As humans, we’re remarkably predictable. That’s why gym memberships rise in January. It’s why almost every magazine focuses on health. And, it’s what cyber criminals rely on. Human predictability.
The elite cyber criminals know human behavior better than most, and exploit those behaviors very effectively.
That led me to think about NYRs and a new class of NYR – the healthy cyber secure lifestyle. Most particularly, a healthy cyber lifestyle for public agencies and organizations.
The parallels between a healthy human lifestyle and a healthy cyber secure lifestyle are uncanny:
|
1) Get a physical – A physical is a comprehensive assessment of the good and the bad, administered by a professional and a team of experts that know what a healthy body looks like. A good professional will provide specific recommendations for improvement. |
1) Get a risk assessment – A risk assessment is a comprehensive assessment of the organization’s people, policies and technologies. It identifies the good and the bad and makes recommendations for improvement. |
|
2) Start a plan – the first step to a healthier lifestyle is to develop a plan. Set goals, make commitments, take action. And, spend money. |
2) Start (or improve) a security plan – if you don’t have a plan, start one. If you do have a plan, revisit it for improvements. |
|
3) Establish milestones – If you want to lose 10 pounds (or 110 pounds), you set goals to let you know you’re making progress. |
3) Establish targets – you establish target objectives, such as having a policy about “X” in place by a certain date. Or, you’ll have a certain technology deployed by a certain date. |
|
4) Set a budget – get a gym membership, join a healthy food club, hire a trainer. Somewhere along the way, if you’re serious, you’ll spend money to achieve your goals and milestones. |
4) Set a budget – invest in people, spend money to create policies, purchase technologies. Invest intentionally in such a way that your plan (step 2) is progressed as a result of your spending. Tie expenditures to expected results. |
|
5) Measure results – Weigh in, get a blood test, measure your waist. Do something that measures whether your goals, milestones, and investments are paying off. Are you lighter? Are you stronger? Are you more fit? |
5) Measure results – establish measurements that prove you’re doing the right thing. If you invested in a technology to reduce email threats, you should be able to quantify the results. |
|
6) Make adjustments – don’t be afraid to take corrective action. If the diet isn’t working, change it. If the gym isn’t working, change it. Adjust with intent to get back on track. |
6) Make adjustments – If you’re not getting measurable results, take corrective action. Reassess, make changes, re- establish, but keep moving forward. |
|
7) Repeat – It’s seldom that people on a healthy lifestyle for 2018 will just stop. They’ll get another physical, find areas of improvement and continue the process. |
7) Repeat – a cyber-healthy organization will re-evaluate, re-assess and re-invest in 2019 and beyond. It is, after all, a lifestyle. |
A healthy human generally costs less to operate than an unhealthy one. Any benefits department would probably agree, and maybe even add to that thought. Healthy people are less sick, have higher attendance and are generally better able to contribute to the organization(s) they support.
Similarly, cyber-healthy organizations spend money, can measure success, and are less likely to come under attack than un-healthy cyber organizations.
We don’t get to choose whether we associate with germ-carrying people (unless you’re Howard Hughes and can afford to live in a bubble). As such, our healthy human lifestyle will come in contact with unhealthy humans. And, we’ll survive. The same applies for a cyber-healthy organization. They will come in contact with hackers, spear-phishers, ransomware, and other cyber “diseases.” And, they will survive.
Happy New Year’s Resolution to you. May your life and your organization enjoy a healthier 2018. It’s time to act. To help you get started, my colleague Jacob Hill at AT&T Security has outlined The 4 Levels of Cybersecurity Readiness.
Patrick Robinson is an application consultant for cybersecurity services at AT&T Global Business.
