Security Table Stakes - Some Important Bare Necessities

post thumb
Foundations
by John Svazic/ on 08 Feb 2021

Security Table Stakes - Some Important Bare Necessities

When it comes to securing an organization, I’ve heard all the excuses: “We’re too small; nobody is going to attack us.” “We don’t have the budget for doing this stuff.” “We need to focus on our product/deliverables, not chase some boogeyman!” I get it, cybersecurity isn’t the top priority for most organizations, but that doesn’t mean that you can ignore it altogether either. At the same time, it doesn’t have to be intrusive or challenging to get to what I consider “table stakes” for any organization of any size.

Before We Begin

Before I start to dive into what I consider the fundamentals for organizations, I want to make sure that you and I are on the same page regarding cybersecurity. First, cybersecurity initiatives of any type are going to be an investment. Cybersecurity is a cost center; it will not directly increase your profits. However, having decent cybersecurity hygiene may help win you more security-conscious clients, which will affect your bottom line. The trend for organizations of any size asking about cybersecurity practices at their vendors is growing. Even consumers are asking more questions about cybersecurity with the apps they use daily. These facts lead to a significant trend - cybersecurity will help differentiate you and your business from the competition.

Defining Table Stakes

Table stakes refer to the minimum requirement for entering a specific market or business arrangement. That is to say, this is the minimum that you need to do to be considered a viable entity in the market.

So when I refer to table stakes for cybersecurity, I mean the minimum effort that any organization needs to do to protect itself against cyber attacks.

I want to stress that this is the minimum, so that doesn’t mean this is all you do. I hate to use this analogy, but learning to crawl before you can walk is the equivalent of what I’m referring to here. Sure, you may eventually get to where you want to go, but it’s not going to work out in the long term.

Table Stakes In Cybersecurity

Let’s dive right into it:

  1. Enforce 2FA on all systems, from social media to email.
  2. Make use of a password manager.
  3. Make patching systems a part of your life, from operating systems to browsers to phones.
  4. Install some type of antivirus software.

See? Nothing too radical here. Let me dive into each of these separately so I can share some more details for each one.

Enforce 2FA Everywhere

Enabling 2FA is the first thing I tell any new client. 2-factor authentication is incredibly effective at securing your accounts. Google had a great report on how effective multi-factor authentication was at protecting email accounts, and this effectiveness is equally applicable to other types of accounts such as social media accounts. If 2FA is available for a tool/service/account, then turn it on.

Generally, the push back against enabling 2FA is that it’s an extra step, and it slows people down. However, this isn’t always true as most email providers (GSuite and O365 included) will generally only prompt you for your 2FA token only when you’re logging in from a new computer, a new country, or something else that is outside the “norm” for you. Other services that prompt you every time are generally more “sensitive” in nature, such as your cloud provider, and you do want to have that extra step in place to keep the bad guys out. Trust me, the minor annoyance, when you do run into it, is much better than trying to deal with the aftermath of a security breach.

Use A Password Manager

Password re-use and shared passwords are some of the most common reasons accounts get hacked. The problem is that humans are terrible at remembering a lot of passwords! We may have between 1 and 3 passwords that are “secure,” Then we have a throwaway password that we use for sites we don’t view security as necessary. The best practice is to use a unique password for every website, which is where a password manager comes into play. You only need to remember 1 password, cutting down on the need to recall a bunch of complicated passwords.

Some common complaint with this suggestion is cost and complexity. Let’s look at the price argument first. While some enterprise password managers can be expensive, there are some cost-effective alternatives out there. BitWarden is an excellent password manager that is open-source, cost-effective, and supports 2FA. At the time of this writing, they have business plans starting at $3 / user/month or $36 / year/user. There are other password managers out there for sure, and I’d be happy to chat more about them, so feel free to reach out if you want to have that conversation.

As far as complexity is concerned, the vast majority of password managers have browser plug-ins, mobile applications, and even desktop apps. If you can write a password down in a book, you can use a password manager. They are exceptionally user-friendly, and once you start using them, you’ll find them invaluable.

Patching Is Life

Patching software is essential, regardless of what kind of software it is. From operating systems to mobile phones, to browsers - patch your software. Patches often contain security fixes, which will help prevent those nasty attackers from making their way into your personal and private data. Google has had a spat of patches recently for its Chrome browser that fixed some serious flaws, and sometimes those patches can happen weekly.

When it comes to patching, the standard arguments are that patching takes time and interrupts the workday or concerns that the patch will be “bad” and cause more harm than good. These are both fair points, which is why you shouldn’t just blindly apply patches but have a patching process. Have your IT team check a patch before pushing it out to users or asking them to install it. For browsers, patching is as simple as applying the patch and restarting your browser - 30 seconds or less on average. Browser patches are generally safe and don’t need to be vetted, likewise for mobile phone apps and OS updates. However, when it comes to updating a laptop or desktop, yes, you will want to do some testing before you upgrade. The latest OS update from Apple (11.x, a.k.a. Big Sur) is an excellent example of this. The update was a fundamental shift and ended up breaking several applications, especially security applications. Thankfully Apple still provides patches for earlier versions of their operating system, but this is worth considering.

Patching is vital, but it shouldn’t happen in a vacuum. Have a plan, and only apply patches from trusted sources. That random website that says you need to upgrade your Flash player before you can view the content is lying to you.

Install Anti-Virus Software

This last point is one of my favourites, if only because it generally turns into a type of “holy war” amongst more technical folks. Anti-virus software is a mixed bag of great and awful experiences. I honestly wish I could point to a single vendor that would work for everyone, but I do not know of one to date. My advice here is to start with a well-known brand, such as BitDefender, and see how it impacts your day-to-day operations. The right anti-virus solution should work quietly in the background and shouldn’t affect your computer as you perform your daily tasks. At the same time, it should stop known threats and keep your machine safe from commodity malware.

More technical folks will argue against the need for anti-virus software. They’re the ones who never click suspicious links, they never download attachments, and they don’t want any software “gumming up the works” on their computers. Nobody is infallible, and having some protections as a safety net should not be up for discussion. While this one can be more of an investment in terms of finding software that works well for your particular business, it is still something I would consider “table stakes” for any business, even if you only use Apple products.

Next Steps

Will you be safe from attackers if you do everything on this list? No, but you will be significantly better off than if you didn’t do any of these things. This list is just the bare minimum to keep those less-than-sophisticated attackers away from your business, and even some of the more persistent ones. Once you are complete with this list, I would implement a good security program for the organization. That’s for another blog post for sure, but it will help provide you with some structure and help get you to the next level in cybersecurity hygiene.

– John


At EliteSec, we can help you build, plan, and execute a security program that makes sense for your organization. From vCISO services to vulnerability assessments, threat modelling, and penetration testing, EliteSec can help secure your organization. Are you looking for a second opinion on your foundations for security? Contact us today, and we will give you a quick 30-minute review at no cost.