Security Think Tank: Don’t trust the weakest link? Don’t trust any link

“Secure as the weakest link.” I hear that a lot, but your security model should not fall apart just because a part of your business, or a business partner, has weak security.

Your security model should be able to cope with vulnerable parts of the organisation, and not throw a wobbly as soon as a part of it falters.

The term “secure as the weakest link” implies that all parts of the business and everything that links each part together is of an equal footing and trust level to everything else.

In the industry, we call this a flat, unsegmented network, as was common when someone decided it was a good idea to pull all the walls down so that businesses go faster.

This is why information-centric security models are a must for your business.

You should be able to connect your business with entities operating in the most hostile areas of the world, in full knowledge there are state-sponsored eyes looking at you. And in full knowledge that some of your staff are probably on the books of criminal organisations and are paid to exfiltrate data.

So, I’m going to take the term “secure as the weakest link” and say instead “don’t trust the weakest link”.

In fact, don’t trust any link.

“Once your information or critical assets have been compromised, you will never get them back”

Operate under the assumption you’re already compromised, as a lot of business probably are, and do your upmost to protect what is critical to your business, at source.

Lock up your crown jewels, monitor who is going in and out, don’t give the whole world access, trust no one, implement zero-trust properly, and prepare for heavy repercussions if you’ve just gone and trusted one of your “weakest links”.

Because once your information or critical assets have been compromised, you will never get them back.