If you think your network is safe from being breached, unfortunately you’re wrong. Despite the qualified people you’ve hired and all the money you spend each month on hardware, software, services and so on, your employees have to be constantly vigilant and never make a mistake. Even in the unlikely event that they never do, your organization still depends on software written by humans, which will inevitably have flaws. Until those flaws are discovered and patched, the vulnerabilities they create are completely out of your control. What are you to do?

Why your network, assets, and data are at risk of a breach

Protecting your network is a job that runs every second of every day, and the defense has to be right every time. A bad actor, digital miscreant, hacker, call them what you will, has to be right only once. These attackers have two resources at their disposal that your IT team can’t defend against: time and patience. With Metasploit modules readily available, an attacker doesn’t even need to understand the technical reasons why a particular exploit works.

But with time, patience, and enough poking and prodding, they will eventually find a flaw in your network to exploit. An employee will click a link in an email, someone’s out-of-date browser will be attacked through a compromised website or a simple malicious advertisement (malvertising), or your IT team will miss several computers during monthly patch management. All of these happen frequently, and perhaps more often than you realize.

The challenges of protecting against a breach

For some organizations, a lack of strong IT leadership is the issue. How much risk is your organization willing to accept by taking on a new IT directive from the board of directors when your IT team already can’t cover the basics of IT management? You’re not just asking for a breach, you’re asking for multiple violations of GLBA, HIPAA, SOX, GDPR, CCPA, you name it. IT leadership needs to build a project roadmap that fits the current staffing constraints so that basic cyber hygiene still gets done.

As is the case with many organizations, IT head count isn’t sufficient for all the tasks asked of your IT team. Chances are the majority of your business relies on a healthy, functioning network, so why not treat it like a living thing? Your network, assets, and data all need regular attention and maintenance, which takes time from your personnel. One of the best ways to manage those two limited resources, time and people, is efficient documentation, which leads to the next point.

Other challenges revolve around poor policies and procedures. Document lifecycle management is all too often overlooked, from entry-level employees to the C-suite. If your departments aren’t reviewing policies and procedures at least annually, you should have a strong business justification for why not. Otherwise, assign a document owner, create a review schedule, and create an approval/acceptance process. Then publish PDFs of all policies and procedures with read permissions for the employees who need them, and keep the working documents on a network share restricted to the individual responsible for each document. This layout enforces the principle of least privilege: only those who need to read can read, and only those who need to edit can edit.

What you can do to reduce the chance of a breach

I am a firm believer in not abandoning the basics: keep your asset inventory accurate, monitor the devices on your network to verify they are compliant, scan frequently for known vulnerabilities, remediate known issues in a timely manner, and protect your devices whether they are on the network or remote. It really is that simple.
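As an added illustration of the first three basics (accurate inventory, monitoring for compliance, finding what needs remediation), here is a small Python script that is not part of the original post. It reconciles a constructed asset inventory export against a constructed ARP/DHCP-style listing of what is actually answering on the LAN, and reports three things: devices on the network that are not in the inventory, inventoried devices that are not on the network, and inventoried devices that fail a simple compliance check (patched more than 30 days ago, or no endpoint agent installed). The sample data, the column names, and the 30-day threshold are assumptions for the example; in practice the scan side would come from your DHCP leases, switch ARP tables, or an authenticated network scanner.

```python
"""Reconcile an asset inventory against what is actually on the network.

Added example, not from the original post. All data below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed inventory export: what IT believes is on the network.
INVENTORY_CSV = """\
hostname,mac,owner,last_patched,agent_installed
fin-ws-01,00:1A:2B:3C:4D:01,finance,2024-05-02,yes
fin-ws-02,00:1A:2B:3C:4D:02,finance,2024-03-18,yes
hr-ws-01,00:1A:2B:3C:4D:03,hr,2024-05-01,no
print-01,00:1A:2B:3C:4D:04,facilities,2024-04-30,yes
"""

# Constructed ARP/DHCP-style listing: what is actually answering on the LAN.
# The MAC format (dashes, lowercase) deliberately differs from the inventory
# export, which is exactly the kind of mismatch that hides rogue devices.
SCAN_OUTPUT = """\
10.0.10.11  00-1a-2b-3c-4d-01  fin-ws-01
10.0.10.12  00-1a-2b-3c-4d-02  fin-ws-02
10.0.10.13  00-1a-2b-3c-4d-03  hr-ws-01
10.0.10.57  9c-ad-97-11-22-33  (unknown)
"""

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold for this example


@dataclass
class Asset:
    hostname: str
    mac: str
    owner: str
    last_patched: date
    agent_installed: bool


def normalize_mac(raw: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' form so differently formatted MACs compare equal."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text: str) -> dict[str, Asset]:
    """Map normalized MAC -> Asset from a CSV export."""
    assets: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        assets[mac] = Asset(
            hostname=row["hostname"],
            mac=mac,
            owner=row["owner"],
            last_patched=date.fromisoformat(row["last_patched"]),
            agent_installed=row["agent_installed"].strip().lower() == "yes",
        )
    return assets


def parse_scan(text: str) -> dict[str, str]:
    """Map normalized MAC -> IP for every host seen in an 'ip mac [name]' listing."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        seen[normalize_mac(parts[1])] = parts[0]
    return seen


def reconcile(inventory: dict[str, Asset], seen: dict[str, str], today: date,
              max_patch_age_days: int = MAX_PATCH_AGE_DAYS) -> dict:
    """Compare inventory with observed hosts and flag gaps and non-compliance."""
    unknown_devices = {mac: ip for mac, ip in seen.items() if mac not in inventory}
    missing_assets = [a.hostname for mac, a in inventory.items() if mac not in seen]
    noncompliant = []
    for mac, ip in seen.items():
        asset = inventory.get(mac)
        if asset is None:
            continue  # already reported as an unknown device
        reasons = []
        age = (today - asset.last_patched).days
        if age > max_patch_age_days:
            reasons.append(f"last patched {age} days ago")
        if not asset.agent_installed:
            reasons.append("endpoint agent not installed")
        if reasons:
            noncompliant.append((asset.hostname, ip, reasons))
    return {"unknown_devices": unknown_devices,
            "missing_assets": missing_assets,
            "noncompliant": noncompliant}


def build_report(today: date = date(2024, 5, 10)) -> dict:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_inventory(INVENTORY_CSV), parse_scan(SCAN_OUTPUT), today)


if __name__ == "__main__":
    report = build_report()
    for mac, ip in report["unknown_devices"].items():
        print(f"UNKNOWN   {ip} {mac}: not in inventory, investigate")
    for host in report["missing_assets"]:
        print(f"MISSING   {host}: in inventory but not seen on network")
    for host, ip, reasons in report["noncompliant"]:
        print(f"NONCOMPL  {host} ({ip}): {'; '.join(reasons)}")
```

Each line of output is something a person can act on: an unknown MAC is a device to locate and either onboard or remove, a missing asset is an inventory entry to verify or retire, and a non-compliant host is a patch or agent install to schedule. Run it on a cron job against real exports and the report stays small precisely because it only lists exceptions, which is the difference between actionable data and reports for their own sake.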

If your organization’s IT department is a bit more mature, you have a document review lifecycle, a well thought-out patch management lifecycle, a proper device onboarding process, a solid idea of where all of your data lives, and you are efficiently using the hardware, software, and other services you pay for. Your IT personnel report relevant, actionable data rather than generating reports for the sake of generating reports.

Remember, it’s not if but when your organization suffers a breach. Plan your network design and your incident response around that fact and you’ll be far better prepared to handle a breach than if you naively assumed it would never happen.