Intelligent CIO North America Issue 04 | Page 32

EDITOR’S QUESTION

HOW CAN TECHNOLOGY LEADERS ENSURE THE WORK PRACTICES OF THEIR COLLEAGUES DO NOT PUT THEIR COMPANY’S CYBERSECURITY AT RISK?

ROB CHAPMAN, DIRECTOR OF SECURITY ARCHITECTURE AT CYBERA

This is a great question worth a regular revisit. The answer is a combination of appropriate technology controls and enforced policy. The hard part is enforcing policy consistently.
We’re talking about limiting the blast radius of user actions, whether unintended or subversive. People tend to choose the path of least resistance. You should build your policies and controls so that people make better choices.
Start with a risk assessment. When you examine your environment, ask the question: “What’s the worst that could happen if my employee does x?” There’s no magic solution but rather a net gain of efforts across lots of domains.
Here are some ways to get started, but consider bringing in a professional. Having a new set of eyes on your environment can often help uncover areas you might be blind to.
1. Standardize on a set of controls to help guide your security program. If you have a compliance obligation like PCI, it may help fill in some of these gaps. Getting started, I recommend the CIS top 20 controls (https://www.cisecurity.org/controls/cis-controls-list/). Several of the items I list below are captured here, and a few more I don’t have the space to list.
2. Turn on multi-factor authentication everywhere, especially email. MFA is the best bang for your buck.
3. Segment your network. Printers, servers, workstations and infrastructure systems should be on their own network segments with appropriate firewall rules between them. You should not have a flat network where anything can talk to anything else it wants.
4. Invest in an email security/firewall solution. These won’t catch everything, but they cut down on a lot of noise. Phishing is probably your biggest area of weakness for employee vulnerability.
5. Remove unnecessary administrative access and practice least privilege. Your average employee should never be admin on their computer. They shouldn’t be root, domain admin, SAP_ALL, or have full file server access. Build appropriate roles for users and remove all admin access.
6. Install a good endpoint detection and response (EDR) solution. Modern EDR platforms are generally really good at preventing malware, fileless threats and ransomware.
7. Require MFA and encrypted VPN for any remote access to the environment. You’re probably not Google, so don’t worry about anything fancier if you aren’t doing this. If you can remote desktop from home without VPN, then you’re probably doing this wrong.
8. No special snowflakes. I don’t care if it’s an executive or some remote salesperson. No one is exempt from security controls. Snowflakes kill security controls. If you’re a technology leader and you have admin rights to anything, you’re probably over-provisioned.
9. Enforce long passwords. Don’t change them too often. Once a year is probably plenty. Whatever length you have set now is probably not long enough.
10. Plan for failure. You should have regular backups and a Business Continuity plan for when things break. You should also be testing your backups regularly. Lastly, your backups shouldn’t be accessible from the systems that are being backed up.
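The hard part, as the answer says, is enforcing policy consistently, and the practical way to do that is to audit the account inventory by script rather than by hoping people comply. The following is an added example, not code from the article or from Cybera: it checks a constructed set of accounts against four of the controls above (MFA on every account, no admin rights outside privileged roles, no exemptions for "special snowflakes", and long, rarely rotated passwords). The threshold values, the role names, and every account record are assumptions made up for the illustration.

```python
"""Added example (not from the article): audit a constructed account
inventory against four of the controls listed above so that policy
exceptions are found by a script, not by hoping people comply.
All threshold values, role names and accounts below are made up."""
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds; pick values that fit your own risk assessment.
MIN_PASSWORD_LENGTH = 16
MAX_PASSWORD_AGE_DAYS = 365          # rotate about once a year
ADMIN_RIGHTS = {"root", "domain admin", "SAP_ALL", "local admin"}
PRIVILEGED_ROLES = {"sysadmin"}      # assumed: the only role allowed any admin right


@dataclass
class Account:
    user: str
    role: str
    rights: frozenset          # entitlements held, e.g. {"local admin"}
    mfa_enabled: bool
    password_length: int
    password_set: date         # date the current password was set
    exempt: bool = False       # an exception someone granted to this account


def audit_account(acct: Account, today: date) -> list:
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("NO_MFA")
    held_admin = acct.rights & ADMIN_RIGHTS
    if held_admin and acct.role not in PRIVILEGED_ROLES:
        findings.append("ADMIN_RIGHTS:" + ",".join(sorted(held_admin)))
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("PASSWORD_TOO_SHORT")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("PASSWORD_TOO_OLD")
    if acct.exempt:
        findings.append("POLICY_EXEMPTION")
    return findings


def audit(accounts, today: date) -> dict:
    """Map each non-compliant user to its findings; compliant users are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed inventory; in practice this would come from a directory export.
SAMPLE_ACCOUNTS = [
    Account("alice", "analyst", frozenset({"local admin"}), False, 10, date(2020, 1, 15)),
    Account("bob", "sysadmin", frozenset({"domain admin"}), True, 24, date(2021, 1, 10)),
    Account("carol", "executive", frozenset(), True, 20, date(2021, 3, 1), exempt=True),
    Account("dave", "sales", frozenset(), True, 18, date(2020, 4, 1)),
]
AUDIT_DATE = date(2021, 6, 1)   # constructed "today" so the run is reproducible

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

Run it on a regular schedule against a real directory export and treat every non-empty entry as a ticket: the executive with an exemption flag shows up in the same report as the analyst with local admin, which is the point of item 8.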