Issue Eleven

February 2022

On January 26, 2022, the Executive Office of the President issued Memorandum M-22-09, which details the criticality of federal agencies moving toward a zero-trust architecture (ZTA). This is an important progression in strategy: it signals an understanding that the Federal Government can no longer depend on conventional, perimeter-based defenses to protect critical systems and data.

The Biden administration has placed significant emphasis on cybersecurity, and it is something we should all be paying close attention to. There are plenty of lessons to learn and practices the private sector can adopt today that will better prepare us for what is to come.

As we look toward continual improvement in our overall digital protection strategies, we must not lose sight of the essential cyber hygiene practices that are the foundation of everything we have accomplished thus far, and that remain an area of continuous improvement.

Our responsibility extends beyond protecting our own organizations to protecting the entire community of organizations that enables us to do valuable work. This will require re-evaluating our current processes and strategies, and likely reordering priorities, to build organizational resilience that extends into our own supply chains.

We must come to understand that cybersecurity is not merely a strategy for protecting the business but also a powerful enabler: a way to realize new operational efficiencies, surpass revenue goals, and keep digital transformation efforts uninterrupted.

“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction, and Resilience. Do remember: Cybersecurity is much more than an IT topic.” – Stéphane Nappo

Issue Eleven explores some of the major tenets of digital protection and why our focus and attention should be placed on these concepts. Enjoy.


ZEROING IN


Implementing Zero Trust? Prioritize people as much as tech

BetaNews

Zero Trust has become one of the most misused and abused terms in the industry. It has been attached to nearly every cybersecurity product on the market, as if it’s a feature built into the code after the fact.

In reality, Zero Trust is a set of principles that require people, processes, and technology to work together so that users, devices, and identities are authenticated and access to data is limited to those explicitly granted it.

“For a Zero Trust model to be effective, as much importance needs to be placed on the behavioral and cultural elements as the technology changes. Human error is by far the greatest risk to an organization, so all stakeholders need to wholeheartedly buy into the model for it to be effective.”

It requires continuous evaluation of user identity, behavior, and device health to establish a trust level that determines whether access to a given application or data set will be granted. The more sensitive and critical the data, the stricter the conditions for granting access become.

“Rather than viewing cybersecurity as just an obligatory training program, employees can be empowered by their role and responsibilities in the Zero Trust process. By understanding that Zero Trust is not based on distrusting individuals but rather requiring them to play a greater part in preventing cybersecurity incidents, employees will become more engaged and play their part in preventing cyber-attacks.”
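The access decision described above, reduced to working code as an added illustration (this is not code from BetaNews or from the newsletter): identity, device-health and behavior signals are folded into a trust score on every request, and the score is compared against a minimum that rises with the sensitivity of the data. The signal names, the sensitivity tiers and their thresholds are assumptions chosen for the example.

```python
"""Zero Trust policy decision, added example. Signals, tiers and thresholds are assumed."""
from dataclasses import dataclass

# Minimum trust score per data sensitivity tier (assumed values for the example).
REQUIRED_TRUST = {"public": 0, "internal": 3, "confidential": 5, "restricted": 7}


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str          # key of REQUIRED_TRUST
    mfa_passed: bool          # identity signal
    device_managed: bool      # device-health signals
    disk_encrypted: bool
    edr_healthy: bool
    patch_age_days: int
    anomaly_score: float      # behaviour signal: 0.0 normal .. 1.0 highly unusual


def trust_score(req: AccessRequest) -> int:
    """Fold identity, device-health and behaviour signals into one score.
    Positive signals add points; anomalous behaviour subtracts them."""
    score = 0
    score += 2 if req.mfa_passed else 0
    score += 2 if req.device_managed else 0
    score += 1 if req.disk_encrypted else 0
    score += 1 if req.edr_healthy else 0
    score += 1 if req.patch_age_days <= 30 else 0
    if req.anomaly_score >= 0.8:
        score -= 3
    elif req.anomaly_score >= 0.5:
        score -= 1
    return max(score, 0)


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'allow', 'step-up' or 'deny'.
    Hard rules come first; then the score is compared with the tier's minimum."""
    required = REQUIRED_TRUST[req.sensitivity]
    if req.sensitivity != "public" and not req.mfa_passed:
        return "step-up", ["MFA required for non-public data"]
    if req.sensitivity == "restricted" and not req.device_managed:
        return "deny", ["restricted data is only served to managed devices"]
    reasons = []
    if req.anomaly_score >= 0.8:
        reasons.append(f"anomaly score {req.anomaly_score:.2f} is above 0.8")
    score = trust_score(req)
    if score >= required:
        return "allow", reasons + [f"trust {score} meets required {required}"]
    reasons.append(f"trust {score} is below required {required} for {req.sensitivity}")
    # Just under the bar: ask for fresh authentication instead of a silent refusal.
    # Well under it: refuse, and let the reasons go to the security event log.
    if score + 2 >= required:
        return "step-up", reasons
    return "deny", reasons


if __name__ == "__main__":
    healthy = AccessRequest("alice", "hr-db", "restricted", True, True, True, True, 10, 0.1)
    odd_hours = AccessRequest("alice", "hr-db", "restricted", True, True, True, True, 10, 0.9)
    for r in (healthy, odd_hours):
        print(r.user, r.resource, decide(r))
```

Because the decision is recomputed per request rather than once at login, the same user on the same device is refused the moment the behavioral signal turns anomalous, which is what "continuous evaluation" means in practice.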


Implementing strong cybersecurity hygiene standards

Security Magazine

“The purpose of cyber hygiene is primarily to protect an organization's data. However, once in place, many organizations will find that it goes further than just protecting the organization. Those who implement strong cyber hygiene will see that it will also drive improvements and efficiencies across their organization’s entire technology landscape.”

The core building blocks of cyber hygiene are knowing your estate and understanding your identities, so that the proper security controls are applied across your entire environment. Effective approaches include:

  • Defining secure standards for the platforms you rely on, such as Linux, Windows, and network storage. These standards should be reviewed regularly and should include vulnerability management, so that risk in existing platforms and software is surfaced and candidate additions to the environment are assessed for vulnerabilities before they are deployed.

  • Securing endpoints with controls such as malware protection, encryption, least privilege, and security event logging. Endpoints should be actively monitored for gaps such as broken agents, devices missing the latest updates, and incorrect configurations, and the monitoring itself should give you full visibility of the endpoint estate, including devices that have never been enrolled.

  • Standardizing authentication and authorization across the network with multi-factor authentication (MFA). Ensure that authorization to shared resources and sensitive data is granted only to those who genuinely require access.

These standards don’t start and stop with the cybersecurity team. They should be embedded throughout the culture of the entire organization.
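The endpoint monitoring described in the list above, as an added example that is not code from Security Magazine or from the newsletter: a small hygiene check that compares inventory records against a baseline and reports broken agents, stale patches, misconfigurations, and devices seen on the network that the endpoint platform has never enrolled. The record fields, baseline values, thresholds and the inventory itself are constructed for the example.

```python
"""Endpoint hygiene check, added example. Inventory, baseline and thresholds are assumed."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a real check would use datetime.now(timezone.utc).
NOW = datetime(2022, 2, 15, 12, 0, tzinfo=timezone.utc)

# Baseline (assumed): what a healthy endpoint must report.
BASELINE = {
    "max_patch_age_days": 30,
    "max_agent_silence_hours": 24,
    "required_config": {"disk_encrypted": True, "firewall_enabled": True,
                        "local_admin": False, "event_forwarding": True},
}

# Constructed inventory: what the management platform knows about each device.
INVENTORY = [
    {"host": "lt-001", "last_patch": "2022-02-10", "agent_last_seen": "2022-02-15T06:00:00",
     "disk_encrypted": True, "firewall_enabled": True, "local_admin": False, "event_forwarding": True},
    {"host": "lt-002", "last_patch": "2021-12-01", "agent_last_seen": "2022-02-15T01:00:00",
     "disk_encrypted": True, "firewall_enabled": True, "local_admin": True, "event_forwarding": True},
    {"host": "srv-db1", "last_patch": "2022-02-01", "agent_last_seen": "2022-02-09T12:00:00",
     "disk_encrypted": False, "firewall_enabled": True, "local_admin": False, "event_forwarding": False},
]
# Constructed list of hosts seen on the network (e.g. from DHCP or switch logs).
NETWORK_HOSTS = {"lt-001", "lt-002", "srv-db1", "printer-3f", "unknown-a1b2"}


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def check_endpoint(rec: dict, now: datetime = NOW) -> list[str]:
    """Return the hygiene gaps for one inventory record (empty list means healthy)."""
    findings = []
    patch_age = (now - _utc(rec["last_patch"])).days
    if patch_age > BASELINE["max_patch_age_days"]:
        findings.append(f"patches {patch_age} days old")
    silence = now - _utc(rec["agent_last_seen"])
    if silence > timedelta(hours=BASELINE["max_agent_silence_hours"]):
        findings.append(f"agent silent for {silence.days} days")  # broken or removed agent
    for key, expected in BASELINE["required_config"].items():
        if rec.get(key) != expected:
            findings.append(f"{key} is {rec.get(key)}, expected {expected}")
    return findings


def hygiene_report(inventory=INVENTORY, network_hosts=NETWORK_HOSTS, now=NOW) -> dict:
    """Per-host findings plus a '_unmanaged' entry for network hosts with no inventory record."""
    report = {rec["host"]: check_endpoint(rec, now) for rec in inventory}
    # A device on the network that the platform never enrolled is a visibility gap,
    # not a healthy device: it gets no patches, no agent and no logging.
    unmanaged = sorted(network_hosts - {rec["host"] for rec in inventory})
    report["_unmanaged"] = [f"no inventory record for {h}" for h in unmanaged]
    return report


if __name__ == "__main__":
    for host, findings in hygiene_report().items():
        print(host, findings or "ok")
```

Run regularly against the live inventory and the network's own view of what is connected, the difference between the two sets is usually the most useful output: it is the part of the estate you did not know you had.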


Mimecast: Cyber threats slow digital transformation

ITP.net

Digital transformation undoubtedly improves organizational agility, flexibility, and collaboration between teams; however, it also expands the attack surface and adds the complexity that comes with it.

This expansion introduces increased risk across operationally vital departments such as HR, IT, and finance, putting a strain on organizations to protect these transformative investments.

Organizations that struggle remain in a reactive security posture, which prevents them from taking the proactive measures their constantly evolving threat profile requires.

To overcome these challenges, decision-makers are leaning on cyber awareness training, best-of-breed security solutions, and automation to provide much needed relief.

By automating critical tasks such as vulnerability remediation and patching, an organization can redirect its focus to other areas and provide the support needed to keep moving forward.

“This automation drive is expected to free up 40.9 hours per month of entry-level security specialists and up to 38.9 hours at CISO level, creating valuable capacity for IT teams to work on more high-value activities across the business.”


Cyber Resilience in the Supply Chain – Solving for the Next Global Crisis

SDC Executive

“Cybersecurity comes down to visibility and control. Although production flows down a supply chain, risk management needs to flow up the supply chain. This means that every link in a supply chain needs to hold its suppliers accountable.”

Protecting the supply chain is complex, but there are some basic principles we can all practice to better manage risk:

  • Map the supply chain so you maintain visibility not only of your suppliers but of your suppliers' suppliers. You need a complete picture of your cyber dependencies to mitigate risks and vulnerabilities within your operations.

  • Prioritize cyber risk by rating the criticality of the components, connections and suppliers that impact the supply chain.

  • Write cybersecurity into contracts to validate good cyber hygiene, promote collaboration before and after a potential incident, and spell out cyber responsibilities.

  • Take a hard look at connections to suppliers to ensure that legacy or unmonitored connections, which can have open or shared access, are managed. These are prime avenues for attackers to reach your network.

“…an attack through the supply chain is like replacing a relay race baton with a stick of dynamite and allowing cyber risk to be passed on from one company to another.”

It all comes down to visibility and control. The clearer picture you have of your supply chain dependencies, the easier it is to apply the proper controls to ensure its resilience.
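The first, second and fourth principles above (map the chain including suppliers of suppliers, rate criticality, and find legacy or unmonitored connections) as one added worked example; this is not code from SDC Executive or from the newsletter. The supply chain is held as a graph: a breadth-first walk from our direct suppliers assigns each firm a tier, the criticality of what each one ultimately feeds is propagated up the chain, and the connections into our environment are then ranked by that inherited criticality. Supplier names, criticality ratings and connection attributes are constructed for the example.

```python
"""Supply-chain mapping and connection review, added example. All data is constructed."""
from collections import deque

# Criticality of what we source directly: 1 (low) .. 5 (critical). Assumed ratings.
DIRECT_SUPPLIERS = {"AcmeParts": 5, "PrintCo": 1, "CloudHost": 4}
# Who supplies whom: supplier -> its own suppliers (tier n -> tier n+1).
SUPPLIERS_OF = {
    "AcmeParts": ["ChipFab", "LogiFreight"],
    "CloudHost": ["ChipFab"],
    "PrintCo": [],
    "ChipFab": ["RareMetals"],
    "LogiFreight": [],
    "RareMetals": [],
}
# Network connections into our environment, as the network team sees them.
CONNECTIONS = [
    {"supplier": "AcmeParts", "protocol": "sftp", "monitored": True, "legacy": False},
    {"supplier": "LogiFreight", "protocol": "ftp", "monitored": False, "legacy": True},
    {"supplier": "CloudHost", "protocol": "https", "monitored": True, "legacy": False},
    {"supplier": "ChipFab", "protocol": "vpn", "monitored": False, "legacy": False},
    {"supplier": "OldVendor", "protocol": "telnet", "monitored": False, "legacy": True},
]


def map_supply_chain(direct=DIRECT_SUPPLIERS, suppliers_of=SUPPLIERS_OF) -> dict:
    """BFS outward from our direct suppliers. Returns {supplier: (tier, inherited_criticality)}.
    A sub-supplier inherits the highest criticality of anything it ultimately feeds, so a
    tier-3 firm behind a critical component is treated as critical."""
    chain = {}
    queue = deque()
    for name, crit in direct.items():
        chain[name] = (1, crit)
        queue.append(name)
    while queue:
        name = queue.popleft()
        tier, crit = chain[name]
        for sub in suppliers_of.get(name, []):
            if sub not in chain:
                chain[sub] = (tier + 1, crit)
                queue.append(sub)
                continue
            old_tier, old_crit = chain[sub]
            # Shortest path decides the tier; the highest criticality seen wins.
            chain[sub] = (min(old_tier, tier + 1), max(old_crit, crit))
            if crit > old_crit:
                queue.append(sub)  # push the raised criticality further down the chain
    return chain


def risky_connections(chain: dict, connections=CONNECTIONS) -> list:
    """Flag legacy or unmonitored links, and links from suppliers missing from the map,
    ordered by the inherited criticality of the supplier behind each one."""
    flagged = []
    for c in connections:
        tier, crit = chain.get(c["supplier"], (None, 0))
        issues = []
        if c["legacy"]:
            issues.append("legacy protocol " + c["protocol"])
        if not c["monitored"]:
            issues.append("unmonitored")
        if tier is None:
            issues.append("supplier not in supply-chain map")
        if issues:
            flagged.append((crit, c["supplier"], tier, issues))
    return sorted(flagged, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    chain = map_supply_chain()
    for name, (tier, crit) in sorted(chain.items(), key=lambda kv: kv[1]):
        print(f"tier {tier}  criticality {crit}  {name}")
    for crit, name, tier, issues in risky_connections(chain):
        print(f"[{crit}] {name} (tier {tier}): {', '.join(issues)}")
```

Two things fall out of the walk that a flat supplier list hides: a freight or component firm two tiers away ends up rated as critical because of what it feeds, and a connection whose supplier does not appear in the map at all is itself a finding, since it is a dependency nobody has accounted for.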

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
