4 MUST-KEEP CYBER RESOLUTIONS FOR BUSINESS

December 29, 2015


Secure Halo

The New Year is almost here and you know what that means – a brand new set of cyber-related security challenges. Thankfully, there are ways to navigate the ominous waters of a dynamic threat environment so that you and your company can hold on to as much as possible of that most precious of data sets: Trade Secrets, Intellectual Property, and Customer Privacy Information.

We asked some Secure Halo experts for the New Year’s resolutions they recommend to help companies develop a mature security enterprise and face down the risks of 2016.

Armond Caglar, Senior Threat Specialist

Address Third Party Threats: You already heard about Target and countless other examples of companies that have suffered extraordinary loss as a result of cyber exposure originating from their vendors, suppliers, and other business dependencies. These kinds of third-party threats, steadily on the rise within the last couple of years, will continue to be overlooked in 2016. This is due to continued lack of awareness and vigilance about the security practices of third-party partners.

In 2016, if you find yourself in the market for a cloud service provider (CSP), and before signing any Service Level Agreement, remember to ask these vendors (and others) important questions about their security practices and what they will be doing in order to keep your precious data secure.

Specifically, you should inquire about their technical controls on three levels:

  1. Application layer controls, which address whether apps are well written;
  2. Data layer controls, where the last line of defense is often encryption;
  3. Access controls and the client user-base, which addresses concerns regarding privileged use and access control strength/consistency.

Remember, when it involves your company’s precious data, don’t take anything for granted and if you are not comfortable with a vendor’s cyber security culture or their implementation of industry best practices, exercise the power of the purse and find a mature vendor that takes this seriously.

Brendan Fitzpatrick, Enterprise Security Assessment Team Lead and Threat Analyst

Implement Effective Cyber Security Training: Increasing the effectiveness of your cyber security training is one of the biggest bangs for the security buck. What does effective cyber security training look like? In our capacity as enterprise security assessors, we have seen a number of training programs with vastly different capabilities. Within those organizations that demonstrate strong cyber security resilience, we have noted a few key factors that contribute to effective training programs:

  • Whether it is an interactive computer-based delivery or a classroom setting, training that engages a student increases the comprehension and retention of the material versus passive, slide-based presentations.
  • Organizations that deliver cyber security training throughout the year, instead of in one large training session, create training that is easier to digest, is responsive to the changing threat landscape, and that constantly reinforces the organization’s cyber security culture.
  • Effective organizations establish key training metrics to identify gaps and improve the quality of their training materials.
  • Mature cyber security training is specific to the organization and to the individual business or functional units, addressing the unique and specific threats that each of these units face.

An effective training program demonstrates to each employee the organization’s commitment to cyber security and enlists their help as a key component of that security. While not as easy as “fire and forget” slide show training, mature organizations find the extra effort pays large dividends.

Gabriel Whalen, TSC Insider Threat Senior Official, Behavioral Analyst

Recognize Insider Threat Vectors Are Not “Cyber”: While cybersecurity solutions tend to focus on computing – it’s a problem for the computer guys – Insider Threat is a human vector. Information technology certainly has a part to play, but is not the sole or star player. Some points to consider for your Insider Threat program:

  • Non-spectacular. Humans tend to over-emphasize and prepare for the spectacular attack, but the non-spectacular is far more likely. In other words, it’s more likely someone will leak details of a planned merger than carry out a “sophisticated cyber attack.”
  • Human Resources. They are your first responder and detector. Enable and empower your HR department to not only detect, but also mitigate employee issues, which lowers the risk of inadvertent and malicious insider threat.
  • Training: Humans are horrible at “if-then” tests, especially when it doesn’t affect them directly (e.g. protecting company intellectual property to keep America “safe”). Training does need to alert the employee to trigger behaviors or situations, but it must address immediate employee needs to be effective (e.g. if the company loses this contract, you won’t get a paycheck).
  • Public Relations: I predict that in 2016, industry will see a greater number of ideology-driven attacks from “cyber vigilantes.” Perhaps more now than at any time in history, company actions and relationships are open to public discovery. We are entering a new age of checks and balances. Companies that are insensitive to the public whim may expose themselves to more hacks and more inspired insider events.

Remember, humans precipitate Insider Threat events, not machines. Likewise, human behavior needs to be the focus of screening, training, and prevention.

Craig Guiliano, Director, Threat Analytics

Don’t overlook the obvious: Surprisingly enough, too many enterprises fail to implement even the most basic security protocols. As we welcome 2016, consider finally enforcing these simple, but often overlooked, best practices:

  • Password Length and Complexity – Passwords should be at least eight characters and contain upper and lowercase with at least one number and one special character. Please do not write it down. Consider that a very strong password should be at least 128 bits.
  • Multi-Factor Authentication – This simply adds another (or multiple) layer of authentication, in addition to your password. Think of it this way: what we know, what we have, and what we are, thus multiple ways to determine we are who we say we are when using our protected sites.
  • Use of a virtual private network (VPN) – Companies should require their employees to connect securely via VPNs to access files, applications, printers, and other resources on the office network without compromising security.
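The password rule above can be checked mechanically, and the same arithmetic shows how far an eight-character complex password is from the 128-bit figure the post mentions. This is an added example, not code from Secure Halo; it assumes the simple model that each character is drawn uniformly from the pool of character classes present, and uses Python's `string.punctuation` (32 symbols) as the set of "special characters".

```python
import math
import string

# Policy as stated in the post: at least eight characters, upper and lower case,
# at least one digit and at least one special character.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)  # 32 printable ASCII symbols (assumed definition)


def check_policy(password: str) -> list:
    """Return the names of the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def pool_size(password: str) -> int:
    """Size of the character pool implied by the classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: length * log2(pool), assuming uniformly random characters."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def min_length_for_bits(bits: int, pool: int = 26 + 26 + 10 + 32) -> int:
    """Shortest random password over `pool` symbols that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(pool))
```

Under this model an eight-character password from the full 94-symbol pool carries about 52 bits, so reaching the 128-bit mark the post cites takes roughly 20 random characters from that pool.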

The year ahead will undoubtedly bring a continued barrage of cybersecurity challenges, but organizations that stick to their cyber resolutions will be stronger and more resilient in 2016.
