Latest News

Rob Chapman, Director of Security Architecture, Cybera on Cybersecurity and “Limiting Blast Radius”

October is National Cybersecurity Awareness Month (NCSAM), as designated by the U.S. Department of Homeland Security. This year, as the U.S. Department of Homeland Security website has advised that the focus is on “Do Your Part. #BeCyberSmart.”

Rob Chapman, Director of Security Architecture, Cybera has offered the following thoughts on cybersecurity:

“I asked a colleague once if he would be willing to speak to our IT department at a lunch and learn event. He was a security professional that was hired to hack companies. He readily agreed and promptly showed up with one of the most memorable presentations I’ve seen. The presentation was simply titled, ‘How I Will Phish You.’ It wasn’t a question of if he would be successful. It was simply understood he would be. He wouldn’t get everyone, but he would get someone — and that was all that mattered.

What was remarkable about his presentation was that it wasn’t a story of how he used super-computer hacking skills to tackle exotic computer programming issues. Rather it was a story of how people over the last 15 years have been so desensitized to putting personal information online for free that it was simply the easiest way to attack companies. His job gets easier each and every year simply because the hardest part of securing our personal and work lives depends on the weakest security facet we face: people. We’ve been playing to lose.

Since the mainstreaming of computers in the workplace I can’t think of a single time when someone’s online behavior impacted a company’s security posture as much as it does today. It’s a tough landscape to navigate. You can warn your colleagues but at the end of the day there’s only so much reasonable reach you can have with company policy.

It’s easy to think this is just a matter of personal responsibility, but I think people give themselves too much credit for independent thinking and action in the face of a marketing efforts to solicit that information from them. There’s no barometer for what to share. No intuition. Billions are spent each year building algorithms designed to attract this exact kind of oversharing. Each social media platform for work and life wants to know where I am, where I’ve been, my relationship status, my work status, where I’ve eaten, what I like, who I vote for, and on and on. We’re rewarded with faster connections online and platforms that cater ever more carefully to what we want. The most insidious part is that it’s become so automatic that we don’t even stop to ask, ‘Is this a good idea?’

The best advice I can offer is this. Limit your organization’s blast radius. Limiting blast radius is something we don’t talk as much about, but it’s probably one of the most important architectural efforts you can make. It simply starts with the question, ‘If the worst happens how small can I make the impact?’

Here are a few things that can be done to limit the blast radius of the potential damage your employees can do whether it’s phishing, ransomware, or simple carelessness.

1. Enable multi-factor authentication on everything.
2. Remove unnecessary admin rights.
3. Design your networks to limit access to only what’s needed.
4. Plan for the worst and practice your plan. Tabletop exercises can reveal gaps that are easy to fix before the real thing gets you.”

Learn more: