All I really need to know about cybersecurity, I learned in kindergarten

I’m often asked which of the latest headline-making technologies should organizations be concerned about? Or what are the biggest threats or security gaps causing IT and security teams to lose sleep at night? Is it the latest AI technology? Triple extortion ransomware? Or a new security flaw in some omnipresent software? 

And I reply that the truth is that breaches — even big, expensive, reputation-tarnishing breaches — often happen because of simple, mundane things. Like buying software, forgetting about it and neglecting it to the point that it’s not patched and ready to be exploited by a threat actor, making your company the low hanging fruit. 

Nobody likes to brush their teeth and floss. But it’s that type of basic personal hygiene that can save you thousands and even tens of thousands of dollars in the long run. Cyber security hygiene is no different. Rules like “clean up your mess” and “flush” are equally critical to maintaining a ‘healthy’ security posture.  

So as many head off on holiday break, I thought I’d share some hard-learned, easy-to-understand rules from my 25 years of managing cyber security teams. Inspired by Robert Fulghum’s book, All I Really Need to Know I Learned in Kindergarten, this advice is equally applicable to novices and industry veterans entrusted with their organization’s day-to-day IT and security operations.

1: Flush…and clean up your own mess

In IT operations and maintenance, as in personal hygiene, you’re responsible for cleaning up after yourself. If you buy a piece of software, don’t let it stand and rot in a virtual corner. Make sure you have an established routine to keep informed on the latest threats, run regular vulnerability scans and manage the patching of your systems (including networks, clouds, applications and devices).

2: Trust but verify

When it comes to colleagues, your direct reports, vendors you’re doing business with and even customers, we all want to trust the people we interact with. But can we? In the age of quick online transactions, whether social or enterprise-related, err on the side of caution. Verify the person you’re dealing with is real, that backgrounds check out and get references when you can. Trust but verify. 

3: Look and pay attention

Incident management might feel laborious and mundane. But security incidents, like a suspicious email or phish-y link or shady executable aren’t a big deal until they become a big deal. With stealth mechanisms meant to keep things quiet and ‘boring,’ it’s all the more reason to take a good look when something doesn’t smell right.

4: If you buy something, you’re responsible for it

No one will write a poem about the beauty of software lifecycle management. Still, whether it’s cloud products like IaaS or SaaS applications, you need to make sure your products are being maintained, updated and patched. It’s just like buying a car: You buy insurance, get your tires checked and get an inspection sticker to certify it’s ‘drivable.’ In IT, if you buy it, make sure it’s maintained and in good shape. 

5: Take comfort in someone or something

We all need a way to unwind — even more so if you’re in a high strung IT/security job. Opt for a way to let off some steam that doesn’t compromise your health. (Here are some of my favorites: Music, warm tea, a long walk, hot chocolate, friends, naps, my preferred video channels.)

6: Don’t take things that aren’t yours

If you’re in a position to access or even exploit other systems or someone’s data as part of your incident analysis and investigation work, remember to play by the rules. Stay on the right side of the law. Don’t take offensive security measures and don’t retaliate. And don’t take things that aren’t yours. 

7: Play fair, don’t hit people

Other companies and vendors will mess up. Stay respectful on the internet. And mind your comments. (Or how a friend once put it to me: “You have to say what you mean, and mean what you say. But never be mean.”)

8: When you go out into the world, watch out for traffic, hold hands and stick together

When you’re handling a high-severity incident, it may be easy to forget about the people on your team. Remember that humans are the weakest links. As your team races against time to get to the bottom of an attack and stop it, remember that you can only push people so far before they break. I’ve seen workers have a mental breakdown, owing to the psychological weight of an incident. So, when you head out into the wild, be there for each other and support your team.

9: Share everything, including knowledge and training

If you hire staff, you need to educate them. Whether they’re the SOC team or Sally from HR. Everyone needs to know the rules. Make sure you’re running regular awareness training. And if you have a security operations squad, set regular table top exercises, such as red team-blue team contests and breach and attack simulations.  

Dan Wiley is head of threat management and chief security advisor at Check Point Software Technologies.