What Do You Know?
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
When we are born, we know nothing. We react to our environment and start to learn, even before we leave the womb. Some lessons come the hard way: yes, it hurts when we touch the hot stove. Mother was right.
Our education intensifies when we start attending school. School is one place where we are exposed to the idea that there are a lot of things we don’t know. Unfortunately, it is also where we learn that what we study can be confined to what it takes to pass the test. That lesson can come back to bite us very hard later in life.
If we are fortunate, we learn one lesson early on: we don’t know what we don’t know. A quick search will turn up many diagrams illustrating this idea, usually drawn as three slices. I think the slice for “what you know” needs to be a lot smaller in comparison with the other two. There is so much we could learn about so many subjects that it boggles the mind to think about what we don’t know.
Let’s take these three categories of knowledge and see how they can be applied in the context of security.
What you know. I know I have 32 employees. I know I have purchased 40 computers for use in the company. I know our internet domain is reallygreatcompany.com. I know I worry about getting hit by ransomware. I know I bought a firewall to protect my network. I know I bought endpoint protection software for all my computers. I know what I have to do to pass the audit, and that is enough.
What you know you don’t know. I don’t know if all my computers are up to date with patches. I don’t know if all my computers have working endpoint protection. I don’t know if anything other than the computers I bought is connected to my network. (There isn’t supposed to be anything else.) I don’t know how well my firewall is working, or if it is working at all. I don’t know if employees are taking files home and putting them on home computers. I don’t know if employees are using non-company computers on the company network.
What you don’t know you don’t know. Attackers have successfully penetrated your network and have been there for two months. (Not possible? Ask SolarWinds.) Most employees don’t know what will happen if ransomware gets onto the network. Your firewall is not properly configured. Attackers are sending out spam and attempting BEC (business email compromise) attacks from your network. You will learn of this shortly, when a customer is attacked.
The second class of missing knowledge (what you know you don’t know) is fairly straightforward to remedy. Educate yourself and your employees about the risks of cyber threats and their mitigations (security awareness training). Get help from a trusted advisor, someone who can educate you and assist in implementing remediations. In many cases, when you recognize a gap in your knowledge, you also recognize the risk that goes with it and can decide how urgently the gap needs closing. Do you need someone to examine your network? Should they do a full penetration test? Can they help you document what is living on your network and where your traffic is going to and coming from? These are things you need to know. There are things your employees need to know as well. What is the impact of them clicking on a bad link? How quickly can the business recover from that kind of mistake? Would jobs be in jeopardy? Employees need reasons to be careful.
The third class of knowledge (what you don’t know you don’t know) is a little harder to remedy. When it comes to security (or any other area, for that matter) you need to bring in someone with experience and expertise where you are lacking (in securing networks, perhaps). They may not know everything, but they are likely to know more than you do because, if they are worth hiring, they are investing time and effort to shrink the “don’t know” segments of their own security knowledge. Threats are evolving very fast, and yet phishing in some form is still behind a large share of compromises and breaches. SMB owners and managers don’t have the bandwidth to keep up, nor should they. They have a different mission: running the business at a profit. Getting the right security in place helps fulfill that mission.
There is a fourth class of knowledge that, to me, is more damaging than the two classes of “don’t know”. As the saying often attributed to Mark Twain goes, “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Examples of this include:
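Documenting what is living on your network is the concrete form of the questions above: compare the list of machines you bought against what the network actually shows, and compare both against what the endpoint console claims. The script below is an added example, not part of the original column or of any Ashton tool. The asset tags, MAC addresses, IP addresses, DHCP-lease-style lines and agent reports are all constructed for illustration, and the 30-day patch threshold is an assumption; in practice the lease lines would come from your DHCP server or switch ARP tables and the reports from your patch or EDR console.

```python
"""Reconcile purchased assets against observed hosts and endpoint-agent reports.

Added example with constructed data; not the column's or any vendor's code.
"""
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumption: older than this counts as "not up to date"

# What you know: the machines purchasing has records for (constructed, 5 of the 40).
PURCHASED = {
    # normalized MAC        : asset tag
    "aa:bb:cc:00:00:01": "RGC-LAPTOP-001",
    "aa:bb:cc:00:00:02": "RGC-LAPTOP-002",
    "aa:bb:cc:00:00:03": "RGC-DESKTOP-003",
    "aa:bb:cc:00:00:04": "RGC-DESKTOP-004",
    "aa:bb:cc:00:00:05": "RGC-LAPTOP-005",
}

# Constructed DHCP lease lines in the common "<expiry> <mac> <ip> <hostname>" shape.
LEASES = """\
1700000000 AA:BB:CC:00:00:01 10.0.1.10 rgc-laptop-001
1700000000 aa:bb:cc:00:00:02 10.0.1.11 rgc-laptop-002
1700000000 aa-bb-cc-00-00-03 10.0.1.12 rgc-desktop-003
1700000000 aa:bb:cc:00:00:04 10.0.1.13 rgc-desktop-004
1700000000 de:ad:be:ef:00:01 10.0.1.50 freds-macbook
1700000000 de:ad:be:ef:00:02 10.0.1.77 smart-tv-lobby
"""

# Constructed endpoint-agent report: what the EDR/patch console claims to know.
AGENT_REPORTS = {
    "RGC-LAPTOP-001": {"edr_running": True, "last_patch": date(2024, 3, 1)},
    "RGC-LAPTOP-002": {"edr_running": False, "last_patch": date(2024, 3, 5)},
    "RGC-DESKTOP-003": {"edr_running": True, "last_patch": date(2023, 11, 20)},
}


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so different tools' spellings compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; blank or short lines are skipped rather than crashing the run."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(normalize_mac(mac), ip, hostname))
    return leases


def reconcile(purchased, leases, reports, today, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Turn 'I don't know if...' into a list of specific findings per category."""
    seen_macs = {lease.mac for lease in leases}
    return {
        # On the wire but never purchased: personal laptops, IoT, or an attacker's box.
        "unknown_on_network": sorted(
            (l.mac, l.ip, l.hostname) for l in leases if l.mac not in purchased),
        # Bought, but neither on the network nor reporting: possibly taken home.
        "purchased_not_seen": sorted(
            tag for mac, tag in purchased.items()
            if mac not in seen_macs and tag not in reports),
        # On the network but silent to the console: agent missing or broken.
        "seen_but_not_reporting": sorted(
            tag for mac, tag in purchased.items()
            if mac in seen_macs and tag not in reports),
        "edr_not_running": sorted(
            tag for tag, r in reports.items() if not r["edr_running"]),
        "stale_patch": sorted(
            tag for tag, r in reports.items()
            if (today - r["last_patch"]).days > max_patch_age_days),
    }


def run_report(today=date(2024, 3, 10)):
    return reconcile(PURCHASED, parse_leases(LEASES), AGENT_REPORTS, today)


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category}: {items or 'none'}")
```

Each empty category is a "known" you have now checked; each non-empty one is a "known unknown" with a name on it. Re-running this after every change (a new hire, a new office, a new device) is what keeps "what we knew for sure" from quietly going stale.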
- “My employees know how to recognize a phishing email.”
- “My employees would never send a wire transfer without checking that it was valid.”
- “My employees would never email all our W-2 information to anyone.”
- “I know we have done enough to pass the audit, we don’t need to do more”
When we are sure of something, we see no need to worry about it. When it comes to security, that can be very dangerous. The threat landscape changes constantly. Employees come and go. Sally in accounts payable would never do anything without three kinds of cross-checks. She retired last May, and Fred, the new hire, is fresh out of college with very little business experience. Will he be as thorough as Sally? You added 500 square feet of office space and have wireless everywhere; it now reaches the parking lot as well. Is it secure? You have added several IoT devices to the network. Are they secure? Things change. Every time something changes, what we knew for sure becomes suspect and needs to be reviewed. If you want to find out whether your network, systems, and data are really secure, call Ashton Technology Solutions at 216 397-4080.