24

Jun 2020

Adversary mindset development for small business

bdungey blog 0 Comments
adversary mindset

Yes, it’s sort of cliche to start off an article about cybersecurity with a quote from The Art of War, but I think it’s ultimately worth reviewing. When you’re considering exploring an adversary mindset, you’re really practicing the old-time lessons of military leadership. Especially in the small business space, where cybersecurity is mostly offloaded to similarly small IT providers or ignored altogether, thought exercises are free and helpful.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

Sun Tzu, The Art of War

I started with a few articles on well-known sources to parse the content for ideas that most writers on the subject seem to agree on. When applied to the small business landscape, it’s the same idea. Only, in the SMB space, there’s less money to throw at the problem of cyber threats. Especially in organizations where funds are sparse, leadership will often have to take a ‘best option’ where technical advice will almost always push for the ‘cover all your bases’ approach. In those instances, exploring the adversary mindset is cheap, available and easy to execute.

When I’m speaking at cybersecurity workshops or conferences, the way I bridge into this discussion is a quick look at our tendency, generally speaking, to be nice people. Too often, it’s difficult for good people to recognize they are being actively targeted. I like to tell the audience in these presentations that people make decisions to hurt other people, property and ideas all the time. For that reason, the very first step in looking at the adversary mindset is adapting your course of reasoning to accept the idea that people are targeting you. Actively or passively, you have sensitive, valuable information – that makes you a target.

Never had to think about that before and maybe feeling a little uncomfortable about it?

Good.

Set a day to actively analyze your business from the perspective of an adversary. Begin by making a note to pause before you set about the ordinary tasks of your day.

For example, when you pull up to your parking spot, what do you see?

How many entrances to your organization are open to the public but have no / low security measures in place to record or restrict access to the building?

From the very start of your day, navigate the regular tasks of your job with an eye for observing the holes a bad actor could use to do damage to your organization. Those are the very risks your organization is exposed to that can be patched with controls. Some of those controls (Managed Anti-Virus, Backups, Staff awareness training) can be mitigated with minimal overall cost. Others – if you had to install a security camera system, could be more expensive. Simply identifying those risks with an easy observation exercise can likely be absolutely free for small business owners. With a little investment of time and energy, an adversary mindset can expose the holes in your wall and allow you to better focus on the biggest problems first.

Adversary mindset training is a key feature of red teams in the realm of cybersecurity. It’s got different gradations of depth – and that’s a key point for small business owners. With a sharp focus on surface-level thinking, I believe small business owners would do well to throw this against their understanding of the infrastructure responsible for bringing in the bucks. After all, the data that makes up your customer records, patient files and intellectual property on those digital databases are predicated on the skills of your team – but it’s still digital data.

So, host a hackathon. At your next staff meeting, ask for open ideas about how a bad guy might affect your business.

Or, take a half day to slowly walk through your organization and view your assets through the lens of a bad actor.

Hit the easy stuff first:

  • Are there any sticky notes with user names and passwords pasted to the bottom of monitors?
  • Is your server kept behind a locked door?
  • Has your CCTV system been tested to recall recorded footage?
  • Can your customer-facing WiFi touch the rest of your network?
  • If you label a spare USB key with “employee bonuses” and leave it near a high-traffic area, is it picked up?
  • If you sent an email to one of your staff members that was widely outside the spectrum of communication that you normally send, do they report it?

Of course, the process of red teaming your business should be left to qualified professionals. There is no substitute for field-tested, educated security professionals – but that’s the point. In the small business sphere, there’s a lot of ‘make-do’ effort applied to common business problems. Cybersecurity has a little wiggle room – it’s not nearly well enough to replace genuine security controls, but a heads-up approach to buying into the adversary mindset will keep you sharp, and that’s all any cybersecurity professional really wants from their client.

If you want more information on keeping current with cybersecurity with specific, actionable advice for small business – contact us!