October 2020
4 Min Read
Cybersecurity 101: Protect & Detect – Part Three
Now it is time to begin the search for security solutions that fit into the business. The goal here is to understand, by category, the controls that exist, so that the proper fit becomes clear. While many terms get floated, there are three verticals to start with. These are arranged to work from top to bottom, from the simplest to the most complex.
Administrative Controls – these are often non-technical and can usually be the first line of defense and provide the greatest returns. Mitigating risk can be as simple as writing a policy that is approved by management and enforced by compliance or HR.
Examples: Approvals, Checklists, Manuals, Policies, Procedures, Testing, Workflows
Physical Controls – these, as the name implies, provide real-world measures for the environment in which the business operates. It is important to be mindful of not only the perimeter but also the people who access the space. Typical office locations might be simple, but unique environments can present challenges.
Examples: Biometrics, Cameras, Fire Suppression, Keycards, Locked Access, Staffed Security
Technical Controls – these are usually the first thought when it comes to cybersecurity and can be the most complex. This category requires further breakdown, and some examples may help with context. The idea is to understand that each entry point below presents an independent way into the business.
Entry Point | Description | Examples of Tools |
Application & Data | Application or website made by the business for public consumption; files used by staff | Encryption/Keys |
Endpoint & Mobile | Computers used by staff; mobile phones/tablets | Antivirus/VPN |
Identity & Access | Verifying the individual/staff member; only information one needs to know | 2 Factor Authentication |
Messaging | Communication mediums | E-mail/Office 365/Slack |
Network | Office computer architecture | Firewalls/Switches |
The last thing worth pointing out is that in small businesses, there may not be the staff or resources available to perform this level of implementation. There may be a managed service provider in place who oversees all the technology. That does not prevent management from driving these conversations and understanding conceptually what is being done.
While this step might be the most technologically complicated and have the most moving parts, the primary focus is to create an understanding of the solutions for either reducing or eliminating the risks presented. It is also worth looking at two or three comparable solutions, just like getting a quote for home renovations. Everyone has a different angle in security which might change the original perspective or offer up new ideas. Next, we will look at how to finalize decisions that might require budget approvals or significant changes to the existing business cadence.