The Wavelength: Security and Compliance

Security and compliance requires a lot of expertise and a lot of answers. We bring you both in this month’s panel.

What is the biggest compliance issue your clients are facing lately?

Chris Miller: Not fully understanding what they need to do in their environments. Compliance can change, and customers don’t know how, or understand who to turn to, to get the correct answers. Sometimes they don’t understand what is required to meet the compliance requirements or will not want to spend the money to meet the requirements.

Brent Riley: Most of our clients are very security conscious, so many of the basic issues are already addressed. They exert considerable effort to effectively and efficiently employ data governance. Knowing where sensitive and protected data lives, ensuring it does not move to areas it should not be, and making certain that only authorized personnel have access to it is a challenge. Add in the further layer of logging data access and interaction events to document compliance and detect anomalies, and the required tech stack can get very involved and expensive very quickly.

How do you prevent security breaches due to employees using their own devices and/or cloud storage?

Randy Anderson: Data is everywhere now, and a modern approach requires knowing where it is and who has access to it. Like many aspects of information security, this requires a layered, defense-in-depth approach. The first place to start is to draft policies that are easy for employees to understand and comply with. These policies should address acceptable use and bring your own device (BYOD) requirements for end users at a minimum, and they need to have some teeth when it comes to addressing noncompliance. Companies that use Office 365 and similar cloud solutions have a wealth of options that they can employ from a security, compliance, and data loss prevention standpoint, and these should be implemented to the extent required by written information security policies. Cloud storage services that are not approved by the organization should be blocked, but doing so is more difficult now that so many people are working hybrid and fully remote. An agent-based approach on the laptop is a must versus traditional firewall-only solutions. 

Drew Sanford: One of the ways to prevent security breaches due to employees using their own devices and/or cloud storage is to implement a BYOD policy that defines the rules and responsibilities for employees who want to use their personal devices for work purposes. Another way to prevent security breaches due to employees using their own devices and/or cloud storage is to use a cloud access security broker (CASB) solution that acts as a gatekeeper between the organization’s network and the cloud services that employees use. A CASB solution can enforce security policies and controls, such as authentication, encryption, data loss prevention, and malware detection, across multiple cloud platforms and applications; monitor and audit the cloud activities of employees and detect any anomalies or threats; and provide visibility and reporting on the cloud usage and compliance status of the organization.

While surveys indicate about two-thirds of companies have formal cybersecurity policies and procedures in place, two-thirds of those firms have said those steps have proven to be only moderately or slightly effective, or not effective at all. How can you create an effective cybersecurity policy?

Anderson: Let’s face it, creating, maintaining, and enforcing policies is not fun for most people. Policies alone will not keep an organization secure, but they are the rules for the game and a necessary component of a mature information security program and a well-run organization. They instruct employees, managers, executives, and IT folks on what the business expects. From there, people can make informed decisions about technology selection, use, management, and access. The most important advice I can give when creating policies is to make sure that they are easy to understand and follow. Whenever possible, state policy requirements and expectations in terms that are free of security and IT jargon. Also, make sure that your policies are reviewed and updated annually. We often see policies that are so outdated they still refer to things like dial-up modems and MySpace.

Jonathan Blakey: It’s a great question that I would challenge by saying that a written policy or procedure by itself does nothing to affect security. I’ve come across a lot of MSPs and companies out there that are using stock templates from their HR provider to meet some compliance requirement without actually making sure the procedures and policies mentioned are being followed. They never have had a conversation with the customer about it! How can a policy or procedure be effective unless it creates a change that makes a company more secure? I would argue it is more dangerous to have a policy that is not enforced than to not have one at all. So the way to create an effective cybersecurity policy is to start with basic cybersecurity defense, have monitoring in place to identify exceptions and events, and lastly, educate your customer on what they have, why they have it, and what their role is in making sure it is working. That information has to be shared and followed by all, and everyone should be encouraged to speak up when something isn’t falling in line with policy. Cybersecurity is everyone’s job.

Steve Inch: Formal cybersecurity policies are merely the first step in ensuring a corporate network and endpoint devices possess a secure posture in the face of the ever-evolving threat landscape. The efficacy of security policies is dictated by the actionable processes and procedures established by the organization and the implementation, monitoring, auditing, reporting, and refinement of internal processes and procedures to best manage people, technology, and processes required for an effective cybersecurity policy. Simply having a formal cybersecurity policy is not enough. Actionable steps taken to ensure implementation and education of end users/employees are vital to how well a cybersecurity policy is enforced and followed.

Riley: In order for a cybersecurity policy to be effective, it must realistically consider the Confidentiality, Integrity, and Accessibility (CIA) triangle. Most policies I’ve seen are well intentioned, but they are clearly written by a cybersecurity expert with their priorities in mind and skewed toward “confidentiality” and “integrity.” If a policy prevents employees from being able to effectively do their jobs, it has ceased to serve its function. My recommendation is to test a new cybersecurity policy with each department that it serves and address the “accessibility” issues as they arise so the policy can accurately reflect how it works in production and will be enforceable.

Sanford: I believe the question is very enterprise focused and is not truly indicative of the SMB sector. To create an effective cybersecurity policy, an organization needs to follow these steps: Conduct a risk assessment to identify the assets, threats, and vulnerabilities that affect the organization’s cybersecurity posture; define the objectives, scope, and roles and responsibilities of the cybersecurity policy, and align it with the organization’s mission, vision, and values; establish the cybersecurity standards, guidelines, and best practices that the organization will follow to protect its assets; implement the cybersecurity controls and measures that are appropriate for the organization’s risk profile, such as firewalls, antivirus, encryption, backup, and incident response; train and educate the employees and stakeholders on the cybersecurity policy and their respective duties and obligations; and monitor and review the cybersecurity policy regularly and update it as needed to reflect the changing threat landscape and business environment.

What’s the best way for organizations to keep pace with rapidly changing compliance regulations?

Riley: If an organization can afford it, having a fractional or virtual CISO or a Chief Compliance Officer is the best approach to ensuring that an entity remains compliant with all new regulations. If this is not feasible, then subscribing to online news feeds is a great way to be alerted when new regulations emerge so they can be reviewed and determined if applicable.

Sanford: Adopt a proactive and agile approach to compliance management. This means that organizations should: stay informed and updated on the latest compliance requirements and trends that affect their industry and region, and subscribe to relevant sources of information, such as regulatory agencies, industry associations, and compliance experts; assess and evaluate the impact and implications of the compliance changes on their business processes, systems, and data, and identify the gaps and risks that need to be addressed; plan and prioritize the actions and resources that are needed to implement the compliance changes, and allocate sufficient time and budget for the transition; communicate and collaborate with the internal and external stakeholders that are involved or affected by the compliance changes, such as employees, customers, suppliers, and auditors, and solicit their feedback and input; test and verify the effectiveness and efficiency of the compliance changes, and measure and report the outcomes and benefits; and continuously monitor and improve the compliance performance and maturity of the organization, and seek opportunities for innovation and optimization.

What are some of the newest ways you are seeing security breaches occurring within companies and what are you doing, or what can companies do, to help stop those?

Shivaun Albright: There are many ways that security breaches can occur in companies, but the following are probably the most prominent that we have seen: Social engineering attacks, which exploit human behavior to gain access to sensitive information. This would include phishing emails. Insider threats are also an issue where a disgruntled employee intentionally compromises a company’s security. Supply chain attacks are also occurring where a third-party vendor or supplier gains access to a larger company’s network.

Anderson: Phishing and business email compromise (BEC) attacks, by some estimates, affected over 85% of all companies last year. Email scanning services provide a partial solution, as do making sure that proper settings for email security protocols like DKIM, SPF, and DMARC are in place. Multifactor authentication (MFA) must be used, along with conditional access policies to limit the networks, devices, and geographies from which a user may log in. Yet all of these technical controls are meaningless if end users are not trained on how to identify and report suspected threats coming in via email. A recent trend that we are seeing is a high prevalence of phishing emails that are coming from other compromised accounts. Because they are coming from legitimate accounts, these phishing emails often fly under the radar of all of these technical controls and are successful in claiming a new victim whose account will, in turn, be used as a launching pad for additional attacks. End users are still the weakest link and the best defense against phishing and BEC. Effective end user training and education requires building a culture of security from the top down and implementing training programs, phishing simulations, and other security awareness techniques. It must be part of the day-to-day operation of the business and not just something that is talked about occasionally.
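Anderson mentions "proper settings" for SPF and DMARC without spelling out what that means in a record. The following added example (not from the panel or any vendor mentioned) audits constructed SPF and DMARC TXT records offline and flags the weak settings a defender would look for: an SPF record ending in `+all`, `?all` or `~all`, a DMARC policy of `p=none`, a partial `pct`, and a missing `rua` reporting address. The domain names and record values are made up; a live check would fetch the TXT records for the domain and `_dmarc.<domain>` over DNS.

```python
# Constructed sample TXT records for two fictional domains (not real lookups).
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-strong.test",
    },
}

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return a list of findings for an SPF record (empty list means OK)."""
    if not record.lower().startswith("v=spf1"):
        return ["missing or malformed SPF record"]
    mechanisms = record.split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all"):
        return ["SPF ends in +all: any sender passes"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): no enforcement"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): consider -all"]
    if last != "-all":
        return ["SPF has no terminal 'all' mechanism"]
    return []

def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means OK)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or malformed DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC has no valid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports")
    return findings

def audit(records):
    """Map each domain to its combined SPF and DMARC findings."""
    return {d: check_spf(r["spf"]) + check_dmarc(r["dmarc"]) for d, r in records.items()}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["OK"])
```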

Miller: Social engineering attacks are one of the newest, and companies can reduce risk by providing ongoing security training to all users that will be on the company’s network.

What are your best tips for smaller companies without massive resources to help them stay secure?

Albright: Ensure that all software, including antivirus and firewalls, is up to date with the latest security patches and updates. Set devices to automatic firmware updates as appropriate. Educate employees on how to identify and avoid common cyberthreats such as phishing emails and malicious links. Use strong, unique passwords for all accounts and enable two-factor authentication wherever possible. Limit access to sensitive data by only giving employees access to the data they need to do their job, and regularly review access permissions. Regularly back up data to a secure, offsite location to ensure that it can be recovered in the event of a cyber attack or data loss.

Blakey: Start with a solid foundation; the biggest impact items to cybersecurity are not that expensive or hard to administrate. Cybersecurity is most effective in layers and each layer (user, endpoint, network/edge, cloud (public internet)) should have advanced cybersecurity defense. For instance, with user-level cybersecurity, the most effective security tool is MFA. A study at the end of 2022 showed that only 26% of Microsoft 365 users had MFA enabled, but 99.9% of Microsoft 365 user breaches were on accounts where MFA was not enabled. MFA does not cost extra on Microsoft 365, nor is it particularly difficult to implement, so the excuse was that it is inconvenient or simply ignorance that it even existed. Currently, MFA is the biggest preventer of breaches once user passwords have been compromised.

In regard to endpoint security, a managed detection and response (MDR) security tool is paramount. This security tool utilizes AI heuristics (learning) and user behavioral mapping to identify never-seen-before threats and stop them in their tracks. Many MDR tools have a security analyst team that is monitoring and managing incidents and intervening if needed to stop an active attack. These tools are very cost effective but make a big impact on a company’s security stance, regardless of size.

Riley: Keep it simple! If you are a four-person optometry office, you do not need a web server or a database server. Utilize SaaS solutions for your electronic health records (EHR), employee payroll, email, and appointments. Host your website with a full-service hosting provider and ensure that MFA is utilized everywhere.

Sanford: Focus on the basics and essentials of security, such as patching, backup, antivirus, firewall, and password management, and ensure that they are implemented and maintained properly and consistently. Leverage the cloud and managed services that can provide scalable, flexible, and cost-effective security solutions and support, and reduce the burden and complexity of security management. Adopt a risk-based and prioritized approach to security, and identify and protect the most critical and valuable assets and data of the organization, and allocate the resources and controls accordingly. Empower and educate the employees and stakeholders on the security roles and responsibilities, and foster a security-conscious and responsible culture and behavior. Seek and utilize the security guidance and assistance that are available from the government, industry, or professional organizations, and benefit from the security resources and programs that are designed for small and medium businesses.

What are your thoughts on cybersecurity insurance?

Albright: Cyber insurance can provide a positive outcome to help mitigate the financial impact of a cyber attack, thus reducing the potential losses a company may face. In addition, many cybersecurity insurance policies can provide access to expert assistance in the event of a breach, helping companies respond quickly to cyber attacks. The downside of cybersecurity insurance is that it could give a company a false sense of security where the company becomes complacent and neglects cybersecurity best practices.

Blakey: Cybersecurity insurance has become a lot like health insurance in that the cost of cleanup and remediation has skyrocketed to a point that most companies cannot afford to not have it. The cybersecurity insurance industry as a whole is really just emerging from its infancy where it’s been very difficult for them to get actuarial data on what the risk was there, and therefore what premiums should be. The cybersecurity insurance industry lost its collective shirts in the earlier days because of more frequent and more expensive remediations than they expected, which has led to extremely strict underwriting practices, high premiums, and a lot of companies leaving the cybersecurity insurance category altogether.

The ones that stayed have been quick to deny claims when information on questionnaires has been proven to be incorrect or when exact remediation procedures have not been followed … which in some cases, has meant a company being unable to operate for weeks waiting on cleanup to start. There are some cybersecurity insurance companies that have figured this out and know what levels of security affect risk, but they are the exception right now, unfortunately.

Riley: As long as ransoms run in the hundreds of thousands or millions, and business interruption can cost even more, cybersecurity insurance is necessary for many companies to afford to respond to an incident and get operating again. Without cyber insurance, all but the largest companies could be catastrophically impacted by a common cyber incident.

How has the remote workforce and the increased dependence on the cloud affected your customers’ security and/or created additional needs?

Albright: The shift to a remote workforce has had a significant impact on security. It has increased the attack surface with more employees working from outside the corporate firewall and accessing company data and systems, which provides more opportunities for cybercriminals to exploit vulnerabilities. Storing data in the cloud can increase the risk of data breaches with an expanded attack surface. 

Anderson: While the cloud has brought vast improvements to the availability, stability, and security of IT, there is a misconception that simply because data is hosted in the cloud it is secure. The biggest counterpoint to this notion is that there is still a risk that data can be downloaded from these systems and stored in places it shouldn’t and shared with people who shouldn’t have it. Data and controlling access to data has to be the focus. 

Blakey: The remote workforce has changed the security landscape immensely because users are no longer guaranteed to be protected behind the “safe space” of a firewall on the company’s network. Access to company resources from the friendly neighborhood coffee shop is more common, leading to the concept of zero trust being more prevalent. Zero trust assumes that any company resource access should be authenticated and secured by user, regardless of location, which has led to the prevalence of identity management, access control, etc. 

Miller: It has widened the attack surface to any company that has remote workers and has email and/or is using the cloud. It’s no longer a single point of entry. We all have more data that is accessible. All of this accessible data requires more areas that need protection and tools that all companies should be investing in.

Riley: An unmanaged remote workforce is a huge risk, but once encrypted corporate laptops are used with installed monitoring and security software and connections to the corporate office are through an MFA-protected VPN, many risks are mitigated. Migration of services and resources to the cloud has generally been a good thing. It mitigates risks associated with disasters, allows for additional layers of security, and makes immutable backups a snap! The main issue I’ve encountered with cloud migrations is when the party performing the migration fails to configure security protocols or accidentally leaves data unsecured, which is easy to do when setting up cloud infrastructure. 

Ransomware – how do we deal with this exploding issue?

Miller: Best practice is to have a very good and robust backup solution along with tools that will notify the IT staff that there is a possible breach happening. 

Riley: I’ve been fighting ransomware since its inception and have been fortunate to be able to brainstorm with some of the top minds in cybersecurity over the years. My conclusion is that ransomware risk can be managed but not eliminated at our level.