By Don Gardner
When Michelle Matte was a child, she said her grandma kept a Louisville Slugger baseball bat by the side of her bed.
She could never understand it, because, while her grandpa loved baseball, her grandma hated it.
One day, she summoned up the courage to ask her grandma why she kept the baseball bat at her bedside, even though she hated the game.
“Security,” grandma said.
Confused, young Michelle told her grandma that she’d never seen her use the bat.
Grandma stopped what she was doing, turned to Michelle and said, “I’d rather have security and not need it rather than desperately need it and not have it.”
Hopefully, Grandma never had to swing that baseball bat in the name of security. But the message she shared with Matte has stuck with her to this day and seemingly pointed her to a future career path. Matte is now an information systems security engineer with the U.S. Army CCDC Ground Vehicle Systems Center. She is a cybersecurity expert, dealing with compliance and governance. She’s swinging away at bad guys, not with a piece of maple but with powerful technology and a desire to stay ahead of the game.
Matte was the keynote speaker Oct. 19 for the Macomb Next Industry 4.0 cybersecurity workshop, presented by the Macomb County Department of Planning and Economic Development and the Velocity Center in Sterling Heights.
“That message from my grandma stayed with me to this day,” Matte said. “I’ve applied it to my career, and I’ve applied it to my life.”
Matte’s message to a packed crowd of businesspeople, cybersecurity students and other stakeholders was that cybersecurity is essential in today’s world, and there is no excuse not to have it.
And she’s heard all of the excuses – it’s too expensive, my company is too small to be attacked, and it’s all too confusing and difficult to implement.
But Matte said no excuse is good enough, because the threat of cyberattack is everywhere, from external forces and internal ones.
“Hollywood has done a great job of portraying hackers as shadowy figures in a dark room with a hoodie over their head. But they don’t always look like that,” Matte said.
Hackers can be external but also internal, Matte added. Some are wearing black hats – malicious people trying to steal information or money for their own personal gain. But others are wearing white hats – they have good intentions, trying to make sure no one gets into their organization’s network.
The most obvious threats are those working from the outside trying to hack in. They use social engineering and try to poke holes in an organization’s defenses. But Matte said the threats most often ignored are the ones that come from the inside – a bad actor repeatedly engaging in bad behavior; a disgruntled employee trying to hurt the organization; or an oblivious employee whose actions unknowingly hurt the company.
“Those are the ones that I have nightmares about,” Matte said. “They are already with your company. These are the people that you drink coffee with. These are people who know your family, and they have a username and password to your organization. They have a badge to your building. They have a company-issued tablet or PC. Does that scare you? It scares me.”
And add threats from Mother Nature such as floods, tornadoes, ice storms or extreme temperatures, and one comes to the realization that there is a recipe for constant, 24-hour cybersecurity threats.
“How many of us have held the door open for individuals coming into our place of work or school?” Matte said. “How many of you have opened up emails that looked legit? I sure have. Stop being nice. Stop holding the doors open. I know it goes against our nature. But at some point we have to make sure that we don’t let the bad guys in.”
So how are these threats combated? Matte recommends a strategy called “Defense in Depth,” which uses multiple layers of security for holistic protection, including:
- DNS Security
- Intrusion detection and protection
- Patch management
- Password policy
- Antivirus/anti-malware protection
- Backup and recovery
- Annual security awareness training
Following cybersecurity protocols protects financial assets, an organization’s reputation and company and personal data. And some, but not all, industries have federal laws requiring cybersecurity compliance.
Cybersecurity is not a one-size-fits-all protection plan. Matte recommended looking into several security framework organizations, including the National Institute of Standards and Technology (NIST); Control Objectives for Information and Related Technologies (COBIT); and the Information Technology Infrastructure Library (ITIL).
And she suggested looking into PCI-DSS, HIPAA, HITRUST, GLBA and FedRAMP as compliance frameworks.
The quickest way to ramp up cybersecurity protection in a workplace environment is to implement password policies.
“Change your passwords often. And if you’re worried that your user base is not going to remember their new password or complain about it, look into investing into a password vault solution,” Matte said. “That way, you don’t have to worry about it. And they’re not going to be giving their passwords to their neighbors.”
Password vaults keep passwords and digital records safe in a centralized vault. A multifactor solution is another option, Matte said, which requires the user to enter more information than just the password.
Other suggestions Matte offered include a mobile device management solution – a policy to manage cell phone, laptop and tablet devices; antivirus/anti-malware applications; and hiring a security professional.
“These are so minor, but they are going to have a huge impact,” Matte said. “There is no way we’re going to get rid of all of the threats. So we have to put forth a good defense at least. Put up a struggle, put up a fight to reduce the amount of threats out there. Honestly, if you’re doing something, you’re doing more than most.”
Don Gardner is a communications specialist for the Macomb County Department of Planning and Economic Development.