As 2015 wound down, one of the few givens besides the ball dropping in Times Square was the onslaught of “2016 Top Cybersecurity (fill in the blank)” lists that are still filling email inboxes. Regardless of industry or size, organizations perennially struggle with cybersecurity – often not for lack of effort. Experience has taught us that the downfall of these organizations is frequently a lack of focus on “Security 101” items – that is, security basics.
The top three areas in which we see issues in organizations of nearly any makeup and size are passwords, patches, and permissions.
The shiniest tools and technology – from data loss prevention software to network access control solutions, from security information and event management systems to mobile device management and enterprise mobility management solutions – rely on a strong IT security foundation. If that foundation is not strong, problems with weak passwords, poor patch management, and data access permissions that are not restricted by role are likely to lead to a breach in security.
A recent article in The Wall Street Journal, “Banks Battle Staffers’ Vulnerability to Hacks,” identifies thumb drives, mobile device security, and spear phishing as a few of the top cybersecurity issues at financial institutions. The article goes as far as to blame employees for all cybersecurity issues.
Although employee behavior can be the weakest link in the cybersecurity fence in any industry, organizations must not forget to tend to the security basics as well:
- Passwords should be eight characters or more, complex, and changed regularly. The schedule for changing passwords should be based on password complexity and the risk environment of the organization.
  - Tip: There are plug-ins for the Microsoft® Active Directory® interface that verify whether passwords meeting your policy are actually secure. A password such as “Password1” is technically a complex password, but it is not secure because it is easy to guess.
  - Trick: Make and enforce the policy throughout the whole organization. For example, don’t forget about third-party-facing applications, applications not integrated with Active Directory, and other systems such as firewalls, routers, and local accounts on servers.
- Patches are not very exciting, but they are needed to secure systems. Evaluate your organization’s patch management program to see whether workstations and servers – as well as applications, network devices, and legacy systems – are being patched effectively. Determine whether there are mobile devices that need patching, too. Assess the patches needed and the resources available to apply them, then rework the program based on scope, resources, and controls. Many IT organizations struggle with patch management policies that were not written or endorsed by IT. Take control of the situation by writing and implementing a policy that will work.
- Permissions are a bigger burden than patches and generally are not controlled centrally. Permissions are applied via Active Directory for some applications, network drives, and shared folders – but what about websites? How does your organization control permissions to access Internet-based services? Does everyone in the organization, even IT, have the same permissions?
  - Tip: Push as much of the workload of applying permissions as possible to each business line, and then use IT resources to review all technologies that are not specific to a business line.
  - Trick: Implement one set of changes for a subset of employees at a time so that you can fine-tune and tweak the process instead of shutting off access to certain services for the entire organization at once. Anticipate the impact the permission implementation will have on your help desk.
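One way to implement the check behind the password tip above, as an added example (not one of the Active Directory plug-ins the post mentions, nor code from the original post): a password is first tested against a Windows-style complexity rule (assumed here as eight or more characters and at least three of four character classes), then against a small constructed list of common base words so that a “Password1”-style password that passes the policy is still rejected as guessable.

```python
import re

# Constructed sample of base words attackers try first; a real deployment
# would load a much larger banned-word list.
COMMON_BASE_WORDS = {
    "password", "welcome", "summer", "winter", "letmein", "qwerty", "admin",
}

# Common character substitutions that make a word look "complex" without
# making it harder to guess (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(pw: str, min_length: int = 8) -> bool:
    """Assumed policy: min length plus at least three of four character classes."""
    if len(pw) < min_length:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def is_guessable(pw: str) -> bool:
    """True when the password is a common word dressed up with a numeric or
    symbol suffix/prefix and/or leet substitutions (e.g. Password1, P@ssw0rd!)."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # drop 'Summer2016!' -> 'summer'
    core = core.translate(LEET)                     # undo p@ssw0rd -> password
    return core in COMMON_BASE_WORDS


def evaluate(pw: str) -> str:
    """Policy verdict: complexity first, then the 'easy to guess' check."""
    if not meets_complexity(pw):
        return "rejected: does not meet complexity policy"
    if is_guessable(pw):
        return "rejected: meets policy but is easy to guess"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "short1A", "Tr0ub4dor&3"]:
        print(f"{candidate:14} -> {evaluate(candidate)}")
```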
So as 2016 unfolds, let’s not shrug our shoulders at the mundane and tedious tasks that constitute security basics; instead, take them on. Passwords, patches, and permissions may be boring as well as challenging to tackle, but doing so will improve the cybersecurity posture of your organization. And, if you are one of the lucky ones with a budget to buy one of those shiny, new tools in 2016, attending to security basics will make its implementation that much easier.