Vowels of IT Security

Photo credit: dictionary.com

Before we talk about vowels of IT security, do you remember the good old elementary school days when we all learned the vowels in English? Great, that is what we will focus on today in the context of IT security. The Merriam-Webster dictionary defines a vowel as “the one most prominent sound in a syllable,” and the vowels are a, e, i, o, u, and sometimes y.

In this article, let us briefly touch on the most prominent or important items companies should pay careful attention to in terms of IT security and see how these items translate to vowels in English.

First Vowel of IT Security (A-Assess)

IT security evolves every day. The first step towards being secure is to “assess” the effectiveness of your company’s security policies. I have seen companies following security policies written years ago and never revised or re-evaluated. In today’s world, when new threats are imminent every day, not keeping your security policies current will only make you more vulnerable. Obtaining and maintaining your certifications from International Organization for Standardization (ISO), Sarbanes–Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), etc., will ensure your company’s security policies are up to date.

Second Vowel of IT Security (E-Exercise Caution)

There are many ways in which we can exercise caution, including but not limited to the following:

• Multi-factor authentication: This is a multi-layered approach for securing systems by mandating a combination of two or more credentials before access is granted. This is recommended for most applications storing critical or sensitive data.
• Regular backups: Implementing a backup schedule based on data criticality and availability requirements.
• Ensuring that the backups are good: Testing backups by following a periodic restore test schedule to ensure the backups can be used to recover from an incident should there be a need.
• Encryption: Enabling encryption on hard drives, databases, backups, etc., to ensure data cannot be accessed by a bad actor.
• Use of strong password policies: Ensuring the passwords are common; is a combination of special characters, numbers, and upper-lower case characters so that it is hard to guess; are rotated on periodic intervals.
• Limit Access:
  • Role-based access controls: Defining access based on business roles.
  • Least privileged access: Providing only the required access to complete the job.

Third Vowel of IT Security (I-Identify)

The Cybersecurity & Infrastructure Security Agency (CISA) defines insider threat as “the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department’s mission, resources, personnel, facilities, information, equipment, networks, or systems.”. As the definition goes, an employee doesn’t need to be intentionally causing harm; it could be as simple as clicking on a link in an email and unintentionally granting access to hackers. Businesses must identify what is considered sensitive data, where it is stored, how it is stored, and who all have access to it. Identifying both inside and outside threads is equally essential. Once identified, appropriate measures as detailed in the previous section, must be implemented.

Fourth Vowel of IT Security (O-Organize Regular Training)

In addition to implementing appropriate controls, spreading awareness is essential. Companies must organize regular training for all employees to ensure that they develop a security mindset. IT security does not need to be boring. Today, there are multiple platforms interactively offering training to ensure employee engagement. Remember, this training should be ongoing and must be completed again once new content is available.

Fifth Vowel of IT Security (U-Update your Software and Systems)

Software and system updates, also known as patches, provide fixes and/or remediation to known vulnerabilities that your system might be exposed to and helps in protecting your data. These updates oftentimes include performance enhancements and other bug fixes. All software and systems must be patched regularly on a pre-defined schedule to stay up to date.

Last but not the least “Y” (You are the security advocate)

Lastly, as a responsible administrator or employee, it should be your responsibility to ensure you are equipped with all the tools and training that are fit for the purpose. If not, as the famous saying goes, “if you see something, say something.” Raise your concerns within the organization, and spread awareness so that each employee can recognize a potential threat and the organization has a powerful line of defense!

Summary

In this article, we briefly touch-based a few key aspects of IT security and tied them together by translating them to vowels in English.