Resolutions for a secure new year

Jan 02, 2018 | 5 min read
Risk Management, Security

Examining what we have learned about risk awareness, or should have learned, in 2017, which we can resolve to put into action in 2018.


Once again, we have been deluged by articles predicting what we should expect in the world of cyber security in 2018. While I don’t intend to demean my fellow authors, I have a strong dislike for such articles. I have found in the past that they are either filled with predictions about trends that are already happening, which hardly require any skill to foresee, or wild guesses, which are not much better than the result of rolling a 20-sided die.

I try to offer an alternative approach this time of year, so, rather than trying to use my weak crystal ball skills to figure out 2018, I have decided to use one of my better abilities, 20/20 hindsight, to examine what we have learned, or should have learned, in 2017, which we can resolve to put into action in 2018.

Resolution 1: it’s the patching, stupid!

Borrowing a popular political expression, one thing we should have learned in 2017 is that we need to work on our patching efforts, or perhaps the lack thereof. The WannaCry ransomware worm should have focused our attention on the importance of patching, but based on the success of NotPetya, which followed, many did not get the message. Bad Rabbit came next, and still managed to find many unpatched systems. And still, I personally run into many systems that continue to show the same underlying vulnerability.

If that is not convincing enough, you need look no further than Equifax. Their empire was shaken after the loss of data on more than 143 million US consumers, all for the lack of a simple patch.

As I have said before, patching is hard. New patches are released faster than we can keep up with them, and our users get positively grumpy when we take systems down to apply them. That being said, we have no choice. We must resolve to develop a plan, put it in place, and stick with it.

Resolution 2: physician, heal thyself

It is unlikely that any system or network exists without a vulnerability. It is futile, however, to just sit around waiting for some bad actor to find them. Instead, we need to find them ourselves, before we discover that the bad guys found them months ago and have taken up residence in our network.

Self-discovery is often unpleasant, and certainly time consuming, but it beats the alternative. You can accomplish this in a variety of ways, including penetration tests, either using a firm specializing in this service, or your own “red team”, a group of your own people that attempts to breach your defenses, using the same approaches a hacker would. Whichever approach you choose, be aggressive with it. The hackers will not take it easy on you for fear of interrupting your operations, so neither should you.

Resolution 3: make all of your employees part of the security team

The individuals and organizations attempting to penetrate your network usually go after your weakest link, which is often your employees. They frequently do this using social engineering techniques or phishing, which is particularly dangerous. According to Verizon’s 2017 Data Breach Investigations Report, “1 in 14 users were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data—or take control of systems.” 

The solution is to make all of your employees part of your information security team. You start by establishing a culture of security, ensuring that everyone understands their part in keeping the company safe, and the consequences of not doing so. This is reinforced by an ongoing security training program, and phishing and social engineering tests.

Unfortunately, we humans will likely always be the weakest link in any security design, so any effort to address this weakness will bear fruit.

Resolution 4: seek safety in numbers

I doubt that any hacker achieves significant success alone. They tend to work in groups, or share information with each other. One of the major concerns we face today is state-sponsored attacks, in which a government is behind the attackers.

There is one aspect of their techniques we can learn from — uniting our collective efforts to achieve more than we could individually. We can do this by sharing threat intelligence and participating in groups such as Infragard or an Information Sharing and Analysis Center (ISAC).

I was working with a major hospital system at the time of the WannaCry attack. The ongoing information received from various information security sharing organizations, particularly NH-ISAC, helped my team and me stay ahead of the crisis.

Resolution 5: choose to be an optimist

As I suggested in “Don’t let the security hype get you down,” it is important to maintain optimism and objectivity when fighting daily against the bad guys. It is easy to get discouraged by all of the bad news, and the hype about it, but if we assume we will lose, that will become a self-fulfilling prophecy. Instead, we need to start every day with a renewed belief that we can win the battle. I am convinced that we can and ultimately will prevail, so I see my daily efforts as not in vain.

Bottom line — I choose to wait and see what 2018 will bring, rather than trying to prognosticate the likely events. Instead, I will focus on learning what I can from industry experiences in 2017, and using that to improve my security performance in 2017. I hope you will join me in this approach.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with an emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.