We asked industry experts how technology leaders can ensure the work practices of their colleagues do not put their company’s cybersecurity at risk.
Here’s the response from Rob Chapman, Director of Security Architecture at Cybera.
“This is a great question worth a regular revisit. The answer is a combination of appropriate technology controls and enforced policy. The hard part is enforcing policy consistently. We’re talking about limiting the blast radius of user actions whether unintended or subversive. People tend to choose the path of least resistance. You should build your policies and controls so that people make better choices.
Start with a risk assessment. When you examine your environment ask the question: “What’s the worst that could happen if my employee does x?” There’s no magic solution but rather a net gain of efforts across lots of domains.
Here are some ways to get started, but consider bringing in a professional. Having a new set of eyes on your environment can often help uncover areas you might be blind to.
- Standardize on a set of controls to help guide your security program. If you have a compliance obligation like PCI it may help fill in some of these gaps. Getting started, I recommend the CIS top 20 controls https://www.cisecurity.org/controls/cis-controls-list/. Several of the items I list below are captured here and a few more I don’t have the space to list.
- Turn on multi-factor authentication everywhere, especially email. MFA is the best bang for your buck.
- Segment your network. Printers, servers, workstations and infrastructure systems should be on their own network segments with appropriate firewall rules between them. You should not have a flat network where anything can talk to anything else it wants.
- Invest in an email security/firewall solution. These won’t catch everything, but they cut down on a lot of noise. Phishing is probably your biggest area of weakness for employee vulnerability.
- Remove unnecessary administrative access and practice least privilege. Your average employee should never be admin on their computer. They shouldn’t be root, domain admin, SAP_ALL, or have full file server access. Build appropriate roles for users and remove all admin access.
- Install a good endpoint detection and response (EDR) solution. Modern EDR platforms are generally really good at preventing malware, fileless threats and ransomware.
- Require MFA and encrypted VPN for any remote access to the environment. You’re probably not Google so don’t worry about anything fancier if you aren’t doing this. If you can remote desktop from home without VPN then you’re probably doing this wrong.
- No special snowflakes. I don’t care if it’s an executive or some remote salesperson. No one is exempt from security controls. Snowflakes kill security controls. If you’re a technology leader and you have admin rights to anything you’re probably over provisioned.
- Enforce long passwords. Don’t change them too often. Once a year is probably plenty. Whatever length you have set now is probably not long enough.
- Plan for failure. You should have regular backups and a Business Continuity plan for when things break. You should also be testing your backups regularly. Lastly, your backups shouldn’t be accessible from the systems that are being backed up.”
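The segmentation and remote-access points above (separate segments for printers, servers, workstations and infrastructure with firewall rules between them, and no remote desktop without VPN) can be turned into a checkable policy. The script below is an added example, not code from Rob Chapman or Cybera: it encodes a default-deny matrix of allowed flows between segments and runs it over constructed firewall-log lines to flag cross-segment traffic the policy does not permit. The segment addressing (10.0.x.0/24), the allowed port sets and the `src=... dst=... dport=...` log format are all hypothetical assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical segment addressing; replace with the real VLAN/subnet plan.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.30.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "printers": ipaddress.ip_network("10.0.10.0/24"),
    "infrastructure": ipaddress.ip_network("10.0.40.0/24"),
    "vpn": ipaddress.ip_network("10.0.50.0/24"),
}

# Allowed cross-segment flows: (src segment, dst segment) -> permitted TCP
# destination ports. Any pair or port not listed is denied (default deny).
# Note that "printers" never appears as a source: printers should not be
# initiating connections into other segments. RDP (3389) is reachable only
# from the VPN segment, never from workstations or the internet directly.
ALLOWED = {
    ("workstations", "printers"): {9100, 631},
    ("workstations", "servers"): {443, 445},
    ("vpn", "servers"): {443, 445, 3389},
    ("vpn", "workstations"): {3389},
    ("infrastructure", "servers"): {22},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str):
    """Return the segment name containing ip, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Default-deny check of one flow against the segmentation policy."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False  # unknown endpoint (e.g. the internet): deny
    if src_seg == dst_seg:
        return True  # intra-segment traffic is out of scope for this matrix
    return flow.dport in ALLOWED.get((src_seg, dst_seg), set())


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src=A dst=B dport=N' log line into a Flow."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def violations(lines):
    """Return the flows in lines that the policy does not allow."""
    return [flow for flow in map(parse_flow, lines) if not is_allowed(flow)]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "src=10.0.30.15 dst=10.0.10.3 dport=9100",   # workstation -> printer: allowed
    "src=10.0.10.3 dst=10.0.20.7 dport=445",     # printer -> server: denied
    "src=10.0.30.15 dst=10.0.20.7 dport=3389",   # workstation RDP to server: denied
    "src=203.0.113.9 dst=10.0.30.15 dport=3389", # internet RDP to workstation: denied
    "src=10.0.50.4 dst=10.0.30.15 dport=3389",   # VPN RDP to workstation: allowed
    "src=10.0.30.15 dst=10.0.30.16 dport=445",   # intra-segment: allowed
]

if __name__ == "__main__":
    for flow in violations(SAMPLE_LOG):
        print(f"policy violation: {flow.src} -> {flow.dst}:{flow.dport} "
              f"({segment_of(flow.src)} -> {segment_of(flow.dst)})")
```

Running this over real firewall or NetFlow exports is a cheap way to find out whether the network is still effectively flat: every line it prints is either a rule that should not exist or a flow the allow matrix is missing, and deciding which is the policy work the answer above describes.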