We’ve recently learned of some very bad microcomputer vulnerabilities that even Google is calling the worst in a decade: Spectre, Meltdown, and - in the last 24-hours - a new BIOS-level attack against a machine has been announced.
Still, if we’re to borrow some excellent advice from Douglas Adams, Don’t Panic. Stay froody, grab your towel, and order a Pan-Galactic Gargle Blaster. It’s going to be what it’s going to be.
You have to get kind of Zen over computer vulnerabilities and here’s the reason why.
There is no spoon.
Well, actually, that’s from The Matrix but it’s the first thing that comes to mind.
There is no such thing as absolute security.
This is a true axiom in many things. We’re at risk the moment we sit behind the wheel of a vehicle; when we walk down the street in a public square; when we decide to start a business. There are always risks. And there’s a lot of rapidly-evolving risks with microcomputers. That’s the way it’s always been, and that’s the way it’ll always be.
If you accept that distributed computing is always going to be risky and that security isn’t absolute, you’ll be in a better position to manage the recent news. It isn’t scary. It just is.
The fact is that the safeguards that we implement today are the same safeguards we implemented yesterday, and that we’d continue to implement tomorrow. If you’re a small business, the strategy for safeguarding your IT assets is a constant.
Strong Administrative Controls - Vigilance. Management directives in the form of policies and procedures govern a company’s reaction to these kinds of problems. Your business should have a documented approach to managing IT assets that help weather risk. Follow your directives. Manage user expectations. Manage your assets. Pay attention to risk and slightly alter your course where it’s necessary.
Solid Technical Controls. You’ve got strong passwords, 2FA, intrusion detection and prevention, good firewall rules, a standardized process for managing user access, a view of the assets under your control. All of these are technical factors that help secure your computers and networking equipment. Although we’d be fools to assume we’ve enough safeguards to counter all risk, we’re still conscious of our controls and put faith in their ability to protect our systems.
Updates and Patches. Security in the microcomputer arena is an ever-moving target. It’s best practice to constantly apply new updates and patches from software providers and hardware OEM’s. It’s just the right thing to do. If we keep managing those updates, we’re going to receive the necessary software to improve our security posture.
Planned Retirement and Acquisition. All computers die. All networking equipment eventually ages. There should be a plan to retire assets according to a managed schedule. Some assets may be older and - indeed - more vulnerable, but we should already have a process in-place to both plan for the acquisition of new equipment and the disposition of old machines, so that our company is less-vulnerable over time.
Audit and Corrective Action. Finally, we can’t rely entirely on assumption. We can’t assume that everything we do (from crafting good policies, to implementing strong technical controls, to updating our systems regularly, and from retiring older assets) is perfect. Remember: there is no spoon. We need to check on it. We need to validate that what we’re doing is working. The only way to do that is to investigate the results of our strategy, report on our mistakes or misfortunes, and implement stronger controls to prevent the bad stuff from happening again.
Nothing of what I’m saying here is new. If it is, then you’re likely more at risk anyway because you’ve made some assumptions about your security posture and you’re not verifying those assumptions. You’re hoping that everything will be okay. That’s not management. Managing implies control, oversight, the awareness of risk, organizational learning.
So don’t sweat the bad news. Don’t Panic. There’ll always be more bad news.
The good news is - if you’re following these five guidelines - you’re as prepared for it tomorrow as you were yesterday. Everything is going to … be.