Minimalism in cybersecurity

Three minimalist keys to improve security in the company

15/07/20 6 min. read

Minimalism is a trend that has been gaining great importance in recent years. Starting with its definition, the term minimalism, in its most general scope, is the tendency to reduce to the essential, to strip away excess elements.

Despite Marie Kondo’s success on Netflix, a minimalist life does not consist of filling garbage bags with unused clothes, unread books, key chains and gifts of the most varied kind, or sitting on the floor in the middle of an open room with Japanese decoration. The real essence is to focus on what is important, on what brings value to each of us and that many times we are not able to discover due to the “noise” around us.

All that “noise” has been transferred to the digital world in the form of constant notifications from WhatsApp groups, too many videoconferences, unread documents and 60 installed applications whose purpose we no longer remember. The direct result is more distractions and lower performance. In addition, and now we are entering the field of computer security, it causes another kind of collateral damage that is little talked about: the exponential increase in cyberthreats and therefore in the possibility of suffering a cybercrime.

There are three aspects that show how a minimalist approach can lead to a more resilient company prepared for the new security challenges of this digital age.

1. Attack surface 🥊

The attack surface is the totality of elements likely to have vulnerabilities that can be exploited by a natural incident or by a deliberate attack.

The increase in digitalization has led to an exponential increase in the surface area exposed to the Internet. This is true at a business level, with corporate websites, marketing campaign websites exposed to the Internet, multiple channels, the universe of APIs and the growing number of endpoints in companies, and at a personal level, with multiple devices connected to the Internet.

We have to live with this new reality, aware that as we create new solutions we must necessarily discard previous ones. Slimming down the digital structure is the great forgotten task of digital transformation; the excess is the fat that makes it difficult to feel light and advance properly. It is the anti-agile. The important thing here is to apply the same recipes that minimalism offers us for our domestic life:

  • Make a complete inventory of digital assets, segmenting by categories avoiding dispersion.
  • Evaluate each application and functionality one by one, “touch” it and feel which one makes us “happy” and brings value within the company.
  • Include the applications that do not generate value in the general plan for withdrawing and eliminating assets. It is not only obsolete assets that increase risk, but also the applications that are used less and by fewer people, and are therefore to some extent neglected by the company's security processes.

The goal is to close all the side doors that cybercriminals look for in order to compromise corporate networks.
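The three steps above (inventory by category, evaluate each asset, feed the ones without value into the elimination plan) can be sketched as follows. This is an added example, not code from the original post; the inventory records, field names and the two day thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory; every name and value here is illustrative.
INVENTORY = [
    {"name": "corp-website", "category": "web", "owner": "marketing",
     "internet_facing": True, "last_used": date(2020, 7, 10), "last_patched": date(2020, 6, 30)},
    {"name": "campaign-2017-site", "category": "web", "owner": None,
     "internet_facing": True, "last_used": date(2018, 1, 5), "last_patched": date(2017, 11, 2)},
    {"name": "orders-api-v1", "category": "api", "owner": "sales-it",
     "internet_facing": True, "last_used": date(2019, 9, 1), "last_patched": date(2019, 8, 15)},
    {"name": "orders-api-v2", "category": "api", "owner": "sales-it",
     "internet_facing": True, "last_used": date(2020, 7, 14), "last_patched": date(2020, 7, 1)},
    {"name": "legacy-expenses-app", "category": "internal-app", "owner": "finance",
     "internet_facing": False, "last_used": date(2020, 2, 1), "last_patched": date(2019, 3, 20)},
]

UNUSED_AFTER_DAYS = 180   # assumed threshold for "no longer brings value"
STALE_PATCH_DAYS = 90     # assumed threshold for "neglected by security processes"

def triage(inventory, today):
    """Return {category: [(name, reasons), ...]} of elimination candidates,
    ordered within each category by number of reasons."""
    plan = defaultdict(list)
    for asset in inventory:
        reasons = []
        if asset["owner"] is None:
            reasons.append("no owner")
        if (today - asset["last_used"]).days > UNUSED_AFTER_DAYS:
            reasons.append("unused")
        # An asset still in use with old patches needs patching, not removal;
        # patch age and exposure only raise priority for existing candidates.
        if reasons and (today - asset["last_patched"]).days > STALE_PATCH_DAYS:
            reasons.append("stale patches")
        if reasons and asset["internet_facing"]:
            reasons.append("internet-facing")
        if reasons:
            plan[asset["category"]].append((asset["name"], reasons))
    for items in plan.values():
        items.sort(key=lambda item: len(item[1]), reverse=True)
    return dict(plan)

if __name__ == "__main__":
    for category, items in triage(INVENTORY, date(2020, 7, 15)).items():
        print(category)
        for name, reasons in items:
            print(f"  {name}: {', '.join(reasons)}")
```

The same triage applies to the shared resources and installed applications discussed in the next two sections, with last access time and owner as the inputs.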

2. Access control and privileged accounts 📱

With the implementation of new collaborative models, in addition to traditional access to business applications, application and system accounts, we find that each of us manages an unlimited number of shared resources, sharepoints, channels and individual access to files with personal and/or confidential data. All this demands that access control and identity management teams find new alternatives to simplify the revocation of accounts and shared resources.

The key here is not to tidy up and clean up the house while the junk comes back to collect dust every day. The key is to continually remove all resources that no longer provide value. Here too, users must be the first line of defense, deleting unnecessary shared resources. To do this they must be given the awareness and tools to manage this complexity, making the seemingly complex simple.

It is clear that nobody likes to be “complicit” in a security incident, but most of the time attackers take advantage of abandoned files with sensitive information or valid access credentials to achieve their objectives.

3. Unused applications and programs ⚙️

Almost all employees in a company have one or more mobile devices at their disposal. All these devices need to be patched at several levels: Android/iOS version, each and every installed app, digital certificates, VPN channels and authentication mechanisms, and even at the hardware level where emerging threats have been located.

Again, a coordinated exercise between IT, Cybersecurity and the end user is necessary in order to identify applications, programs and extensions that are not used but significantly increase the maintenance burden. Any of them can end up as an open vulnerability that an attacker exploits to compromise a user device.

It is increasingly common for companies to launch phishing awareness campaigns for their customers and employees. This is a vital aspect, but it is no less important that, after an initial malware infection on a user’s device, an attacker can escalate privileges or move laterally by taking advantage of a vulnerability in another user’s device or in a server. The fewer unused applications, programs and resources available to the potential attacker at that time, the greater the chances of limiting the impact of a potential intrusion.

By taking advantage of the concepts of existential minimalism, we will be able to make our organization a safer, more results-oriented environment, and people will feel a reduction in the anxiety caused by complexity and uncontrolled multitasking:

  1. Focus on the essentials
  2. Less is more
  3. Quality versus quantity
  4. Organization without time consumption.
  5. Enjoy the silence

In short, an organization where cyber security is not intrusive, applications are made invisible, processes are simplified and technology is at the service of people.

Ismael Alonso

Santander Global Tech

Computer engineer, working in cybersecurity within the global incident response area. I love to be involved in developing new disruptive projects and giving ideas that come true. I also love sports and music. Nowadays I keep playing within a small music group from my hometown and never lose any of my neighborhood football matches.
