The Set & Forget Myth: Why Your Security Posture Can’t Be Forgotten About
Joshua Skeens, CTO, October 30, 2019
Cybersecurity isn’t something that can be approached with a “set it and forget it” attitude. Unfortunately, too many companies get bogged down with their daily operations and lose sight of their overall security posture, leaving themselves vulnerable.
Cybersecurity needs to be approached proactively, not reactively. A reactive approach means that problems are only addressed, and audits are only completed after an incident has occurred, while a proactive approach means that issues are flagged and vulnerabilities are patched before potential problems arise.
In this article, we will discuss some things your organization should be doing to avoid the “set it and forget it” trap, and approach cybersecurity with a proactive attitude.
Why Do Cybersecurity Systems Need Monitoring?
It isn’t enough to simply buy and install the latest and greatest cybersecurity hardware or software. When it comes to cybersecurity, there is no silver bullet. Once you have your hardware and software installed, you need to be monitoring your internal networks and cybersecurity systems and promptly address any potential issues that they flag.
Hardware and software are just tools, and those tools are only effective when used correctly, kept up to date, and monitored regularly.
What Can I Do to Improve My Organization’s Cybersecurity Posture?
Make Cybersecurity a Top Down Initiative
It’s one thing to tell your employees that following good cybersecurity practices is important; it’s another thing to teach your employees why these practices are in place, what they do, and why the company’s security depends on having employees follow these best practices and identify and report suspicious activities.
It’s vital that all employees, from the interns to the CEO, understand why cybersecurity practices are in place, what role they play in safeguarding your organization’s digital assets, how to recognize suspicious behavior, and who to report suspicious activities to.
Not all organizations are large enough to support an in-house cybersecurity team. That’s where Managed Security Service Providers (MSSPs) come in. A good MSSP can provide your organization with 24/7 monitoring, up-to-date information on potential threats, and access to trained cybersecurity experts, all for a fraction of the cost of employing an in-house team. However, even if you choose to outsource your cybersecurity to an MSSP, all employees still need to understand why cybersecurity is critical and how their actions can either contribute to, or detract from, safeguarding the company’s digital assets.
Provide Regular Cybersecurity Training
All employees should go through security awareness training, and not just when they start with the company. Bi-annual training days ensure that employees thoroughly understand any new protocols that have been enacted and why it is critical that they follow them. Bi-annual training also gives your employees the opportunity to ask questions and better understand why protocols are in place.
Employees need to understand that cybersecurity isn’t something that “the IT people,” the MSSP, or anyone else is responsible for. Cybersecurity is everyone’s responsibility.
Cybersecurity software is continually updated to adapt to new threats and provide better security. These regular training sessions give your employees the chance to be brought up to date on any changes that have been implemented.
Perform Regular Audits
Regular audits ensure that your current practices are up to date, that critical data is properly backed up, that all software is up to date, and that dormant user accounts are deleted.
Twice per year, all your employees should be provided with cybersecurity training. If you choose to outsource your cybersecurity to an MSSP, you should consult them about what this training should include and see if they are willing to conduct the training.
As part of this training, you may want to consider running mock social engineering tests and tabletop scenarios. Social engineering involves tricking someone into either divulging personal information (such as a username or password) or taking an action (such as clicking a link or opening a malicious file). Mock social engineering tests, such as sending out fake phishing emails in an attempt to get your employees to hand over sensitive information, are a great way to test the efficacy of your cybersecurity awareness in a no-risk scenario. They can also help you identify which employees may need additional training.
Tabletop scenarios are similar to fire drills. You present your employees with a hypothetical cybersecurity incident, and using their knowledge and your current protocols they craft a response. Once the scenario is finished, your cybersecurity team can review how the company responded, identify any weak spots in your existing protocols, and adjust your protocols accordingly.
Even the best-laid plans aren’t useful if they are out of date. All cybersecurity documentation (including incident response plans and business continuity plans) should be reviewed quarterly. This should ideally be completed right before your bi-annual employee cybersecurity training so that your employees can be made aware of changes and updates almost as soon as they happen.
By scheduling this quarterly review right before your employees undergo their bi-annual training, you also allow your employees to become intimately familiar with any changes and test any new protocols in a no-risk scenario so that any problems can be addressed as soon as possible.
All user accounts should be audited monthly. This ensures that any stale (inactive) user accounts can be appropriately shut down. You can avoid having stale accounts on your systems by having your IT department work with the HR department to ensure that the accounts of offboarded employees are shut down.
User logins and other network traffic should be monitored daily. This helps your cybersecurity team flag suspicious activity more quickly. If you know Sally from accounting is currently on vacation in Tahiti, then your team knows that the person attempting to log in to your servers at 2 am, using her credentials, from an IP address in Oregon is probably not Sally. If your organization wasn’t monitoring user logins, you may never have realized there was anything suspicious about this login attempt, or that Sally’s credentials had been compromised.
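The monthly account audit and the daily login review described above come down to joining the authentication log against what HR knows about each person. The following is an added example, not code from the article or from Cerdant: the auth log lines, the roster, the business-hours window and the 90-day staleness threshold are all constructed, and the log field layout (timestamp, user, result, region) is an assumption. It flags the "Sally on vacation, 2 am, from Oregon" pattern, logins against offboarded accounts, and accounts that have gone quiet.

```python
"""Flag suspicious logins and stale accounts by joining an auth log against an HR roster.

Added example (not from the original article): the log lines, roster and
thresholds are constructed, and the log field layout is assumed.
"""
from datetime import datetime, timedelta, timezone

# Constructed HR roster: employment status and the region the person normally works from.
ROSTER = {
    "sally": {"status": "on_leave",   "home_region": "Ohio"},
    "bob":   {"status": "active",     "home_region": "Ohio"},
    "carol": {"status": "terminated", "home_region": "Ohio"},  # offboarded, account never removed
    "dave":  {"status": "active",     "home_region": "Ohio"},
}

# Constructed auth log, one event per line: "<UTC timestamp> <user> <result> <region>"
AUTH_LOG = """\
2019-10-28T09:02:11Z bob success Ohio
2019-10-29T02:04:37Z sally success Oregon
2019-10-29T03:15:02Z carol failure Ohio
2019-10-29T10:30:00Z bob success Ohio
2019-10-29T23:45:12Z bob success Nevada
"""

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC is treated as normal (assumed)
STALE_AFTER = timedelta(days=90)     # monthly audit threshold for inactive accounts (assumed)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, region = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "result": result, "region": region,
        })
    return events


def flag_logins(events, roster=ROSTER):
    """Return (user, timestamp, reason) tuples for login events that deserve a human look.

    A login against an offboarded, on-leave or unknown account is flagged on its own;
    weaker signals (odd hour, unexpected region) are only flagged when they coincide.
    """
    findings = []
    for e in events:
        person = roster.get(e["user"])
        reasons = []
        if person is None:
            reasons.append("unknown account")
        elif person["status"] == "terminated":
            reasons.append("account belongs to offboarded employee")
        elif person["status"] == "on_leave":
            reasons.append("employee is on leave")
        if person and e["region"] != person["home_region"]:
            reasons.append(f"unexpected region {e['region']}")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        hard = any(r.startswith(("account belongs", "employee is on leave", "unknown")) for r in reasons)
        if hard or len(reasons) >= 2:
            findings.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return findings


def stale_accounts(events, roster=ROSTER, now=None, stale_after=STALE_AFTER):
    """Return (user, reason) for accounts that the monthly audit should disable or remove."""
    now = now or max(e["ts"] for e in events)
    last_seen = {}
    for e in events:
        if e["result"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    stale = []
    for user, person in roster.items():
        if person["status"] == "terminated":
            stale.append((user, "offboarded but account still exists"))
        elif user not in last_seen or now - last_seen[user] > stale_after:
            stale.append((user, "no successful login in the review window"))
    return stale


if __name__ == "__main__":
    evts = parse_log(AUTH_LOG)
    for finding in flag_logins(evts):
        print("REVIEW:", *finding)
    for account in stale_accounts(evts):
        print("STALE: ", *account)
```

Two design points worth noting: the HR status is the strongest signal, because it is the one the attacker cannot see from the outside, and a single weak signal (one late-night login) is deliberately not enough to page anyone, which keeps the daily review from drowning in noise.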
You should also be backing up critical data daily, and reviewing the data to ensure it is backed up properly. If an incident does occur and all else fails, you can always restore your data from a backup. Having backups not only ensures that most, if not all, of your data can be recovered, but it also helps you get back up and running as soon as possible after an incident. However, you need to check that the data is being backed up properly. Depending on how much data you generate, and how much it changes from day to day, you may want to be checking these backups on a monthly, weekly, or even daily basis.
During the Employee Onboarding Process
All new employees should undergo cybersecurity training as part of their onboarding process. This ensures that they are familiar with your protocols, understand how to identify suspicious activities, and know who to report suspicious behavior to.
During the Employee Offboarding Process
When an employee leaves the company, their login and other credentials must be removed from the system. This ensures that their credentials can no longer be used to access private information or systems. Dormant accounts may be targeted by cybercriminals looking to gain access to your organization’s systems or be used by the former employee.
Why Set it and Forget it Fails: Case Studies
In 2013, Target experienced a breach that compromised the personal data (including names and credit card numbers) of millions of their customers. Though Target had systems in place to alert their security team about the suspicious activity, either no one reviewed the details of that activity, or no one went back to review how their cybersecurity systems were configured. As a result, nearly 40 million Americans had their personal data stolen, which thieves used to create counterfeit credit cards.
In this case, not only were the systems in place not monitored closely, but additional safeguards weren’t in place either. Organizations need not only to layer their cybersecurity defense systems, but also to monitor those systems closely and listen to what the alerts are telling them. Like a home security system, an alarm is only useful if you pay attention to it when it tells you that someone just opened your front door, even though you know that no one is home.
Cerdant worked with an organization a few years ago that had taken a “set it and forget it” approach to their cybersecurity. Their organization had an unpatched server that was open to the internet, and cybercriminals were able to exploit that vulnerability and gain unauthorized access to their systems. After the incident, this company reached out to us to audit their current cybersecurity practices and take a look at their environment to see what had happened.
How Did Cerdant Solve the Problem?
We were able to identify the vulnerability and determine that it was caused by an improperly configured firewall. Had the firewall been configured correctly, the attack would likely have failed. To make matters even worse, the company hadn’t been regularly checking their data backups, so when they went to restore their data, they discovered that several years of data had been lost. This occurred because a new administrator had changed where the files were stored on the server but had failed to communicate this, so the backups were never switched over to the new location.
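The failure above (the backup job kept copying the old location after the files moved) is exactly what the daily and monthly backup checks recommended earlier are meant to catch. The following is an added example, not Cerdant's code or anything from the incident: it models a simple file-copy backup with a constructed temporary directory tree, and the paths, file contents and the 36-hour freshness limit are all assumed. It verifies the backup against the directory where the data actually lives, not just against what the job was configured to copy, and reports a source that has gone empty as a problem rather than a clean run.

```python
"""Verify that a file-copy backup still covers the live data and is fresh.

Added example (not from the original article): the directory layout, file
contents, paths and the freshness threshold are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 36 * 3600   # a daily backup older than ~1.5 days is late (assumed policy)


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(live_root, backup_root, now=None):
    """Return a list of human-readable problems; an empty list means the backup checks out."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    now = time.time() if now is None else now
    problems = []
    if not live_root.is_dir():
        return [f"configured source {live_root} no longer exists"]
    live_files = sorted(p for p in live_root.rglob("*") if p.is_file())
    if not live_files:
        # The silent failure mode: the data moved and the job is faithfully copying an empty tree.
        problems.append(f"source {live_root} contains no files")
    for lf in live_files:
        rel = lf.relative_to(live_root)
        bf = backup_root / rel
        if not bf.is_file():
            problems.append(f"missing in backup: {rel}")
        elif sha256_of(bf) != sha256_of(lf):
            problems.append(f"content mismatch: {rel}")
    if not backup_root.is_dir():
        problems.append(f"backup location {backup_root} does not exist")
    else:
        newest = max((p.stat().st_mtime for p in backup_root.rglob("*") if p.is_file()), default=0)
        if now - newest > MAX_AGE_SECONDS:
            problems.append("newest backed-up file is older than the allowed age")
    return problems


def build_scenario():
    """Constructed scenario: data moved from data_v1 to data_v2; the job still copies data_v1."""
    root = Path(tempfile.mkdtemp())
    configured_source = root / "data_v1"   # what the backup job was set up to copy
    live = root / "data_v2"                # where the new administrator moved the files
    backup = root / "backup"
    for d in (configured_source, live, backup):
        d.mkdir()
    (live / "ledger.csv").write_text("2019-10-29,invoice,1200\n")
    (live / "report.txt").write_text("Q3 report, revised\n")
    (backup / "report.txt").write_text("Q3 report\n")   # copied before the revision, a week ago
    week_ago = time.time() - 7 * 86400
    os.utime(backup / "report.txt", (week_ago, week_ago))
    return configured_source, live, backup


def run_checks():
    """Run the verifier both against the configured source and against the live data."""
    configured_source, live, backup = build_scenario()
    return {
        "against_configured_source": verify_backup(configured_source, backup),
        "against_live_data": verify_backup(live, backup),
    }


def healthy_case():
    """Same live tree copied to a fresh backup location: verification should come back clean."""
    _, live, _ = build_scenario()
    fresh = Path(tempfile.mkdtemp()) / "backup"
    shutil.copytree(live, fresh)
    return verify_backup(live, fresh)


if __name__ == "__main__":
    for label, problems in run_checks().items():
        print(label, "->", problems or "OK")
    print("healthy copy ->", healthy_case() or "OK")
```

The point of checking against the live data rather than only against the job's configured source is that a job whose source directory has quietly emptied will report success every night; the freshness check catches the same thing from the other side, because nothing new ever lands in the backup location.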
Cybersecurity is complicated, with new threats appearing daily. Safeguarding your organization’s digital assets effectively can seem like a daunting task, but that’s where MSSPs come in. A good MSSP will provide you with 24/7 monitoring, help you craft robust yet flexible cybersecurity protocols, and stay up to date on potential threats and attacks that could threaten your organization.