Building a healthy immune system involves a lot of factors. Sleep, healthy food, good hygiene, and even some exposure to bugs (especially when you are a kid).
Building a cyber risk immune system is a lot like that as well. There are preventive measures like cyber tools, staff training, and everyday approaches that are the cyber equivalent of washing your hands. And, of course, there are ways to test the cyber immune system to see how well it stands up to attacks.
But, like building a healthy immune system, you can’t focus on one component alone. Here are the building blocks of a healthy cyber risk immune system.
Start with Cyber Standards
“NIST is the gold standard. We typically apply this framework for (our) customers,” explains Greg Manson, Tego’s Vice President of Security, Audit, and Compliance. “But there are others to look at like the ISO 27001, 27002, and the SOC (System and Organization Controls) standards.” But these standards and frameworks aren’t a one-time, check-the-box-and-forget-it exercise. It’s critical to test against the standards on an ongoing basis.
Incorporate a Physical Security Review
In a world where many people work remotely, we sometimes forget that many organizations are still wired into the physical world. Schools, doctors’ offices, retailers, factories, hospitals, and building sites must be physically secured against cyber criminals.
While door locks and cameras would seem more important for keeping physical items from disappearing, they are also critical to keeping cybercriminals from accessing laptops, servers, IT offices, and even written information (such as patient records in doctors’ offices), which can lead to identity theft.
Focus on Application Security
Firewalls, endpoints, and other types of internal computer-based security are common. The applications themselves, though, aren’t always thoroughly reviewed for weak points. “That problem is almost universal,” Manson says. A few questions to ask about application access:
- Are logins unique and never shared?
- Are domain administrator accounts segregated from daily activities?
- Do you know who can access what type of data, and are those privileges audited frequently?
- Is there a careful and thorough review of access that must be shut off when someone offboards?
Protect Against the Accidental or Intentional Inside Job
Manson says companies often rely too much on the security stack that sits on top of the data. The thought is that a robust security stack will repel all intrusions. But social engineering and multi-factor authentication fatigue attacks are real. Cybercriminals can trick your employees into giving away passwords and access information. And contractors and vendors, who rarely get the same training as employees, are a weak link. See the Uber hack. Training and awareness for anyone accessing your internal systems is critical.
Run Data Risk Assessments
Think about what data is most important to keep safe. Personal information tops the list, as does financial information. Tools with pre-built risk assessments can help you automatically classify data in a logical manner that helps protect it. This technology will help security auditors find problem areas – like M365 links that were accidentally set to public, along with stale data that should be purged. It also helps you find internal global settings that expose data to many more people than need to see or use it.
Real-World Tests are Critical
While alignment with frameworks and tools reduces the risk of an adverse event, you still have to be prepared for one. This is where testing comes in, not only of system robustness but of the organization’s response. Tego organizes tests that find flaws, from misconfigured software to notification gaps.
“The real magic piece is testing,” Manson says. “It’s actually sitting in a safe situation to test how you will respond. You don’t have to just test for a broad ransomware event. It could be an incident causing your ticketing system to fail.”
Testing helps you understand what people, processes, and technology you need to improve to avoid a costly and image-harming event.