Mediaplanet: How to Keep Your Network Safe and Protect Your Company’s Crown Jewels
September 16, 2019
For those who are unfamiliar, what are the major red flags to look out for that could indicate a phishing email?
Phishing emails are the most common way hackers can gain access to your company’s network. It’s unlikely that the Prince of Nigeria is messaging you to give you part of his fortune, or your CEO messages you out of the blue asking you to download a file. Every member of your organization must be trained on what to look out for because your people really are the weakest link.
Some quick tips are:
- Be aware of who the email is coming from — is the “reply to” email different from the sender’s email?
- Does the message seem odd or out of context?
- Is there poor grammar and punctuation?
- Are there any attachments or any links? Either way, don’t open attachments or click on any links if you’re unsure. Send it off to your IT team promptly. Always proceed with caution.
My team and I get phishing emails daily and it’s scary stuff. This is why we have certain protocols in place to mitigate the risks associated with phishing scams. We also use external email monitoring to indicate when a communication is EXTERNAL, even if it’s coming from a name you may recognize as a colleague.
At the end of the day, the onus is on the company to train its employees. We do seminars, web ex sessions, and social engineering tests across our team. We are sure to share the results so our team learns what the gaps are — and we all get better.
How can businesses ensure employees who bring their own device don’t compromise sensitive data/information by doing so?
The world is changing. Employees want to be able to use their own devices at work and companies want to ensure their employees have the necessary tools in place for them to do their job. So it’s important for organizations to have a device management policy, and a set of tools to help manage both corporate assets and employee personal assets. You have to take a data-centric view of security, not a device-centric view of security.
If an employee leaves, or if an adversary gets a hold of a device, can your IT team provision the data on the device? Businesses need to be very focused on controlling the data by answering some key questions: Who has access to what? Why do they have access to it? What can they do with it? Can we easily remove this data?
Ensuring remote access to wipe or contain a device is critical.
What are the major benefits of using privileged access management (PAM) solutions for a business?
Here’s the thing: Almost all security breaches by outside attackers (vs. insider threat) involve a form of escalating access management. Hackers get in through a back channel, find the vulnerability that allows them to escalate their privilege into your network, and then start moving their way laterally through the organization until they find something specific about you. That’s how it almost always works.
We need to prevent this chain of events from happening. A hacker might be able to “upgrade” a normal user role to a system administrator, but without a PAM capability, they will not be able to gain access to the actual data — or the “crown jewels.” Having the ability to prevent this chain of events is why a PAM solution is critical.
The future of critical security controls will all be centred around identity. Think about it, we don’t keep data in our own little network anymore. Data is everywhere and in order to protect the data, we need to be able to map out privileged access policies, and tool deployment to support. A strong Identity practice is the foundation of security control.
What digital security risks are small- and medium-sized businesses more at risk for than their larger counterparts?
First of all, cyber threats don’t discriminate based on the size of a business. However, what does differ is the organization’s ability to respond to the threat. It’s much harder for small/medium-sized businesses to prevent, detect, and respond to a cyber attack.
Just like in the physical world, the enemy will typically go after the softest target first. This is in part because small/medium-sized businesses generally don’t have the sophisticated technologies enterprise businesses have. Look at ransomware, we have seen attacks in smaller individual hospitals across the nation that have disrupted hospital operations. It all comes down to response — how is a small/medium-sized business responding to threats and, more importantly, how much are they preparing for a possible threat? Can they keep up with compliance requirements? Hire staff? Engage experts?
Smaller organizations often think they’re immune to cyber attacks because there are bigger fish to fry but they couldn’t be more wrong. Small/medium-sized businesses need to cover the basics in terms of security control, and engage a partner suited to their size and maturity to help outsource the coverage.
How can small businesses using cloud computing solutions ensure their data is secure?
One of my colleagues always says when using cloud solutions, you need to BYOC — Bring Your Own Controls. It’s important to know the cloud is just someone else’s computer and that you are still responsible for securing your own data. Full stop.
No matter the size of business — you need to make sure your security defences are in place. Moving to the cloud does not eliminate the need for good security practices.
What is the most important first step when you realize your computer has been infected with ransomware?
The most important step happens way before an infection happens. Making sure you have the necessary tools in place to get back to normal operations is the most critical action — starting with having good backups of your critical assets, and having an incident response and remediation partner on retainer.
That being said, when you realize ransomware has infected your computer, the first step should be to immediately segregate that device from the rest of the corporate network so the infection doesn’t spread. The next step is to call your incident response partner so they can jumpstart the remediation process.
The risk of a business being shut down in operations as a result of a ransomware attack is very high, especially for a small business, and especially for one that doesn’t have the necessary backups. Without a backup program in place, it could be difficult to get back to normal operations.
What are the biggest trends in digital identity right now?
PAM for sure, but there is also a move toward two really interesting concepts — no passwords and zero-trust.
No passwords is the concept of identity authentication using biometrics or multi-factor authentication.
Let’s break it down into three types of security measures:
- Something you know, like a password
- Something that you have, like a phone
- Something you are, like a fingerprint or facial recognition – most commonly referred to as your biometrics
Passwords can easily be compromised through sheer guesswork alone, but it can be much harder to steal a phone or crack through biometric security. Although there will always be a way to hack into an account, moving toward a no-password philosophy is a great starting point for securing digital identities.
We are also moving in the direction of organizations using zero-trust policies. Traditionally, organizations assumed everything “inside” the network could be trusted implicitly. So if a cyber incident occurs, organizations only consider external threats, not internal. However, with the increasing rise of malicious insider threats, organizations can’t just implicitly trust the internal assets.
By establishing zero-trust policies, organizations adopt a “never trust, always verify” nature so both external and internal threats are scrutinized. This works hand-in-hand with PAM solutions because a big part of PAM is that, for any particular data asset, only employees that require access are able to do so.
What are the major ways in which you’ve seen digital security evolve throughout your career as a businessman? In this constantly evolving digital landscape, how can businesses ensure they are keeping up-to-date with their own digital security?
We’re consistently seeing that security decisions are no longer being driven solely by the IT team. Often times, we are seeing business stakeholders, like board members and the C-Suite, driving these security decisions. They realize how cybersecurity can impact everyone in the organization, so the accountability is on everyone, not just the IT team. This is why it’s always important to review your technology stack, and see how it aligns and supports all functions of the business.
Secondly, using identity as a service has become a hot topic for enterprises. This means extending identity management outside of the office walls by enabling employees to seamlessly use one identity to gain access to everything the company does, such as a single sign on for your company CRM, HR platform, file share service, etc. This not only improves efficiency in provisioning but helps the employee by simplifying their access experience.
Are there any industry blind spots of which people should be aware?
IoT (Internet of Things) is still a big blind spot and the manufacturers are trying to catch up. We are used to thinking of IoT devices on a much smaller scale, such as home security systems, smart thermostats, or smart appliances. However, we need to think bigger.
Consider all the small machines that are connected to a network as part of a big control system — like a power grid. If a threat actor can access any part of that network, they can essentially bring the whole control system down. We’ve already seen this happen a few times in the past and I have no doubt we will continue to see cyber criminals target organizations that are a part of a nation’s critical infrastructure if these organizations don’t catch up.
Given your expertise in this space, what is the greatest piece of advice you have for a CEO looking to secure their company assets?
Focus on the data and understand it’s not an infrastructure issue but a data protection issue. CEOs and their security leaders need to align on what their companies’ crown jewels are, and then determine the best way to protect them. It’s shocking to me that many organizations still don’t know what their crown jewels are. Often there is a disconnect between the security team and the organization’s overall business function.
The most important thing a CEO can do is ask their security leader some really simple questions:
- What are the crown jewels for the company?
- How are we protecting them?
- What would the impact be to the company if they were compromised?
- What is the company’s business strategy?
The last question is the most important because, if the security leader does not know what the business strategy is, then they can’t integrate their security plan with the overall business strategy to be successful. As a security practitioner, you have an obligation to the organization to connect the dots between each critical question and make sure it always leads back to protecting the crown jewels.
Originally posted on futureofbusinessandtech.com