Every high-profile hack reminds C-suite executives of the stakes involved in their cybersecurity programme. Then the budget swells for the task of safeguarding a company’s data, even as senior management frequently don’t have the expertise to decide how best to prioritise the various elements of a programme.
It becomes easier to hire a small army of vendors, each with their own promise of additional layers of security, without knowing whether vulnerabilities remain even after all that time and expense.
The reality is that there will always be vulnerabilities, because the weakest link of any programme is the employee who ends up clicking on the wrong email and unlocking the whole system for an intruder.
Cybersecurity efforts consequently need to begin with the end user in mind. This means a security awareness programme stands at the centre of any effort, with regular training and testing of employees. In case that employee still clicks on a suspicious link, there should be an incident response plan to prepare for a worst-case scenario.
There should also be advanced endpoint protection in place to ensure that any breach caused by a user is contained. In addition to that, IT departments should log and monitor to stay vigilant for potential threats.
According to Verizon’s 2017 Data Breach Investigations Report, 43 percent of breaches begin from social attacks (attacks based on the human element), with 90 percent of those employing some variety of phishing. In short, employees can make the most robust cybersecurity programmes irrelevant by inviting the hacker into the system by clicking on an unknown email.
Experts say that is often due to an insufficient security awareness programme. The best programmes involve an assessment of the current set-up, training that is tailored to an employee’s unique learning capability and testing of that awareness on an ongoing basis.
“Ask yourself how many times users have inadvertently introduced malware into the environment by visiting a malicious website or attaching removable media to company machines. Did they notify IT, or was the malware found via detective technical controls?” says Candice Moschell, of consultancy Crowe Horwath. “Understanding the root cause of your incidents can reveal potential programme gaps.”
A survey of employees’ security awareness can also highlight frequent gaps in knowledge, which can then become a key topic of subsequent training initiatives. Experts warn that these surveys reveal a shocking lack of knowledge on the part of employees, but can also give any future training effort real focus.
After the survey is complete and the results reviewed, experts stress the need to create a risk-based approach to training. For example, HR staff are frequently targeted by phishing scams due to their access to high-value personal information. Accounting staff can also be frequent targets due to their access to financial information.
Once employees are prioritised by risk, the training effort needs to be further tailored to the unique learning styles of the employees. Cybersecurity experts caution against one-size-fits-all programmes, with a reliance on slide deck-driven, computer-based training.
Instead, awareness training should include some mix of more proven methodologies. One is mixing mediums through a combination of videos, social media and personalised emails. Two, the gamification of training, such as offering security versions of classic games like Jeopardy or Balloon Pop, has been proved to tap into intrinsic physiological responses that motivate staff. Three, security issues can be translated into the real world, with examples drawn from employees’ personal lives, which can further instil lessons into an employee’s thinking.
That training should be followed up with another survey of security awareness, within six months of the initial training effort. But the evaluation shouldn’t end there. “The most common gap in cybersecurity awareness training programmes is the lack of testing employees as it relates to phishing,” says Chris Wilkinson, also of Crowe Horwath. “So the IT staff or an outside vendor should do phishing testing, as there are tools out there that provide this functionality, to see how employees will react.”
Tracking the metrics of such exercises can also shape further training sessions, as it will identify employees who habitually lag on awareness issues, and determine if a company’s security awareness is improving.
Even if employees score off the charts in security awareness, that doesn’t prevent momentary lapses in judgment, not to mention the threats that don’t require clicking the wrong link. Therefore, another key element of a cybersecurity programme is the development of incident response plans, so the organisation knows what to do in the event of a breach.
This requires an assessment of the biggest risks for an organisation. One IT expert inside a large corporation stressed the need to focus on the most sensitive data a company has within its network. There can’t be a plan for every eventuality, but there can be a set of processes for likely ones that would target the data a company is most concerned about compromising.
Some common incidents worth planning for include malware outbreaks, denial of service attacks, web defacements, account compromises, internal privilege misuses and third-party breaches. One IT chief argues that the key elements of this plan are procedures for containment and eradication before anything else, to limit the damage of a given breach, even if its impact has already been felt.
Impacts to consider include outage of a customer-facing website; sensitive company information publicly available online; a news headline featuring a security lapse; or a third-party notification, such as law enforcement or an internet service provider. Those impacts should dictate who contributes to that incident response plan. “Information security and IT will take the lead in developing a response plan,” says Wilkinson. “But depending on the kind of incident, legal, marketing, external affairs and business units will also play a role.”
This requires periodic verification, so that each group is aware of its responsibilities in the event of a breach. Any room for interpretation in these duties might lead to scrambling and responses that make the breach even worse.
Thankfully, there have been advances in cybersecurity tools to help prevent a company from having to execute any of those worst-case scenario plans. Advanced endpoint protection solutions, commonly known as endpoint detection and response (EDR), can improve a company’s ability to detect and respond to outsider and insider threats by supplementing traditional signature-based technologies with richer, behaviour-based anomaly detection and visibility across all endpoints.
To achieve this type of visibility and protection, an organisation must determine what assets it wishes to protect and what integration value the EDR tools can provide. Again, it’s a matter of determining the highest-risk areas and making them a priority for protection. Organisations should evaluate multiple EDR products and perform a cost/benefit analysis to determine which one best fits their organisation.
LOGS AND WATCHDOGS
Most end users won’t be aware of these additional protections, but some IT staff will face limits on what they can install and what programmes they use. So, it’s important to work closely with the internal staff as EDRs are installed to avoid any hiccups.
It stands to reason that the better view IT staff have of ordinary functions, the swifter they can recognise any suspicious activity. The security information and event management (SIEM) solution becomes a central point for all security events and alerts as well as operational events and alerts. While other tools will be used for visibility and deep dives into data and systems, investigation efforts all start at the SIEM.
However, experts note that the most mature organisations also integrate operational logging and monitoring to provide additional context to both operational and security-relevant events. Additionally, the best cybersecurity programmes build and maintain activity baselines that alert on anomalous activity within the environment. These baselines provide alerts and insight into activity that may not be malicious in nature, but represents a change in what is ‘normal’. “This type of detection can be invaluable in early detection of a breach or of an impending operational issue,” says Moschell.
In a best-case scenario, a mature logging and monitoring programme incorporates logs from the various layers of technology, including servers, workstations, databases, networks and applications.
“This information should be aggregated into a single location and correlated for activity that needs to be investigated, thus giving companies greater visibility into what is happening on their system,” says Wilkinson. “Mature organisations are leveraging security assessments such as penetration testing to test the effectiveness of the programme and improve alert settings to incorporate more advanced levels of attacks.”
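As an added illustration (not from the article or the people quoted in it) of the activity baselines Moschell describes and the aggregation Wilkinson describes: constructed log lines from two sources are normalised into one event stream, a baseline of normal user/host pairs and working hours is built from an earlier window, and later events that depart from it are flagged. The log formats, hostnames and user names are constructed for this example and do not match any real product.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records as (source, line); simplified formats, not real syntax.
BASELINE_LOGS = [
    ("server", "2017-06-01T09:02:11 sshd accepted user=alice host=db01"),
    ("server", "2017-06-01T09:15:40 sshd accepted user=bob host=web01"),
    ("server", "2017-06-01T09:16:00 sshd failed password user=eve host=web01"),  # not a logon
    ("workstation", "2017-06-01T08:58:03 logon user=alice host=WS-HR-07"),
    ("server", "2017-06-02T10:01:55 sshd accepted user=alice host=db01"),
    ("workstation", "2017-06-02T09:05:20 logon user=bob host=WS-FIN-03"),
]
CURRENT_LOGS = [
    ("server", "2017-06-03T09:10:02 sshd accepted user=alice host=db01"),  # matches baseline
    ("server", "2017-06-03T02:47:19 sshd accepted user=bob host=db01"),    # new pair, odd hour
]

# One pattern covers both sources' successful-logon lines; other lines are skipped.
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?:sshd accepted|logon) user=(?P<user>\S+) host=(?P<host>\S+)$")

def normalise(records):
    """Aggregate heterogeneous lines into uniform (source, user, host, hour) events."""
    events = []
    for source, line in records:
        m = EVENT_RE.match(line)
        if m:
            events.append({"source": source, "user": m["user"], "host": m["host"],
                           "hour": int(m["ts"][11:13])})
    return events

def build_baseline(records):
    """Record which user/host pairs and which hours of activity count as 'normal'."""
    pairs, hours = set(), defaultdict(Counter)
    for e in normalise(records):
        pairs.add((e["user"], e["host"]))
        hours[e["user"]][e["hour"]] += 1
    return {"pairs": pairs, "hours": hours}

def detect_changes(baseline, records, tolerance=1):
    """Flag events outside the baseline: a never-seen user/host pair, or activity
    more than `tolerance` hours away from every hour the user was previously seen."""
    alerts = []
    for e in normalise(records):
        reasons = []
        if (e["user"], e["host"]) not in baseline["pairs"]:
            reasons.append("new user/host pair")
        seen = baseline["hours"].get(e["user"])
        if seen and min(abs(e["hour"] - h) for h in seen) > tolerance:
            reasons.append("unusual hour")
        if reasons:
            alerts.append((e["user"], e["host"], e["hour"], reasons))
    return alerts
```

A flagged event is a change from normal, not proof of compromise; it is a prompt for the investigation the SIEM is meant to start.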
Like every other element of cybersecurity, logging and monitoring requires doing more than installing a lock. That lock should be tested and retested to ensure its viability against hackers who are constantly evolving to beat the best safeguards.