The Wavelength: Security and Compliance

wavelength_1118Phishing. Ransomware. End users. The security threats facing today’s businesses are numerous, varied and increasingly harder to stop. Yet with the right information and plan, they can be mitigated and controlled. Do we need to live in fear in today’s volatile cybersecurity landscape? Our panel this month offers some solid advice.

There seems to be a new phishing attack coming out every day – how are you protecting your clients (internal and external) against these types of attacks?

Ryan Conlan: The phishing attacks have become much more common and our clients depend heavily on us to be an expert to adequately protect them. We take a multipronged approach by using a balance of technology and education, from services ranging from hosted email protection, managed endpoint security, remote monitoring, event monitoring and alerting, incident remediation, patching and managed vulnerability scanning to name a few. Our most notable components are the education of the end users with focused security training along with supplying world-class spam filtering.  User education seems to consistently have the biggest impact. We offer cloud-based end-user training through our partner KnowBe4, which allows administrators to track the progress of their employees’ security training and helps train end users to know what to look out for in a phishing email.  At the end of the day, all people need to double-check the sender’s email address to make sure it is not altered in any way, and if they suspect anything unusual to get their IT support involved.  This extends beyond the workplace and into our clients’ personal inboxes as well.

Tommy Gardner: We protect our clients against phishing attacks by providing complete security assessments and installing our equipment with built-in security measures. These security features, like malware protection, are built into the hardware and can automatically detect, stop and recover from attacks and corruption. Additionally, we offer protections that physically isolate each browser tab, downloaded PDF or document in a micro virtual machine (VM) to prevent web-based malware or email attachments from spreading to other connected devices on the network. These measures can protect clients internally and externally from malware, phishing attacks and other bad actors, going a step further than anti-virus software by embedding security directly into the hardware to prevent network corruption.

Bill McLaughlin: What we have done is create what we call our managed security suite, which is comprised of three different principles: User education, security information and event management (SIEM), and backup and disaster recovery. Within that managed security suite there are several different product offerings. User education is about creating awareness. Ninety-one percent of all phishing attacks get through the user community, so we perform mock phishing attacks without the user community knowing about them. We get the information back showing who clicks on what — essentially what bait they’re biting on — and then we provide training that is very general in terms of the cybersecurity landscape. We then tailor it more specifically toward the major gaps within their organization and their users. Additionally, there is a video the users are required to watch that ranges from five to 15 minutes, and when that’s complete, the users must test out of the training video. On a quarterly basis, we continue unannounced phishing attacks on the users, and if they click on something they’re not supposed to, a video or tutorial pops up taking them through what they did wrong and what they should have done. It creates ongoing awareness. I like to say we are creating end-user firewalls. Some other things that we do include multifactor or duo-factor authentication, making sure that firewalls are configured properly, that the switches are all configured properly, and that companies adhere to best practices. We restrict users from going to websites prone to having malicious content or malware. We don’t allow our users or their users to go onto any public-type emails like Gmail or Yahoo – if they want to access those types of emails they need to do it from their personal phone or tablet from a cellular data connection, and not a network connection within the organization.

Are you addressing GDPR compliance internally and/or offering services related to GDPR to your clients?

Conlan: We do have an internal GDPR team and we are addressing the GDPR regulation as a responsible global corporation. The GDPR gap assessments help our clients understand the regulation and what they are expected to do as a data processor or a data controller that works with personally identifiable information of EU data subjects. Our gap assessment helps firms comprehend and address the relevant issues that would keep them from being compliant and help them quickly identify and prioritize challenges and opportunities for improvement in their current processes and policies.

Eric McCann: Our devices are GDPR-ready, providing multiple, built-in security features allowing customers to meet several aspects of GDPR requirements. The security features are available across the entire product line and include access controls, audit logs and embedded OS protections.

What is the most common security weakness that you see in today’s business environment?

Stephen Cobb: Sadly, there are multiple security weaknesses that are common at companies today. Three that are top of mind right now are supply chain, remote access, and phishing – yes, it is still a preferred and effective attack vector for many criminals. Fortunately, there is plenty of information out there on how to reduce your organization’s phishing exposure. Likewise, the current trend of criminals spreading ransomware by compromising servers via Remote Desktop Protocol is readily addressable with technologies like two-factor authentication and VPNs. That leaves supply chain weakness as the most worrying because it comes in many flavors, from trojan code inserted in otherwise legitimate updates of business software to holes in the security of your vendors and suppliers that can be used as a conduit to breach your otherwise strong internal security. Use of the supply chain as an attack vector suggests criminal activities are maturing to stay ahead of company efforts to lock down their data and systems.

Conlan: The end users within organizations. The human element is still the weakest link in most businesses’ security. Most businesses have addressed infrastructure and software security, but many lack defined and documented security and/or password policies for their employees. Rarely do we see businesses without a firewall, anti-virus, anti-malware, spam filtering and physical security. What we do see is a lackadaisical approach where businesses do not require employees to take regular security training, nor do they test their employees on their learning to see if they actually put the training into practice. Password management needs to be in the form of a written policy followed by everyone, without exception. End users need to be educated on what their role is when it comes to security. A common misconception is that security is only handled by the IT staff. The reality is that security is the responsibility of everyone in the organization and they are all responsible for the part they play in securing their data.

Gardner: The most common – and overlooked – security weakness in today’s business environment is the office printer. Huddled in the copy room or relegated to a lone desk, unsecured printers are a weak link for attackers looking to gain access to an enterprise network. Today’s printers are connected devices, with internal storage and memory, and connected to the internet. Businesses need to treat printers as connected devices and implement endpoint security measures to secure their network at all access points. As the role of IoT and smart devices grows, every device on a network needs to be protected by secure built-in hardware or endpoint security safeguards.

McCann: Not knowing the capabilities of the device and configuring it to meet your business’s IT policies is a common weakness. Our devices are easily configurable to meet the needs of customers with highly sensitive needs. We have a common firmware architecture, so all customers have access to these features.  Customers have the ability to disable specific ports, restrict access, and audit the actions of the device, allowing IT policies to be easily adapted to our devices.

The average ransomware lies dormant within a network between 150 and 175 days before it unleashes itself.

McLaughlin: Users, first and foremost. That’s proven statistically. Outdated operating systems and hardware — companies not upgrading their systems to the latest and greatest, not spending enough money, and not creating enough awareness around the infrastructure. It’s extremely important to spend money to test your environment and make sure your users are trained. You can’t necessarily stop ransomware from happening, but you can mitigate your risk by doing things that help prevent you from getting it, and also by having proper backup and recovery. Then, if you have a disaster plan in place to get rid of the infection and recover quickly without reintroducing the virus or ransomware you can have little to no business interruption and most importantly, not pay the ransom.

The average ransomware lies dormant within a network between 150 and 175 days before it unleashes itself, so if you don’t have intrusion protection and intrusion detection you could have something lying dormant on your network. It is collecting data, learning and understanding your environment on your network,  ghosting your users for several months, and then when they go to launch their attack they know all the data they’re going to lock down, everyone you communicate with; they know who’s in accounts receivable and accounts payable, they know who does the wire transfers. By that time it’s a bit late. If you have the systems in place you’re catching it on the front end – it doesn’t have the opportunity to collect all this data. You can get it out of your network and go to the last clean backup and do the restore, not pay the ransom and be on your merry way.

According to McAfee’s latest Cloud Adoption & Risk Report, 22 percent of cloud users share files externally; sharing sensitive data with an open, publicly accessible link has increased by 23 percent and sensitive data sent to a personal email address also increased by 12 percent. Given that, what measures can organizations take to secure data in the cloud? What’s the best way for organizations to keep pace with rapidly changing compliance regulations?

Conlan: This is a real challenge that we see organizations struggle with on a consistent basis. How do you keep the technology lights on within a firm while you are trying to stay up to date with consistently changing regulations and compliance requirements? I believe that everyone needs to work with a reputable third party that can share industry best practices and perform gap assessments to whatever compliance standard they are trying to achieve. An annual security assessment is required for any organization to stay up to date with new regulations and compliance standards. Written policies and procedures on how to maintain compliance are also critical. We don’t allow companies to audit their own financial data for obvious reasons, and that same logic should apply to the adherence to compliance regulations.

Gardner: Complying with new regulations is not solely the responsibility of HR or the IT department. With digital transformation rapidly changing the technology landscape and the Fourth Industrial Revolution becoming a reality for businesses, it is important to design flexible policies that can scale and adapt to new regulations. The introduction of GDPR is the most relevant example of sweeping compliance regulations, affecting global companies, who are now re-evaluating their existing policies. The best way for organizations to keep pace with rapidly changing compliance regulations is to create future-reaching policies and implement them from the top down. By applying policies at a global level, regularly updating technology offerings, and training employees on the most recent regulations, companies can stay ahead of the compliance pendulum.

McCann: As compliance regulations continue to evolve, we recommend customers find a partner who is analyzing these regulations and providing responsive updates.  We try to stay a generation ahead of regulations with our devices, even if the functionality isn’t required yet.  A good example of this is our integration with Active Directory for authentication.  Our devices have supported this capability since 2012, even though it is just now becoming common practice for companies to configure and integrate devices in this manner.

Considerable resources – including diplomacy – are required to enforce the security promises made to you by your suppliers, vendors, partners, and contractors.

What’s the one security or compliance issue that makes you lose sleep at night?

Cobb: The supply chain again comes to mind because considerable resources – including diplomacy – are required to enforce the security promises made to you by your suppliers, vendors, partners, and contractors. Are they really giving all their employees regular security awareness training? Do they really make all employees use 2FA for network access? Have they updated their security policies and procedures since installing all those IoT devices and adding five employees in social media marketing? Do they have a ransomware scenario in their incident response playbook? You need to find a way to ask questions like this and verify the answers, otherwise you could be on the hook for a breach that came through your ever-expanding digital supply chain.

McCann: We find that compliance with updates is a huge issue, specifically customers who have not updated the firmware on their devices.  We continually provide new features, updates and patches for consumers of our devices via firmware updates.  Having a customer experience issues because a patch that is publicly available hasn’t been applied — either because they are not aware it exists or feel it is too complicated to update — makes for a tough day!

How do you prevent security breaches due to employees using their own devices and/or cloud storage?

Gardner: In the last six years, the percentage of breached notebooks and desktops has doubled and there is little reason to believe that trend will not continue. This is especially relevant given that more and more young people are seeking fluidity between their work and personal lives. They are looking to use the same types of devices in the office and as they do at home.

This has led to BYOD (Bring Your Own Device), where new devices are constantly entering and exiting an organization’s network. What’s important for organizations to remember is any employee device – whether within the walls of your office or sitting in your employee’s apartment – is an endpoint susceptible to a security breach. IT needs to treat these devices just the same, with enhanced security protocols, cloud security solutions, and mobile device management programs that can secure these devices wherever they go.

CompTIA’s report on the state of cybersecurity showed that though two-thirds of companies have formal policies and procedures for incident detection and response, two-thirds of firms said those steps have proven to be only moderately or slightly effective, or not effective at all. How can you create an effective cybersecurity or incident response policy?

Cobb: Effective incident response planning happens when all of the stakeholders are actively engaged, from the C-suite on down, and adequate time and resources are allocated to begin and then sustain the process. Unfortunately, the constant effort required to keep bad actors out of our networks can pull us away from creating, rehearsing and updating the incident response plan that has a vital role to play if any of those bad actors succeed. As with regular cybersecurity policies, things have to be kept current – I’ve talked to numerous companies that still don’t have a ransomware scenario in their crisis management playbook, just as their information security policies don’t make it clear that employees aren’t allowed to pay ransoms (which some have been known to do because it was easier than restoring backups). Fortunately, the first time there is an incident and your organization responds effectively thanks to a good plan, there will be a lot of praise for whoever made the effort to put the right policies and procedures in place.

Conlan: The creation of an effective security policy can be a daunting challenge for any organization. For a policy to be effective, it needs to be created with end-users’ goals in mind, and then it has to be enforced. Organizations of all shapes and sizes require a consistent level of enforcement of their security policies, and they simply can’t waver or give exceptions once those are instituted. Without consequences, people will continue to find workarounds to policies if it means saving them time or effort. Organizations need to find a solid balance of security and productivity so the policy is embraced and can be realistically enforced. Many times the policies are written by technology teams that either don’t understand or undervalue the daily workflows of the employees they are impacting. For a policy to truly be effective organizations should assign a cross-functional team or committee to assist in the development, the review, and the execution of their security policies if they are to be openly embraced and followed.

Gardner: Cybersecurity threats, protections, and solutions tend to be global in nature and must be addressed as such in order to ensure a more secure global IT ecosystem. We participate in a wide range of activities around the world, sponsored by commercial, governmental and academic institutions, to develop technical standards for IT and cybersecurity. Cybersecurity touches all aspects of our digital lives, from cloud and mobile computing to social media and the web. Enterprises, governments and consumers need cybersecurity policies that address network access, authentic identification and application permissions. Beyond network and cloud protections, security measures need to be built into hardware and other network access points.

McCann: We feel it is imperative to create a cybersecurity policy that allows for the most secure and efficient use of our devices.  An example would be when our customers utilize user authentication.  Some policies would say requiring the full email address to be entered as a username is the most secure method for authenticating.  Entering a 30-digit email address each time you make a copy is cumbersome.  Either supplying a PIN or card swipe for authentication greatly reduces this time spent, but also allows for an authenticated user record to be created.

McLaughlin: First and foremost, hire experts. Everyone is getting into cybersecurity because it’s hot and it’s the flavor of the month – but it’s here to stay, and too many people are getting into it with no expertise. Make sure you’re doing penetration tests and working with your infrastructure and network provider to fill in the gaps the test reveals. Make sure you’re hiring someone who is at a chief information security officer (CISO) level who can come in and put a written policy around the actual implementation of a security suite, making sure it is presented to senior management and then downstream. And most important, test — and this is where a lot of companies fall short. They implement policy, create a document around what the policy should look like, and they don’t test it. Their first test is when they have a breach, and then they find out the process doesn’t align with what has been deployed. Or maybe the users or senior management don’t understand what has been implemented and how to take action once a breach occurs. So when experts are engaged, the technology deployed and the process written, there then must be real live physical tests to make sure that everything is tried and true across the board — not only technology but the people and the process.