September 14, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Breaking down those “best practices” from ERISA (part 2)
Back in July, I started writing about the list of cyber security best practices released by the Department of Labor. I broke down the first three on the list in my July 20 newsletter, and I’m going to tackle four more today.
Clearly define and assign information security roles and responsibilities
Sure, small organizations don’t have CTOs or CISOs or even IT Security Directors, but there is still usually someone who is “responsible” for information security, whether voluntarily or by designation. What kind of information security “responsibilities” need to be assigned? Here are a few things that someone needs to maintain:
- List of active network accounts
- List of network/software permissions
- List of passwords for shared accounts
- List of access devices (keys, fobs, swipe cards, alarm codes, copier codes)
Part of your new hire onboarding procedure should include a form that defines what network/software permissions that person should have, what kind of access, etc. Part of your exit procedure should be revoking those permissions, closing those accounts, retrieving those access devices. I can cite dozens of cases where former employees have used their accounts for malicious purposes, and of course the recent big ransomware incident at Colonial Pipeline was due at least in part to a remote access account still active though no longer needed (and the password had apparently been stolen and leaked on the dark web).
Can you think of more things like this in your particular organization that could be managed a bit better?
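One way to turn those lists into a routine check is to reconcile the account inventory against the HR roster and flag what offboarding missed. The following Python script is an added example, not part of the newsletter or any product it mentions; the roster, the account records, the field names (owner_id, last_login, remote_access) and the 90-day idle window are all constructed assumptions for illustration.

```python
"""Reconcile an account inventory against the HR roster.

Added example (not from the newsletter). Flags three things the exit
procedure should have caught: accounts whose owner has left, accounts
nobody has used recently, and shared accounts with no named owner.
All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]      # HR employee id; None for shared "role" accounts
    last_login: Optional[date]   # None if the account has never been used
    remote_access: bool          # VPN / remote-desktop capable (assumed field)


# Constructed sample HR roster: employee id -> still employed?
ROSTER: Dict[str, bool] = {"e100": True, "e101": True, "e102": False}

# Constructed sample account inventory
ACCOUNTS: List[Account] = [
    Account("alice", "e100", date(2021, 9, 10), remote_access=False),
    Account("bob", "e101", date(2021, 5, 1), remote_access=True),    # unused for months
    Account("carol", "e102", date(2021, 9, 1), remote_access=True),  # owner has left
    Account("svc-backup", None, date(2021, 9, 13), remote_access=False),
]

TODAY = date(2021, 9, 14)  # fixed date so the example is repeatable


def find_orphaned(accounts: List[Account], roster: Dict[str, bool]) -> List[str]:
    """Accounts whose named owner is not an active employee."""
    return [a.username for a in accounts
            if a.owner_id is not None and not roster.get(a.owner_id, False)]


def find_dormant(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[str]:
    """Accounts with no login inside the idle window: candidates to disable."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a.username for a in accounts
            if a.last_login is None or a.last_login < cutoff]


def find_unowned_shared(accounts: List[Account]) -> List[str]:
    """Shared accounts with nobody accountable for them or their password."""
    return [a.username for a in accounts if a.owner_id is None]


def review(accounts: List[Account] = ACCOUNTS, roster: Dict[str, bool] = ROSTER,
           today: date = TODAY, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Run all three checks and single out remote-access accounts to disable first."""
    orphaned = find_orphaned(accounts, roster)
    dormant = find_dormant(accounts, today, max_idle_days)
    flagged = set(orphaned) | set(dormant)
    # A remote-access account that is orphaned or dormant is the riskiest finding
    urgent = sorted(a.username for a in accounts
                    if a.remote_access and a.username in flagged)
    return {
        "orphaned": orphaned,
        "dormant": dormant,
        "unowned_shared": find_unowned_shared(accounts),
        "urgent": urgent,
    }


if __name__ == "__main__":
    for category, names in review().items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

In practice the two inputs would come from an export of your directory or VPN user list and from HR, and the script would run on a schedule; the point is that "carol" (owner gone) and "bob" (remote access, idle since May) surface automatically instead of waiting for someone to notice.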
Have strong access control procedures
What does this mean? First of all, don’t just put all your data into a single shared folder that everyone can access. Think about “the need to know” – not everyone needs to know everything! Sensitive data in particular should have additional protections (separate passwords, for example, maybe multi-factor authentication (MFA)).
Have individual accounts for each user, with their own (good! strong!) password. Limit or eliminate shared “role” accounts that make it difficult to track activity to a particular person.
Protect cloud/managed assets
The full control states: “Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.” What does this mean?
Many people don’t think “hosted” or “managed” services could be in the Cloud, but they often are! Talk to your service providers about security options. Definitely require MFA whenever that’s an option. Ask about encryption. Is it possible to restrict access to your data only to your IP address(es)? Arrange for local backups of your data, rather than relying entirely on the service provider. Ask about their security policies, their incident response plan and business continuity plan. If your service provider loses everything to ransomware, so may you – and sometimes they just close up shop, leaving customers in the lurch.
Conduct periodic cybersecurity awareness training
Hey, they are singing my song! I firmly believe that effective training for employees is critical to protecting data in any organization. Remember, your employees are NOT the weakest link in your organization if they are properly trained – they are your last line of defense! When that brand-new malware sample gets past all your technical defenses and lands in an employee’s inbox, but that employee does not open that infected attachment or click on that suspicious link, that employee has just saved your organization from a potential data breach. Invest in employee training! Contact me to schedule!
What is your biggest security-related challenge?
I'd love for you to reply to this email with just one sentence, one phrase or even one word. What is your biggest security challenge? What do you worry about? What do you fear? What do you not understand? I'll tackle everyone's answers in future newsletters! I want to be sure that the information I'm providing each week is relevant to YOU.
Catch you again next week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺