Here at Networks Unlimited Africa, we are applying the ‘broken window’ principle when looking at our internal cybersecurity posture and how it affects business processes.
The term ‘Broken window’ comes from George Kelling, a criminologist, who wrote in 1982 that, “social psychologists and police officers tend to agree that if a window in a building is broken and is left unrepaired, all the rest of the windows will soon be broken… vandalism can occur anywhere once communal barriers…are lowered by actions that seem to signal that ‘no one cares’.” This theory had also been the subject of experiments previously (1969) by a professor at Stanford University, Philip Zimbardo.
Zimbardo arranged to have a car without licence plates parked with its hood up on a street in the Bronx, New York City, and a similar vehicle parked on a wealthier street in an area in California. The poorest neighbourhoods in the Bronx, in terms of approximate average income, are also the poorest areas of New York City overall.
The car in the Bronx was attacked by vandals within 10 minutes of its abandonment and within 24 hours, virtually everything of value had been removed, after which further random destruction began. In contrast, the car in California sat untouched for more than a week – until Zimbardo smashed part of it with a sledgehammer. Within a few hours, this car had also been turned upside down and destroyed.
The moral of the story appears to be that, whether your property is in a ‘good’ or ‘bad’ neighbourhood, once a window is broken, people then feel that they are able to damage and steal with impunity, and without any major fear of reprisals. Kelling says that: “…vandalism can occur anywhere once communal barriers – the sense of mutual regard and the obligations of civility – are lowered by actions that seem to signal that ‘no one cares’.”
So how does this theory fit into the area of IT and its role in business?
There is not normally a way for an external party to see that there are any ‘broken windows’ in a company’s cybersecurity. We are therefore applying a ‘Broken window, broken business’ principle when looking at our internal cybersecurity posture.
This means, in essence, making sure that you have no ‘broken windows’ or gaps in your security through which uninvited elements could enter. In order to do this, you first need to create a firm baseline to develop your posture.
Your foundations are basic networks and segmentation, which can be achieved either in-house or outsourced to a third-party expert for a small fee. We see a lot of companies overlooking the basics and then, at a later stage, getting caught in the trap of needing to acquire solutions to plug security gaps. This could become very expensive.
We advise that, when looking to build any network and adding security on top of this, it is important to ensure that you are using human resources who are certified within their respective fields. Smaller organisations often make the mistake of using a ‘just enough’ mentality to get the network operating.
As a first step to ensure you cover all bases, ascertain whether there are any cracks in your posture – in essence, a ‘broken window’. A lack of proper network segmentation, as well as inadequate password management and a vulnerable email security, are all factors that can act as broken policies.
Additionally, the endpoint is one of the most crucial vectors for attack, especially considering the current, significantly increased number of employees working from home. This is a true ‘broken window’ potential.
Organisations must ensure that endpoints are protected by a next-generation anti-virus and thereby closely monitored for any malicious activity. Traditional anti-virus has become irrelevant due to the evolution of attacks such a file-less attacks. Additionally, the endpoint needs to be able to create a secure connection to the private network at head office.
In conclusion, companies need to adopt a ‘broken window’ attitude when reviewing their cybersecurity posture. Establishing and maintaining the fundamentals is crucial in ensuring your environment does not fall into disrepair, and make it an appealing target to cybercriminals. If a strong foundational plan addressing the points we have discussed is maintained, your posture will remain strong, ensuring your organisation is as well protected as it can be.
By Stefan van de Giessen: General Manager of Cybersecurity at Networks Unlimited Africa
