Welcome to Rothstein Publishing!
Don’t WannaCry? Cyber Security Starts With Sound Information Security Policies

We all know we need to update our software, backup our critical data, install and maintain antimalware software and firewalls, manage robust contingency and recovery plans, not open funky emails, audit everything, blah blah blah. So what’s wrong with us? Why don’t we all do these things consistently?

I’d like to think that everything we have been lectured, reminded, scolded, chastised, and even ridiculed about in the way of protecting our digital assets is doable and reasonable, but face it – sometimes it’s not. Costs, number of hours in the day, distractions, urgent priorities, sleep, other crises, get in the way. Or, to put it simply, we get lazy or “have better things to do.”

Then, wham – your drive crashes, WannaCry makes you cry, your computer zigs when it’s supposed to zag, humans be humans, whatever. Suddenly all that stuff hurtles to the top of the list, and you’re scrod (that’s the past pluperfect tense, BTW).

Just so you know, it’s Business Continuity Awareness Week – timing is impeccable! If you haven’t already been bombarded with stuff to add to your to-do list this week thanks to ransomware, check out Preparing for the threat of digital disruption. Symantec is an excellent resource. While WannaCry may turn out to be another Y2K downer, ya never know…

We’re pretty good at protecting Rothstein Associates’ digital assets – we back up data on multiple schedules with multiple tools in multiple, secure locations; our hardware, software, firewalls and antimalware are robust and up to date; we’re not perfect, but we are more careful than most.

So, if I can offer one piece of cybersecurity advice, it’s quite simple – start somewhere. Pick your weakest link, toughen it, and move on. For our team, it’s been explicit information security policies. Essentially, we’ve been doing most of the right things, but hadn’t formalized them. And, as Rothstein Publishing’s team has grown, our assumptions about cybersecurity and resilience have… not always been born out in fact.

We’ve been looking at our policies, procedures and practices, and finding disconnects, and we’re cleaning them up. I have to say, though, it’s a whole lot easier to work from a firm foundation based on policies rather than reactively plugging holes.

So – yes, this part is a subtle sales pitch – we’ve been using a tool we’ve known for two decades, Information Security Policies Made Easy.  Here’s the blurb:

Information Security Policies Made Easy is the “gold standard” information security policy template library, with over 1500 pre-written information security policies covering over 200 security topics. Based on the 25 year consulting experience of Charles Cresson Wood, CISSP, CISA, it is the most widely used policy library in the world, with over 10,000 customers in 60 countries. Take the work out of creating, writing, and implementing security policies.

You can buy it here.

–   Philip Jan Rothstein, FBCI