And How They Apply to Modern Organizations
by Martin Banks, Managing Editor, Modded
Cybersecurity is a popular topic in public discourse. While spreading awareness and sharing best practices is certainly positive, so much dialogue can create confusion. Users and business owners looking for a starting point can easily get lost in the swarm of information.
To add another layer of confusion, cybersecurity is a continually evolving, often fractured field. What may be the best strategy at one time or for one company may not be recommended two years later or for a different business.
Considering all of this, it may be helpful to reduce cybersecurity down to five general, all-encompassing rules.
Defining the 5 Laws of Cybersecurity
Specific cybersecurity regulations and best practices vary widely. At least 38 states considered more than 280 cybersecurity bills and resolutions in 2020 alone. Since the specifics change so much between industries and locations, guidelines that apply to everyone need to be at least somewhat open-ended.
While specific threats and appropriate solutions may vary, some things are true across all of cybersecurity. These universal truths, the things that have persisted over years of change and across multiple industries, are where the five laws of cybersecurity lie. These laws are:
- Treat everything like it’s vulnerable.
- Assume people won’t follow the rules.
- If you don’t need it, get rid of it.
- Document everything and audit regularly.
- Plan for failure.
These guidelines are relevant to every company across every industry in every area. Each law will play out differently between businesses, but they form a starting point for any cybersecurity strategy. Here’s a closer look.
1. Treat Everything Like It’s Vulnerable
The first rule of gun safety is to treat every firearm like it’s loaded, and the first law of cybersecurity is similar. Attacks can come from anywhere, so companies should approach everything as if it’s a potential threat. That applies to incoming data, new devices, users, partners, services and programs.
Since cybercriminals are constantly adapting their methods, users can’t afford to assume anything is 100% safe. Even a trusted partner could make a mistake that jeopardizes a company’s security, in which case too much trust could become their downfall. This doesn’t mean that businesses should assume everything is hostile, but they should verify before trusting.
One example is restricting access so that users and partners can only access what they need. Another is requesting verification of a company’s cybersecurity before partnering with them. Not every user needs to take it to extremes, but the principle of verification before trust should form the basis of all cybersecurity protocols.
2. Assume People Won’t Follow the Rules
While every list of cybersecurity best practices is different, almost all emphasize the dangers of human error. Research shows that as many as 88% of data breaches are the result of human error. That figure has also remained high for years, despite increasing emphasis on employee training, so education alone isn’t sufficient.
People often pick convenience over security, even if they know better. Complacency is part of human nature, so cybersecurity professionals should assume that users won’t act as they should. Of course, this doesn’t mean companies should abandon cybersecurity training. They should establish clear protocols, then plan for users going against them.
Since mistakes and ignorance are so common, cybersecurity systems shouldn’t fail when someone breaches protocol. Instead, it should be as challenging as possible for a mistake to jeopardize security. If cybersecurity professionals assume people will adopt unsafe practices, they’ll design more resilient systems.
3. If You Don’t Need It, Get Rid of It
Another persistent cybersecurity issue across industries is the prevalence of unnecessary systems, devices and programs. Cybersecurity is complicated, and it grows increasingly complex as the world embraces more technology. Businesses can mitigate this complexity by purging any unneeded assets, reducing their attack surface.
Securing every device and software solution in a workplace takes time, effort and money. The more there is to secure, the more complicated this will become, raising the risks of errors and oversight. If businesses removed any assets they don’t use anymore, they would make cybersecurity a much more straightforward, affordable endeavor.
The dangers of legacy systems became painfully clear in 2020. An exploit in Accellion FTA, a 20-year-old file transfer system, put more than 300 victims at risk. Relying on obsolete technology opens up a world of vulnerability, so businesses need to purge what they don’t need.
4. Document Everything and Audit Regularly
Understanding what’s necessary and what isn’t can be challenging, especially in a larger company. That’s why the fourth law of cybersecurity is to document all policies, devices and changes, then audit them regularly. Without thorough and regular documentation, teams won’t know where their vulnerabilities lie.
Every time a company adds a new device, downloads an application, amends a policy or makes any other changes, they should record it. Otherwise, they could forget about it, overlook updating and securing it, and accidentally create a vulnerability. This step will help abide by the third cybersecurity law and reveals how to improve.
Of course, documentation alone is insufficient. IT teams should also regularly audit their systems to look for oversights, legacy systems and other areas that deserve attention. As many as 95% of cyberattacks are preventable, and regular audits will reveal weaknesses that security professionals can patch.
5. Plan for Failure
One of the only constants in cybersecurity is that systems will fail. Users will always make mistakes, and hackers will always find zero-day exploits to get past defenses. Cybersecurity professionals should do all they can to prevent attacks, but they also need a plan B.
Every business should have protocols in place to mitigate a data breach should one occur. These typically include backups of mission-critical systems and data and a way to inform any affected parties quickly. The specifics will vary, but the core idea remains the same: breaches shouldn’t compromise an entire system.
In 2020, 25% of global organizations reported that server downtime would cost between $301,000 and $400,000 per hour. That level of expense would spell disaster for many companies, so business continuity is a must. If businesses had a plan for when systems fail, they could mitigate these costs.
Go Beyond the 5 Laws
These five laws of cybersecurity form a starting point for any company, regardless of size, industry or area. They’re not a conclusive list of best practices, but they provide a roadmap for more specific cybersecurity protocols. If anyone’s unsure about how to start or where to go with cybersecurity, they can turn to these foundational rules.
About the Author
Martin Banks is the founder and Editor-in-Chief of Modded. You can find his writing all over the internet. He covers tech, gear, cars, and more.