To mitigate threats, security leaders can lean on established guidance and develop a four-part cybersecurity strategy that focuses on authentication, assets, training, and the cloud.
1. Strengthen authentication
User authentication has been a sore spot in cybersecurity for decades. With the shift to partial or fully remote workforces and the rise of cloud computing, authenticating employee identities has only become more critical. How can organizations confirm that the employees attempting to gain access to company resources are who they say they are?
Historically, the general convention for strong authentication has been multiple, robust forms of authentication. The obvious solution is multifactor authentication (MFA). (An aside: If your organization doesn’t already have MFA for all external logins, please stop reading here and go implement it.) With MFA in place, if one factor of authentication such as a username or password is compromised, a second line of defense such as a push notification to a phone can prevent unauthorized access. Another acceptable form of authentication includes biometrics such as fingerprint or face scans.
These multiple factors can be strengthened, however, with additional controls. Passwords should be long (15+ characters), unique, and difficult to guess. Multifactor notifications should go only to devices that have been previously verified and enrolled. Modern identity providers such as Microsoft Azure™ and Microsoft 365™ provide controls that go even further to prevent impossible travel and block attempts from unexpected locations. All these features should be used in conjunction to provide assurance that users truly are who they say they are.
2. Know your assets – and manage them
Can your organization account for every machine on its network right now? Security teams can’t manage and patch what they don’t know exists, so asset management is the critical foundation of patch management. New vulnerabilities come out almost daily – including Log4Shell, PrintNightmare, HAFNIUM, and others with less creative names such as “CVE-2021-42278/CVE-2021-42287.” Because bad actors incorporate these exploits as soon as they’re public, patch management is the answer for staying abreast of threats like ransomware. Knowing the endpoints and keeping them patched is a must.
Data is any organization’s most valuable asset, and organizations should ask probing questions such as, “Is there an understanding of every place data is stored?” and “How does data flow through the environment?” Knowing where the data lives is critical to figuring out how that data is being protected and whether sufficient controls are in place to restrict access to only those who absolutely require access. Data flow mapping can be a valuable tool to build that understanding and to identify where controls need to be implemented.
Another often overlooked asset is software – both the commercial solutions and the code security teams might be writing. Users should be restricted to only running the exact software they need, and IT teams should have visibility into all the applications running in the environment. For those performing in-house development, supply chain attacks apply to software too, so understanding which dependencies are being used in the organization’s code is a must before knowing whether the code being published has vulnerabilities rooted in those dependencies (like Log4J).
3. Invest in training
In the cybersecurity value stream of people, processes, and technologies, people are sometimes left out of cybersecurity strategy. When it comes to software and hardware, some cynics view people as “wetware,” implying that they are a liability. Smart organizations see their people as cybersecurity assets and invest in training to help them better anticipate, recognize, and act on perceived threats.
Beyond the average user, IT and IS teams are not all-knowing (although they might never admit that). Cybersecurity changes daily, so keeping up with it is a full-time job. Earmarking resources for specialized training for internal IT and IS teams to deepen their knowledge empowers them to better prepare an organization to respond to threats.
4. Lock down the cloud
No cybersecurity strategy is complete without mention of the cloud. Organizations have been flocking to major cloud providers for more than a decade. However, many have not done so with the same level of security scrutiny they’d have for on-premises systems. The reality is that in the attempt to move quickly with the focus on availability, access permissions often are sorely neglected, allowing users far too much access and too many privileges in cloud environments. These cloud assets can benefit from the implementation of cloud-specific security controls and comprehensive access management programs that follow the principle of least privilege and remove excessive permissions.
Even if organizations have a comprehensive strategy to operate in the cloud, their users might operate on their own. Many organizations suffer from overzealous users who function as “shadow IT” and put sensitive data in the cloud where it’s outside the bounds of organizational data management controls. These organizations can benefit from a cloud access security broker solution to audit and manage all the disparate cloud services that might be in use to rein them in.
Lastly, even when organizations want to implement good cloud security practices, the industry is in the midst of a subject matter expert shortage. Pushing management of cloud services onto IT teams that might already find themselves overburdened and without the requisite expertise is a mistake that can lead to huge security holes. Securing the right personnel is paramount in doing things right the first time and avoiding those gaps.
Get proactive with a solid cybersecurity strategy
As plans for the coming year come together, this four-part cybersecurity strategy can help narrow the focus of security teams’ efforts and support organizations as they build a stronger cybersecurity posture in preparation for whatever threats lie ahead.