will complain about how 'hard' it is to follow the rules laid out in the policy, and ask for a personal exception. This is particularly dangerous when leadership does it: not only is it a guarantee that the rank and file will not take the security policy seriously either, but since leadership is often authorized to see far more sensitive data than most employees, a security breach at their level is even more damaging.

To summarize, the rules that you set in place have to be:

  1. Clearly defined and regularly updated,
  2. Tied to employees' behavioral expectations,
  3. Applied to everyone in the company, with no exceptions.

Maximize Usage Of The Security Solutions You Already Have

One of the best ways to minimize the amount of money that gets spent on security is to make the most of the security built into the products and tools you already own. Often a product is bought to do one thing, but if it does three things (and does them well), that single purchase can save you from having to make additional ones later on. We will talk about some of these in part two, but here is an example of ways to add security to Windows using built-in capabilities, for zero extra dollars:

  1. Enable Windows Defender, including real-time protection and automatic signature updates
  2. Disable local Admin access: remove day-to-day user accounts from the local Administrators group so that malware running as a user cannot act as an administrator
  3. Enable OS/application rules (hardening settings and application control) that can make desktops and servers more secure
  4. Enable the local firewall on every network profile (domain, private, and public)
  5. Block or disable software and protocols you don't need, such as RDP on machines that are not remotely administered; where RDP is needed, never expose it directly to the internet
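The following PowerShell script is an added example, not code from the original article. It audits items 1, 2, 4, and 5 above on the local machine and, with the -Enforce switch, applies them; item 3 is left out because application control rules depend on what software each organization runs. The -Enforce switch and the $AllowedAdmins list are assumptions of this script rather than Windows settings; the cmdlets (Defender, LocalAccounts, NetSecurity modules) ship with Windows 10/11 and Windows Server 2016 and later. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the original article): audit the built-in Windows
  hardening items listed above, and optionally enforce them.
  Assumptions: -Enforce and $AllowedAdmins are this script's own parameters.
  Run as Administrator on Windows 10/11 or Server 2016+.
#>
param(
    [switch]$Enforce,
    # Accounts permitted to remain in the local Administrators group.
    [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator")
)

$findings = @()
function Add-Finding([string]$Item, [bool]$Ok, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Item = $Item; Ok = $Ok; Detail = $Detail }
}

# 1. Windows Defender: real-time protection must be enabled.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -and $Enforce) {
    Set-MpPreference -DisableRealtimeMonitoring $false
    $mp = Get-MpComputerStatus
}
Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled `
    "AntivirusEnabled=$($mp.AntivirusEnabled); signatures updated $($mp.AntivirusSignatureLastUpdated)"

# 2. Local admin access: anyone not in $AllowedAdmins is flagged (and removed with -Enforce).
$extra = Get-LocalGroupMember -Group 'Administrators' |
         Where-Object { $AllowedAdmins -notcontains $_.Name }
if ($extra -and $Enforce) {
    $extra | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
    $extra = Get-LocalGroupMember -Group 'Administrators' |
             Where-Object { $AllowedAdmins -notcontains $_.Name }
}
Add-Finding 'Local Administrators group' (-not $extra) `
    ('Unexpected members: ' + (($extra | ForEach-Object { $_.Name }) -join ', '))

# 4. Local firewall: every profile (Domain, Private, Public) must be enabled.
if ($Enforce) { Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True }
$off = Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }
Add-Finding 'Firewall enabled on all profiles' (-not $off) `
    ('Disabled profiles: ' + (($off | ForEach-Object { $_.Name }) -join ', '))

# 5. RDP: fDenyTSConnections=1 disables Remote Desktop; also close its firewall rules.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 1 -and $Enforce) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # English display group name
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
}
Add-Finding 'RDP disabled' ($deny -eq 1) "fDenyTSConnections=$deny"

# Report, and exit non-zero if anything is still out of compliance.
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it without -Enforce first to see what would change. Before removing accounts from the Administrators group, make sure the account you are logged on with (or another account you control) is in $AllowedAdmins, and only disable RDP on machines you can reach by another route, or you will lock yourself out. The 'Remote Desktop' display group name is for English installations; other locales use a translated name.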

And there are some that live outside the servers and desktops themselves, but can still deliver immense value for zero extra dollars:

  1. Fine-Tune your centralized Identity Provider rules
  2. Utilize a centralized Monitoring solution
  3. Utilize a centralized Logging solution

Note That By Saving On Dollars Spent, You Will Have to Spend Time

In this series we will be talking extensively about cost savings, and getting the most value for your money. However, as is often the case, there is a tradeoff, and in this case it is time. The systems I will be discussing require configuration, management, and monitoring. These tasks do not necessarily add up to a full IT staff, but they will have to be reviewed on a regular basis. Patching, for example, could be a weekly operation (sometimes more often).

One of the benefits often touted by security products is the opposite message: 'Spend your money here, and forget about wasting time on this security issue! We will handle everything for you!' This is especially true of Security-as-a-Service offerings, subscriptions, and of course managed services (and you will still have to invest time in researching the product or service to make sure it is worth the money; not all subscriptions are created equal). To a certain extent the claim is true. But it's still important to understand that, in order to be secure, your organization is going to have to spend one of two things: money, or time. Short of not using a computer, you will not get something for nothing when it comes to computer security.

The balance is going to be different from one company to another. When you ask your staff to manage an issue, do they have time and expertise to do it? Similarly, when a vendor pats you on the back and says, 'Don't give it a second thought. We got this,' do you believe them?

But enough philosophy. In part 2 of this series we will discuss actual, tangible (and cost-sensitive!) steps that can be taken to keep your business more secure.