Nearly everyone has spent some time in a vehicle, on a highway, driving somewhere. It is an innocuous event: you get in, buckle up, put the car in drive, and go. Everything is fine as you putter down the highway, en route to your destination.
Now let’s delve a bit deeper into this experience. You’re on a highway with vehicles going varying speeds. The vehicles are a variety of shapes, sizes, and worst of all, conditions. If you’re on an enjoyable country road, it might feel relaxing until you realize the only thing separating you from oncoming traffic is a yellow line painted on the road a decade ago and the hope that the person driving the 1992 Chevy Cavalier with a missing headlight isn’t, at this very moment, tweeting about how beautiful the leaves are this time of year to their nine followers.
This is a perfect analogy for using any sort of internet-connected device in 2022. Everything feels pleasant and relaxing, until you really start to think about the potential consequences. Driving a car is a responsibility, and likewise, so is using a computer.
IT Security is an entire industry dedicated to reducing the risk from these ever-increasing threats, and from the outside it is frequently seen as mysterious and scary. I would love to stay away from using the word fear, but it is so ingrained in the enterprise that I just cannot. IT Security incidents have the potential to cause significant financial impact to businesses.
As a result, there is an ever-present temptation to trade away accessibility in the face of perceived and potential risk. I often hear phrases like “I never scan QR codes” or “I never open attachments” from people proclaiming their Information Security prowess. People are more connected today than they have ever been, and because they have to manage access to all that information, everyone is also more suspicious.
So, think back to driving. Have you ever heard the phrase “Defensive Driving”? Defensive driving isn’t about avoiding certain roads; it’s about risk mitigation through simple tactics and methods. Maintain your following distance, monitor the cars around you, and always know where you would put your car if someone near you made an ill-advised move.
This is the aim of IT Security training. It is not to avoid systems altogether, but to instill confidence in users that they can identify threats. Is this QR code stuck to a bathroom stall at a rest stop on the NY Thruway, or is it nicely laminated onto the table at your favorite restaurant? Is this attachment from an email address I don’t recognize, and does the file name end in “.exe”? Did the link I clicked on ask me to install something?
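Those three questions (who sent it, what kind of file is it, and where does the link actually point) are simple enough to write down as rules. The Python script below is an added illustration and not part of the original post: it triages a message by checking the sender’s domain against a list of known senders, flagging executable and double-extension attachments, and flagging links (including a decoded QR code, which is just a URL in a different wrapper) that point straight at an installer. The extension lists, the known-domain set, and the two sample messages are constructed for the example; the `.test` domains are reserved and not real senders.

```python
import os
from urllib.parse import urlparse

# Extensions that run code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}
# Archive and disk-image formats often used to carry the above past mail filters.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".zip", ".7z", ".rar"}
# Installer formats for other desktops; a link that points straight at one is the
# closest static approximation of "the link asked me to install something".
INSTALLER_EXTENSIONS = EXECUTABLE_EXTENSIONS | {".dmg", ".pkg", ".apk"}


def parse_sender(header: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into (display name, lower-cased address)."""
    if "<" in header and header.rstrip().endswith(">"):
        name, _, rest = header.rpartition("<")
        return name.strip(), rest.rstrip().rstrip(">").strip().lower()
    return "", header.strip().lower()


def sender_findings(header: str, known_domains: set[str]) -> list[str]:
    name, addr = parse_sender(header)
    domain = addr.partition("@")[2]
    findings = []
    if domain not in known_domains:
        findings.append(f"unrecognized sender domain: {domain or '(none)'}")
    # 'boss@example.com <attacker@other.test>': the part the mail client shows in
    # bold is not the address a reply goes to.
    if "@" in name and name.lower() != addr:
        findings.append(f"display name looks like a different address: {name}")
    return findings


def attachment_findings(filename: str) -> list[str]:
    root, ext = os.path.splitext(filename.lower())
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment: {filename}")
        # 'invoice.pdf.exe' is shown as 'invoice.pdf' when Explorer hides known extensions.
        if os.path.splitext(root)[1]:
            findings.append(f"double extension hides the real type: {filename}")
    elif ext in CONTAINER_EXTENSIONS:
        findings.append(f"container attachment, inspect contents before opening: {filename}")
    return findings


def link_findings(url: str) -> list[str]:
    parts = urlparse(url)
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected URL scheme '{parts.scheme}': {url}")
    if os.path.splitext(parts.path.lower())[1] in INSTALLER_EXTENSIONS:
        findings.append(f"link points straight at an installer: {url}")
    return findings


def triage_message(message: dict, known_domains: set[str]) -> list[str]:
    """Return every warning sign found; an empty list means nothing obvious."""
    findings = sender_findings(message["from"], known_domains)
    for name in message.get("attachments", []):
        findings += attachment_findings(name)
    # A decoded QR code goes through the same check as a clickable link.
    for url in message.get("links", []) + message.get("qr_urls", []):
        findings += link_findings(url)
    return findings


# Constructed sample data for this example.
KNOWN_DOMAINS = {"example.com"}
SUSPICIOUS = {
    "from": "ceo@example.com <billing@invoice-portal.test>",
    "attachments": ["invoice.pdf.exe", "terms.pdf"],
    "links": ["https://invoice-portal.test/setup.msi"],
    "qr_urls": ["http://invoice-portal.test/app.apk"],
}
BENIGN = {
    "from": "Jane Doe <jane@example.com>",
    "attachments": ["q3-report.pdf"],
    "links": ["https://example.com/docs"],
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_message(msg, KNOWN_DOMAINS))
```

Run as-is, the suspicious message produces six findings (unknown domain, mismatched display name, executable attachment, double extension, and two installer links) and the benign one produces none. The point is not that a script replaces judgment, but that each of the questions in the training is a concrete, checkable property of the message rather than a vague feeling of unease.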
Being able to quickly discern potential threats helps to define the risk. The end goal is informed users who know the signs to look for and how far they can go before a situation becomes dangerous. The information security landscape is littered with wrong-way, distracted, and inexperienced drivers who all seem to be aiming at you. But as long as you use the defensive tactics you’ve been taught, you can confidently navigate your way to your ultimate destination.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place, and to provide you with recommendations to detect, respond to, mitigate, and recover from breaches and other cybersecurity events. Please reach out to David Hammarberg, leader of the firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology practices. We can answer any questions and help you determine if a SOC 2 or SOC for Cybersecurity report would be useful for your company.