Jeremy Tucci
Financial Services
October 2020
4 Min Read

Cybersecurity 101: Protect & Detect – Part Three

Now it is time to begin the search for security solutions that fit the business.  The goal here is to understand, by category, the controls that exist, which provides insight into the proper fit.  While many terms get floated around, there are three verticals to start with.  These are deliberately arranged from top to bottom, from the simplest to the most complex.

Administrative Controls – these are often non-technical and can usually be the first line of defense and provide the greatest returns.  Mitigating risk can be as simple as writing a policy that is approved by management and enforced by compliance or HR.

Examples: Approvals, Checklists, Manuals, Policies, Procedures, Testing, Workflows

Physical Controls – these are as the name implies, providing real-world measures to the environment in which the business operates.  It is important to be mindful of not only the perimeter but also the people who access the space.  Typical office locations might be simple, but unique environments can present challenges.

Examples: Biometrics, Cameras, Fire Suppression, Keycards, Locked Access, Staffed Security

Technical Controls – these are usually the first thought when it comes to cybersecurity and can be the most complex.  This one requires further breakdown, and some examples may help with context.  The idea is to understand that each entry point presents an independent entryway into the business.

| Entry Point         | Description                                                                                  | Examples of Tools        |
|---------------------|----------------------------------------------------------------------------------------------|--------------------------|
| Application & Data  | Application or website made by the business for public consumption; files used by staff      | Encryption/Keys          |
| Endpoint & Mobile   | Computers used by staff; mobile phones/tablets                                               | Antivirus/VPN            |
| Identity & Access   | Verifying the individual/staff member; only information one needs to know                    | 2 Factor Authentication  |
| Messaging           | Communication mediums                                                                        | E-mail/Office 365/Slack  |
| Network             | Office computer architecture                                                                 | Firewalls/Switches       |

The last thing worth pointing out is that in small businesses, the staff or resources needed to perform this level of implementation may not be available.  There may be a managed service provider in place who oversees all the technology.  That does not prevent management from driving these conversations and understanding conceptually what is being done.

While this step might be the most technologically complicated and have the most moving parts, the primary focus is to create an understanding of the solutions for either reducing or eliminating the risks presented.  It is also worth looking at two or three comparable solutions, just like getting a quote for home renovations.  Everyone has a different angle in security which might change the original perspective or offer up new ideas.  Next, we will look at how to finalize decisions that might require budget approvals or significant changes to the existing business cadence.