Three essential practices for security compliance

Posted in: Business Insights

No IT or business person needs to be told twice that a major security breach can have a devastating impact on a business. Yet enterprises routinely find themselves non-compliant with security best practices and even their own policies.

Why? First, there’s a lot of complexity to manage. And second, with IT teams constantly putting out fires, background functions like security tend to get shortchanged.

That said, there are a few simple things you can do to strengthen how you protect your data and your business.

1. Stay patched and monitor for unauthorized changes

You really aren’t safe without up-to-date security patches on your vulnerable systems, which means most of them. Any software that is exposed to or touches the Internet is definitely at risk. But internal personnel can pose threats as well, so even “inside” systems can be vulnerable.

The problem with patching is scale. If you’re a bank with 300 branches across the country, each with its own IT systems, you don’t have the time or the people to patch every system by hand. Automation is essential: a mechanism for pushing patches out across all your departments and locations, and for verifying that each patch actually installed.

Patching is essential, but it’s not enough. If you’re breached, the intruders will try to downgrade or otherwise weaken your defenses. So you also need an automated auditing platform that: a) looks for unauthorized changes that could weaken your software systems (a security setting switched off, a replaced binary, a new file where none should be); and b) reverts compromised systems to the authorized version of the software.
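The audit-and-revert loop described above, as an added example that is not part of the original post: a baseline of file hashes is taken from an authorized “golden” copy, the live system is compared against it, and anything modified or missing is restored while unexpected files are quarantined rather than deleted, so they survive as evidence. The directory names, file contents and the intrusion scenario are all constructed here in a temporary directory; in practice the baseline and the golden copy must live somewhere the audited host cannot write to.

```python
"""Detect unauthorized file changes against a baseline and restore them.

Added example, not from the original post. The 'golden' tree, the live
tree and the tampering are constructed in a temporary directory so the
script runs offline.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path (forward slashes) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit(live_root, baseline):
    """Compare the live tree with the baseline manifest.

    'unexpected' matters as much as 'modified': an intruder's dropped
    tool or replacement library shows up as a new file, not a changed one.
    """
    current = build_manifest(live_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def revert(live_root, golden_root, quarantine_root, findings):
    """Restore modified/missing files from the golden copy; quarantine extras.

    Unexpected files are moved aside (outside the audited tree) rather than
    deleted, so they remain available for forensic analysis.
    """
    restored = []
    for rel in findings["modified"] + findings["missing"]:
        dst = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(golden_root, rel), dst)
        restored.append(rel)
    for rel in findings["unexpected"]:
        dst = os.path.join(quarantine_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(os.path.join(live_root, rel), dst)
    return restored


def demo():
    """Constructed scenario: a weakened config, a dropped file, a deleted binary."""
    work = tempfile.mkdtemp()
    golden = os.path.join(work, "golden")
    live = os.path.join(work, "live")
    quarantine = os.path.join(work, "quarantine")
    authorized = {  # constructed sample content
        "etc/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
        "bin/app": b"authorized-build-1.4.2\n",
    }
    for rel, data in authorized.items():
        path = os.path.join(golden, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    shutil.copytree(golden, live)
    baseline = build_manifest(golden)

    # Simulated intruder activity: downgrade defenses, plant a file, remove a binary.
    with open(os.path.join(live, "etc/sshd_config"), "wb") as f:
        f.write(b"PasswordAuthentication yes\nPermitRootLogin yes\n")
    with open(os.path.join(live, "bin/.cache"), "wb") as f:
        f.write(b"not-an-authorized-file\n")
    os.remove(os.path.join(live, "bin/app"))

    before = audit(live, baseline)
    revert(live, golden, quarantine, before)
    after = audit(live, baseline)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A production tool would sign the manifest and run the comparison from a host the audited system cannot reach; otherwise an intruder with root simply updates the baseline to match their changes.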

2. Only allow access that’s strictly necessary

Mindset is a big part of security. When it comes to controlling access to system resources, data and applications, your default should be that no one has access to anything. “Permissions” then become very deliberate enablement of specific apps and services for specific users based on specific needs. This is the principle of least privilege: people should only ever have access to the data and systems they need to do their immediate jobs.

Access rights should be linked to your provisioning systems so that when a person changes jobs or leaves your company, their old rights are immediately removed.

In general, the amount of verification you demand should match the risk, stepping up when an employee’s behaviour is unusual. For example, if someone has never logged in from a particular location but appears to be doing so now, serve them an additional verifying question. If they’ve never logged into a particular system before, have them verify their location and identity.

Users should also be prompted to confirm or deny unusual behaviour. Did you just log in from a new computer? Did you just change your password? These kinds of security health checks are being integrated into applications, periodically forcing users to review their settings and ensure their identity and security information is up to date.
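The access model in this section, as an added example that is not part of the original post: rights derive only from explicitly granted roles (so an unknown role, a typo or a leaver all fall through to deny), provisioning replaces roles wholesale on a job change, and a session from an unseen location or device is answered with a step-up check rather than a plain allow. The role names, resources and check names are constructed for illustration.

```python
"""Deny-by-default authorization with provisioning-linked roles and
risk-based step-up verification.

Added example, not from the original post. Roles, resources and the
step-up check names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Role -> set of (resource, action) pairs the role explicitly enables.
# There is deliberately no wildcard and no fallback: anything absent is denied.
ROLE_GRANTS = {
    "teller": {("accounts", "read"), ("transactions", "create")},
    "branch_manager": {("accounts", "read"), ("transactions", "create"),
                       ("transactions", "approve")},
    "dba": {("db_config", "write")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    known_locations: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)


def provision(user, new_roles):
    """Called by the HR/provisioning feed on a job change or departure.

    Roles are replaced, not merged, so nothing from the old job survives;
    a leaver is provisioned with an empty set and loses everything at once.
    """
    user.roles = set(new_roles)


def is_permitted(user, resource, action):
    """Default deny: true only if some held role explicitly grants the pair."""
    return any((resource, action) in ROLE_GRANTS.get(role, set())
               for role in user.roles)


def required_verification(user, location, device):
    """Extra checks to demand before honouring this session.

    An unseen location or device each raise the bar; both together also
    require a second factor, since that pattern looks like stolen credentials.
    """
    checks = []
    if location not in user.known_locations:
        checks.append("confirm_location")
    if device not in user.known_devices:
        checks.append("confirm_device")
    if len(checks) == 2:
        checks.append("second_factor")
    return checks


def decide(user, resource, action, location, device):
    """Return 'deny', 'allow', or 'step_up:<comma-separated checks>'.

    Authorization is evaluated first: a user with no right to the resource is
    denied outright, so there is no point prompting them for more factors.
    """
    if not is_permitted(user, resource, action):
        return "deny"
    checks = required_verification(user, location, device)
    return "step_up:" + ",".join(checks) if checks else "allow"


def record_confirmed(user, location, device):
    """After the user passes a step-up check, remember the new context."""
    user.known_locations.add(location)
    user.known_devices.add(device)


if __name__ == "__main__":
    alice = User("alice", {"teller"}, {"branch-12"}, {"ws-0231"})
    print(decide(alice, "accounts", "read", "branch-12", "ws-0231"))
    print(decide(alice, "accounts", "read", "hotel-wifi", "laptop-9"))
    provision(alice, set())  # alice leaves the company
    print(decide(alice, "accounts", "read", "branch-12", "ws-0231"))
```

The important property is what happens in the absence of data: a role that nobody defined, a resource that nobody thought about, or a user whose role set was emptied by provisioning all produce the same answer, deny.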

What happens when you don’t have stringent rules like these? Weakly enforced access rules were at the root of a recent, headline-grabbing security breach at a major U.S. retailer. The intruders started with access to a single compromised device, but by exploiting weak permissions they were able to reach many other systems and make off with 40 million credit card numbers.

3. Assume you’ve been hacked

It’s easy to have a defensive mindset about security: “We’ll stop the bad guys from getting in.” But the reality is they may already be in. The strongest security position comes from assuming you’ve already been hacked. Keep a vigilant watch for evidence of it.

This starts with imposing tight controls on the systems that are key to your business operations. Audit all planned changes daily, recording each one together with its approval in a change log that is shipped to off-site logging which the audited systems cannot reach back into or alter. If an intruder makes changes, that change log is your first line of detection: with a forensic change record held in a protected location, covering their tracks becomes far harder, because anything they rewrite on the compromised system will disagree with the off-site copy.
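A tamper-evident change log of the kind described above, as an added example that is not part of the original post: every entry commits to the previous one by hash, and each entry is also copied to an off-site sink as it is written. The entries, the approver names and the ticket numbers are constructed, and a plain Python list stands in for the remote write-only store. The demo shows both halves of the argument: rewriting an earlier entry breaks the chain on its own, while quietly deleting the most recent entry does not, which is exactly why the off-site copy is needed.

```python
"""Hash-chained change log with an off-site copy.

Added example, not from the original post. Entries, approvers and ticket
numbers are constructed; the 'offsite' list stands in for a remote,
append-only log collector the audited host cannot modify.
"""
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and the canonical JSON of this record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChangeLog:
    def __init__(self, offsite_sink):
        self.entries = []            # local copy on the audited system
        self.offsite = offsite_sink  # append-only copy held elsewhere

    def append(self, who, what, approved_by, ticket):
        """Record a change; unapproved changes are logged with approved_by=None."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "who": who, "what": what,
                  "approved_by": approved_by, "ticket": ticket}
        entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        # Deep copy: the remote store must not share objects with the local log.
        self.offsite.append(json.loads(json.dumps(entry)))
        return entry["hash"]


def verify(entries):
    """Walk the chain. Returns (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["prev"] != prev or e["record"]["seq"] != i
                or entry_hash(prev, e["record"]) != e["hash"]):
            return False, i
        prev = e["hash"]
    return True, None


def diverges_at(local, offsite):
    """Index at which the local log stops matching the off-site copy, or None."""
    for i, (a, b) in enumerate(zip(local, offsite)):
        if a["hash"] != b["hash"]:
            return i
    if len(local) != len(offsite):
        return min(len(local), len(offsite))
    return None


def demo():
    """Constructed scenario: three approved changes, one intruder change, two cover-ups."""
    offsite = []
    log = ChangeLog(offsite)
    log.append("ops", "apply kernel patch on db-01", "cab", "CHG-1001")
    log.append("ops", "rotate TLS cert on web-02", "cab", "CHG-1002")
    log.append("dba", "enable audit logging on db-01", "cab", "CHG-1003")
    # The host's change tracker records an unapproved change made by an intruder.
    log.append("root@db-01", "disable audit logging on db-01", None, None)
    results = {"intact": verify(log.entries)}

    # Cover-up 1: drop the incriminating last entry from the local log.
    truncated = [json.loads(json.dumps(e)) for e in log.entries[:3]]
    results["after_truncate_verify"] = verify(truncated)       # chain alone is fooled
    results["after_truncate_diverges"] = diverges_at(truncated, offsite)

    # Cover-up 2: rewrite an earlier entry in place.
    edited = [json.loads(json.dumps(e)) for e in log.entries]
    edited[1]["record"]["what"] = "no change"
    results["after_edit_verify"] = verify(edited)
    return results


if __name__ == "__main__":
    print(demo())
```

Truncation is invisible to the chain because a shorter prefix is still a valid chain; only comparison with the off-site copy (or a periodically published count and head hash) exposes it. In a real deployment the sink is a syslog collector or WORM storage that accepts writes and nothing else from the systems it watches.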

Security needs to be a priority in every area of your business. Business units should test the security of their operational practices as part of quarterly business continuity planning. You should regularly test your company-wide systems internally to identify vulnerabilities, and consider hiring professional security experts to attack your systems or socially engineer their way in. When it comes to enterprise security, offense really is the best defense.


About the Author

As Chief Information Officer (CIO) at Pythian, Myles leads our Enterprise Security business. He is also responsible for all of Pythian’s corporate and customer facing systems, as well as the tools that support the delivery of our services, and security. Myles’ career has offered him the opportunity to serve in a number of senior leadership positions, including Chief Information Technology Officer of FreshDirect and Chief Information Office at Register.com. Prior to Pythian, Myles served as SVP and Chief Information Officer for TravelClick, where he revitalized their technology services and expanded their business with new business intelligence, web, and reservation products. Passionate about innovation and the deep, dark world of enterprise security, Myles is a member of the New York Electronic Crimes Task Force (NYECTF).
