The Wavelength: Security and Compliance

The security and compliance landscape keeps getting tougher. We asked experts from all around the industry for their thoughts on security and compliance issues.

Wavelengthpanel-0521

How do you prevent security breaches due to employees using their own devices and/or cloud storage?

Roz Ho: Visibility, for starters, is king. Without visibility, you are extremely handicapped in what can be done, seen and prevented. Couple this with the acknowledgment that there really is no “perimeter” anymore and everything is accessible everywhere, focus on getting visibility where you need it and an extra level of authentication/access control to sensitive areas. Automation frameworks, especially in the cloud, are huge tools for being able to proactively get ahead of problems (e.g., detecting a misconfiguration in a cloud instance that could open up critical data).

Ryan Walsh: The ability for employees to use their own devices allows them to stay connected and agile and also sustained many companies over the last year. If not properly secured, it also creates opportunities for data breaches. Fortunately, there are several ways to secure devices and data effectively. Requiring employees to use an industry-leading virtual desktop, applying firewalls, and deploying multifactor authentication (MFA) enables secure work and prevents unauthorized access to company data and portals.

Employees should also be careful when accessing the internet and understand the dangers of public Wi-Fi. Public Wi-Fi presents additional threats and requires extra steps to protect employees in that environment. Companies should establish a virtual private network (VPN) to keep internet traffic confidential and turn on email encryption, ensuring only intended recipients view emails. Additionally, they should ask employees to use a personal mobile hotspot when working in public places to guarantee private and secure access.

While surveys indicate that about two-thirds of companies have formal cybersecurity policies and procedures in place, two-thirds of those firms have said those steps have proven to be only moderately or slightly effective, or not effective at all. How can you create an effective cybersecurity policy?

Randy Anderson: We’ve recently been working with quite a few clients in the SMB segment who do not yet have a comprehensive set of written information security policies. Often there are partial policies embedded in the employee handbook, which in many cases are in need of review and updates. Writing and implementing information security policies can be a daunting task. We take a very collaborative and educational approach to policy writing so our clients have a forum to ask questions and truly understand the intent of the policies and arrive at a state where the policies are compliant, secure, relevant, and achievable. 

Creating the policies is only the first step, though. A critical step that is often overlooked or underestimated is to implement an effective means of disseminating and training on the policies. There has to be support and oversight for this process. An effective method that we’ve employed is to form a security policy committee with representation from business leadership, human resources, and information technology. This group is responsible for selecting a method or tool for policy distribution and reviewing compliance.

Ho: Accountability is important to ensure an effective cybersecurity policy. Employees need to feel accountable for helping to ensure cybersecurity protections. Training employees is a critical part of cybersecurity policies since a cyberattack can occur because of one simple mistake or error that an employee makes. We have seen an unprecedented barrage of COVID-themed phishing attacks targeting remote employees. When writing a policy and training employees on the policies, there needs to be adequate information on the background for the policy, the employee responsibilities, and the consequences to the company of an employee not following the policy. Seeing examples of phishing attacks is one method of training that helps employees be on the watch for potential phishing attacks. But, policies aren’t enough on their own, you have to have detection and auditing enforcement — the more automated the better. Make sure your policies are appropriate for your enterprise and integrate with your existing workflow and don’t create additional work. The easier a policy is to “operationalize,” the more effective it will be.

What’s the best way for organizations to keep pace with rapidly changing compliance regulations? 

Bob Lamendola: The best approach is to assign one individual within the organization the responsibility for compliance. When this responsibility is shared amongst individuals or teams, there is a lack of consistency, connectivity and accountability to the specific requirements. By naming an individual to own the compliance program, there is a better chance of adhering to those changes as they occur rather than trying to learn about and catch up to them up over time. 

One of the more significant challenges in compliance management is the lack of a defined scope to which the compliance regulations are applied. By narrowing the scope for your compliance requirements to the specific needs of the business and clearly defining that scope, you enable the organization to have better control over the processes to meet those requirements and any changes. 

Walsh: Maintaining compliance regulations is a daunting task for a company of any size. Leveraging cloud technology designed specifically to help companies comply with those regulations streamlines the process and ensures they stay up to date. Advanced solutions help companies achieve internal compliance while also enabling them to satisfy the latest regulations. Clients can often tailor these solutions to their specific industries, such as medical, finance, or the government.

What are some of the newest ways you are seeing security breaches occurring within companies and what are you doing or can companies do to help stop those?

Anderson: Encrypting malware attacks have been increasing in frequency and impact over the past few years. The attackers largely focus on phishing attacks, credential harvesting, and email account takeovers in addition to exploiting a handful of technical vulnerabilities. My strategic advice is to stay current with the newest threats, perform regular vulnerability and risk assessments, have a Defense In Depth (DiD) strategy that is regularly reviewed and updated, and implement a vulnerability management program. On the more immediate, tactical side of the equation, it is imperative to implement MFA right away if it is not already enabled, eliminate direct Windows Remote Desktop Services (RDS) access through the firewall, establish a regular patching cycle for all systems, and implement effective endpoint and network detection, monitoring and response tools. For M365 administrators, schedule some time to regularly review your Microsoft Security Score and plan to take actions to improve your score over time. Test your backups regularly and ensure that they are complete and restorable and that you have offline or immutable copies of the backup data.

Corey Nachreiner: Though not new, authentication attacks have become a daily occurrence that fuel data breaches, often through RDP and VPN connections, or other network and cloud services exposed for home and remote workers. 

 Cybercriminals have found incredible success using the troves of stolen usernames and passwords available on underground forums to compromise organizations using password spraying and credential stuffing attacks. These attacks take advantage of the fact that many users still fail to choose strong and unique passwords for each of their individual accounts. Just look at the dark web and the many underground forums. There are now billions of usernames and passwords from various breaches, widely available, with millions added every day. These databases, paired with the ease of automating authentication attacks, means no internet-exposed service is safe from cyber intrusion if it isn’t using MFA.

Authentication is the cornerstone of good security, and MFA means users must provide at least one additional token on top of their password to log into an account. These authentication tokens are typically something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token. It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users.

Walsh: We are seeing a common trend in breaches with on-premise servers, such as the Microsoft Exchange hack earlier this year. When software companies create updates to fix security gaps or bugs, on-premise servers must be manually updated, taking days in some situations. The company is exposed to threats and breaches until it completes the updates. Migrating to the cloud prevents this type of security breach and eliminates the need for manual updates. When technology companies perform fixes to gaps and vulnerabilities, cloud software users receive an automatic update. These clients experience real-time enhancements that remove the manual process and secure them with the latest protections.

What are your best tips for smaller companies without massive resources to help them stay secure?

Anderson: Smaller organizations often don’t have the staff or budget to implement a full-scale information security program. Recognizing that budget, time, and separation of duties are major constraints for small organizations, I believe that the best approach is to begin with a comprehensive, risk-based assessment that addresses administrative, physical, and technical controls and then make informed decisions and prioritize resources and budget based on the data. The work of building or improving an information security program and prioritizing the selection and implementation of the most needed and cost-effective controls can often take 12 to 18 months or more. Objectively analyzing the environment and building a plan based on prioritized risk is the only way to effectively allocate budget and human resources. This is something that can certainly be done internally, but it is often helpful to have the guidance of a Virtual Chief Information Security Officer (vCISO) to guide the process.

Ho: Especially for smaller, non-enterprise environments, multifunction products and tool suites are key. Buy laptops that have more security integrated. Buy printers with more security integrated. The more that you remove the human cybersecurity analyst as a bottleneck and roll out tools that act proactively/reactively/automatically, the more you can get done. 

Lamendola: With the advent of cloud-based security services, it has never been more possible and feasible for even the smallest companies to plot a security strategy and roadmap. Every organization, small or large, can adopt a depth in defense – or a layered approach to security – enabling them to protect their organizations from the outside in. The best approach to comprehensively address security is to start with the perimeter, move to the platforms, reach into the endpoints and, ultimately the data. Supporting this approach with a well-defined security policy and ongoing security awareness training can make a significant impact. 

From a cost perspective, as-a-Service or subscription-based security services offer an effective entry point for all organizations. You can consume security services on a per user, per device or per location basis, enabling control over costs as you layer in additional security capabilities.  

Nachreiner: Outsource it! Many small and medium sized businesses can’t afford to keep a large IT staff, let alone hiring a security-specific staff (assuming you could even find them during the current cybersecurity skills shortage). Often, these SMBs will outsource their IT to a managed services provider (MSP) who can take care of IT infrastructure for them so they can focus on their primary business. These MSPs also offer managed security services, or you can even find focused managed security service providers (MSSPs) to whom you can outsource your security needs.

If you can’t outsource security for some reason, I would focus on really getting the basic best practices right and leveraging consolidated security solutions that give you many security controls in one place. For instance, MFA and patching both have high ROI. With most technical attacks leveraging old issues, simply getting basic patch management right will have a great return on your defense and it doesn’t require security experts to do. With most compromises involving lost or stolen credentials, deploying MFA to all employees is a simple action that gives a big return. Finally, many products like unified threat management (UTM), next generation firewalls (NGFW), and full endpoint protection (EPP) suites consolidate many security layers in one easy to manage product. Look for these consolidating technologies to make security easy if you don’t have a lot of resources or staff. 

Walsh: Smaller companies needing to secure their technology should reach out to an IT provider in their area. These are experts with the knowledge, capabilities, and resources to establish a comprehensive security solution that keeps companies and data safe. Through technology that detects potential threats, creates firewalls, and encrypts emails, these IT professionals improve their clients’ security posture. They are often small businesses themselves who understand the security needs and offer pricing options for all company sizes.

Do you worry about data center security?

Lamendola: In many ways, data center security has reemerged as a primary area of focus. Although many organizations have moved to cloud computing, these cloud environments are still hosted in physical data centers. By extension, their security procedures, policies, and methodologies extend into the physical data center. Assuming a zero-trust mentality, it is no longer acceptable to simply ask data center providers about their security capabilities. You must inspect, review, and verify security regularly. If you’re using a third-party cloud security environment, which is likely, that information should be readily available. You must ask the security questions of those providers, take responsibility for their processes, and hold them accountable for their commitments. 

What are your thoughts on cybersecurity insurance?

Anderson: Cybersecurity insurance is an absolute requirement given the risks that exist in the modern computing era with its emphasis on mobility and cloud computing. We’re seeing evidence that the insurance underwriting standards are becoming more stringent and that the insurance industry is doing its part to educate its clients and raise the standards. As with any type of insurance, shop around and get educated and make sure that you understand the policy limits and how they apply to the restoration of your IT environment. 

Nachreiner: I highly support cybersecurity insurance as another layer of your security strategy. It does not replace the technical security layers you need to protect yourself from a cyberattack (in fact, some insurers will want to check that you have those layers to give you the best price) but it does help when you suffer a security incident. When talking about security incidents, experts have always said, “It’s not a question of if, but when.” No matter what your organization is, or how good your defenses, you will one day suffer a cybersecurity incident of some sort. Even less severe ones can cost money, and the most serious ones can rack up millions in losses. It can definitely help to have insurance to cover those losses. 

Note, while often optional, cybersecurity insurance can also include “extortion insurance” add-ons. I also believe this add-on can be useful. Personally, I never believe in paying the ransoms for ransomware. It just ensures the criminal business stays highly profitable, causing it to continue. Furthermore, with proper backups and a business continuity and disaster recovery plan, businesses should be able to survive these ransomware attacks.  

That said, I understand that not all businesses are perfect, nor do they all have the right plans or backups in place. If you’re a hospital and need access to imaging data or allergy data to operate on a patient, but can’t recover your data, ransomware becomes life and death. Having extortion insurance at least covers you for some of these damages if you have to pay. That said, I do believe the extortion insurance side of cybersecurity insurance is ultimately shortsighted and will cost more for insurers due to the rise in ransomware and extortion requests. In any case, the normal cybersecurity insurance is well worth its cost. 

Cybersecurity insurance is not for everyone. There are many factors that need consideration, including the sensitivity of the data you are protecting, the industry you work in and the size of your revenue stream. Once you have determined that cyberinsurance is for you, be sure to hire a seasoned insurance broker with cyberinsurance experience. Cyberinsurance does not make up for sloppy security practices, but is a powerful piece of a comprehensive plan to mitigate risk and defend against cyberattacks.

How has the remote workforce and the increased dependence on the cloud affected your customers’ security and/or created additional needs?

Anderson: The rise of mobility and cloud computing has permanently changed the dynamics of information security over the past few years, and the rapid increase in work from home initiatives over the past year have reduced the effectiveness of traditional perimeter-based solutions. The corporate network is now everywhere and nowhere. Effectively managing this reality requires updated policies, procedures and technical controls that include mobile device management solutions and Endpoint Detection and Response (EDR). End user security awareness training also needs to be updated to reflect the new risks.

Many organizations did what was necessary and expedient over the past year to enable their employees to work from home and haven’t revisited their policies and technical controls. There is an opportunity now as organizations permanently move toward work from home or hybrid models to spend some time and budget addressing security in the home office and updating their policies and technical controls to better reflect the new world.

Ho: The pandemic has shifted work to home and exposed new vulnerabilities of using personal home equipment to complete work tasks, and by companies rushing their digital transformation of workflow to the cloud in order to keep workers working. These two factors have poked gaping holes in what used to be a very secure and controlled line of defense for work. There are increasing concerns over the security and privacy of growing data lakes of individual, small business, and corporate information which could include consumer data, business data, channel partner data. With increased cloud usage, and more work being done remotely from a mix of company and personal devices, it’s important to have multiple depths of authentication, as well as the need for data classification, persona development, and foundational pieces that support a zero trust future.

Walsh: The urgent need to work remotely accelerated the demand for cloud technology and enhanced security solutions. We experienced a dramatic increase in cloud security adoption and usage over the last year as our partners secured their clients’ virtual workplaces. Doing this also requires enabling the right capabilities and establishing correct user permissions. Providing employees role-based access to data, tools, and technology reduces the risk of exposure. Additionally, some security features may not be necessary for an office setting but are critical in a remote landscape. We focused on educating and enabling our partners on the applications and correct deployment of cloud security solutions during this time.

Ransomware – how do we deal with this exploding issue?

Anderson: We’re long past the point where the trusted old solutions are no longer adequate. While there is still a need for good firewalls and antivirus, these solutions are simply not enough to combat the current threats in the modern IT environment. Unfortunately, there is no single solution to the problem and end users have largely moved outside the control of the corporate firewall. Defense in depth, a long-held principle in cybersecurity, is still the best solution, but the solution set needs to expand to address this threat.  At a minimum, organizations need to implement MFA, EDR, Security Information and Event Monitoring (SIEM) solutions, vulnerability management, and effective end user security awareness training.  

Even with these controls in place, the number of servers affected by malware due to the recent Microsoft Exchange server vulnerabilities has shown that companies that have taken a proactive approach to managing vulnerabilities and that have done everything else correctly still have a need for an incident response plan that has been updated and tested on a regular basis.

Lamendola: With ransomware, the threat actors are after the data, therefore, the best defense against ransomware is an extreme focus on protecting data. While there are several other security measures that can and should be taken, having effective and verified data backups is the number one priority. Taking a multi-layered approach to data protection is equally important to helping ensure that the capabilities are functional, effective, and scalable. 

Beyond protecting data, it is extremely important to try to ensure all users are trained and tested regularly on how to detect and recognize potential phishing attacks. The best technology protection in the world will be challenged to protect against a mistake made by an end user. Therefore, all appropriate security technology must be deployed, and end users must be educated about security compliance to holistically protect against ransomware. 

Nachreiner: To beat ransomware, we need to stop paying, period. That is really the only thing that will make it stop, in my opinion. If an attacker can make $5 to $50 million from a business by infecting it with ransomware, they will continue to do so. If we don’t take away their source of profit, or make it far too expensive for them to do this kind of attack, it will continue to impact businesses.

So, how do we make sure we don’t pay? Businesses need to actually do the well-known and recognized preparation and remediation best practices security experts have recommended for ages: backup and business continuity and disaster recovery (BC/DR) planning. It sounds simple because at a high level it is. However, in practice, these two simple-sounding things are indeed quite hard to execute correctly. Backup becomes very complex when you think of larger organizations with data at the office, in the cloud, and on remote devices. You also need to store that backup in more than one way, with redundancy, to protect the backup itself. Then you need to ensure restores are also smooth and quick as well. BC/DR planning isn’t necessarily hard, it’s just more work for some unclear future event that may or may not happen. When businesses and IT departments have hundreds of things to do, spending the time to plan how your business will digitally recover from a disaster that may never surface can feel like a waste of time. It is not. When a disaster does strike, that planning can make all the difference. Human nature often causes us to put off this sort of proactive remediation planning, but we must overcome that tendency and perfect these two security strategies. If you can get backup and BC/DR right, ransomware will not affect you.

Prevention is still very important, too, and many companies can do more to prevent evasive ransomware. Basic anti-malware protection is no longer enough to catch the morphing ransomware we see today. You need the more sophisticated behavioral or machine learning-based anti-malware solutions available now. Our research has found that between one-third and one-half of all malware attacks use evasion or obfuscation techniques to bypass traditional, signature-based antivirus solutions. Without more proactive anti-malware, modern ransomware could skirt right past your defenses.