Security is everyone’s responsibility.
That’s it. That’s the whole point.
(I may be spending too much time with Leon, but it had to be said.)
If you have a security team, or even just one person who is tasked with security, it’s easy for the rest of the team or department to fall into a trap, thinking there’s nothing more you need to do. You’re wrong. Every individual can do something to improve their own security posture which will, in turn, improve the company’s security posture. People are one of the greatest risks for any company due to negligence, human error, inefficiencies, etc.
That’s not me saying, “It’s the user’s fault.” Quite the opposite. That’s me saying, as IT practitioners within the organization, you—individually and collectively—have unprecedented levels of access and privilege. So, you’re a prime target. In fact, you live in the most fragile of glass houses when it comes to discussing responsibility for people-based security breaches. So, make sure that glass house is in order.
All personnel should be regularly trained, and many companies require regular security training. As an individual, though, make sure you are actually practicing those techniques. Every person at a company presents some amount of security risk, from the custodial staff to the CEO. I can feel some people scoffing, but when you think about what people have access to—maybe even without them knowing it—you start to get an idea of the risks involved. Which brings us to…
Step 1—Personal Risk Assessment
Since we’re talking about you as an individual, this would be an assessment of risk based on permissions you have, device access, building access, etc. Some of those things you won’t alter because you need them to perform your job, but you should be aware of the potential risk, so you can consciously ensure you’re taking steps to reduce risks in those areas.
Step 2—Least Privileged Access
Work with your coworkers to ensure you have the least amount of privileges you need to get your work done. Need more permissions for a specific one-off task? Request a temporary elevation of permissions and notify them when the task is complete, so the permissions can be reverted to the least required. I can see some friends of mine shaking their heads, cursing security, and saying they don’t have time for that and it’s a painful undertaking. To them, I say, “So, what?” Budget the time for the required permission changes into your tasks.
Step 3—Don’t Take It Home
Now, I realize this is unreasonable given the reality of working from home. What I mean, though, is don’t transfer work to your personal devices. Don’t take screenshots on your phone, don’t take a flash drive with secure documents home if you can help it, don’t click links in emails unless you’re positive they’re safe, don’t…don’t…don’t… I could go on. DO pay attention to those briefings on security and do your part. As I mentioned, this isn’t always something you can avoid. So, when you can’t avoid it, DO treat your home as a remote site. Look at the entirety of the security posture—internet router, firewall, etc.—through the same lens you’d use to evaluate a newly acquired site. Would YOU trust corporate data in your house? If not, start looking for ways to fill those gaps. I’m not saying buy a $300,000 rack of security gear. But there’s a lot that can be done for not a lot of money, especially in a home environment.
This is by no means a comprehensive list, but keep looking for ways to improve your own security posture. Raise awareness in others where you can.
I hinted at this earlier, but I want to be clear and direct because that’s what good security advice looks like. You may have sensed, or even heard about, the heightened emphasis on security at SolarWinds. The catchphrase we’re using around the office is “Secure by Design,” and what I’m writing about here is as much a part of that as any new patching cycle, certificate refresh, or code change we may do.
Secure by Design is something at SolarWinds which is both inward and outward facing. Outward, we’re more explicitly connecting our patches to CVEs and other risk assessments, so our customers understand the importance of a hotfix or upgrade beyond “addresses outstanding bugfixes, implements performance improvements, and new features.” You can continue to expect updates from us on further improvements to our security stance as we can share them.
Meanwhile, inward facing actions include changes to both individual and group processes, so we can leverage everything we’ve learned since December 12.
But you, the individual, are critical to the success of this plan. You need to take security as seriously as we are, or none of our efforts are going to matter much.
Just like this pandemic, it’s important to do your part.