When you think about your security programs, or as you build out a security program, do you think of security as the final goal?
At Core BTS, we encourage organizations to think of security as a holistic process that permeates everything you do.
In this blog, we will debunk the myth that “Security is the Final Goal” and talk about three claims that we often hear to justify such a stance. They are:
- Compliance is the desired end-state
- Security training only applies to IT staff
- Annual assessments provide adequate visibility and increase security
Let’s look at those claims one by one.
Claim #1: Compliance is a Desired End-State
While some organizations may think of compliance as the desired end-state, it’s really the bare minimum for security maturity. Regulatory compliance, contractual compliance, and various frameworks and guidelines are a beginning – not a holistic approach. You need to become compliant, but it should be the foundation for building your security program – not the end-state.
Compliance is Narrow Focused
One reason to look beyond compliance in building your security program is that any regulation focuses on a specific range of industries, risks, or threats. A compliance framework like PCI (Payment Card Industry) for credit card data doesn’t offer regulations on health care like HIPAA (Health Insurance Portability and Accountability) does, and HIPAA doesn’t care about credit card data. Each compliance regulation focuses on a very narrow security niche, and that’s not a holistic approach that will bring the best value to your organization.
Regulations Don’t Secure Your Unique Data
Guidelines, frameworks, and regulations provide the starting point for building a security program, but they don’t secure your data. They also don’t secure your customers’ data or your processes. They exist to provide guardrails. Each organization should implement compliance guidelines not just to the letter of the requirement, but also take ownership of that regulation. Depending on your unique industry or organizational circumstances, just following the letter of the law may not be enough to have a truly solid security framework.
Compliant Doesn’t Equal Secure
It’s been a long time since there wasn’t some type of security event in the news. That news could be things like new critical vulnerabilities or catastrophic cyber incidents. Cybersecurity incidents can affect organizations from municipal governments to state organizations, Fortune 500 companies, and even down to your mom-and-pop shop around the corner. No one is immune.
A curious detail you will often see in the press releases of these incidents is that those organizations were often compliant. They were following the relevant regulations or frameworks. This shows that compliance itself won’t prevent an incident. And it’s certainly not going to prevent an organization from having a catastrophic incident.
The Value of Compliance to Your Overall Security Program
To be clear, compliance isn’t bad. It’s specific to certain types of data and business problems. Compliance is designed to address specific business risks, but you should be thinking bigger on securing your environment. For example, if your business is in manufacturing, but you’re also taking credit cards, PCI will help you protect your credit card data. But what about your formulas, vendor lists, customer lists, continuous improvement processes, and all those things that the business really cares about? Those aren’t covered by straight compliance.
Ultimately, compliance alone does not provide holistic security against an incident. You also need to bring people, processes, and technology to the table to note the specific compliance requirements you have and expand them into a full security program.
Claim #2: Security Training Only Applies to IT Staff
The myth is that security training only applies to IT staff, but the reality is that users are your first line of defense. Everyone has responsibility for securing your environment. Users are an environment vulnerability that you can’t fully patch. That may sound like a joke, but it’s reality. (Attend our Cybersecurity Mythbusters webinar series)
You need to continuously educate your users so that security is always in the back of their mind. That could include physical security (like walking into a facility and not letting people tailgate) or digital (looking at emails and saying, “This looks suspicious; I’m not sure if I should click this link.”).
Security is Everyone’s Responsibility
Security is everyone’s responsibility. Security has to be larger than just IT. Everyone in the organization has access to critical data and other information that needs to be secured to address business risks. Most incidents we see start with general organizational users.
Phishing is an issue we constantly see. A regular user gets a phishing link, clicks on it, and either gives up credentials or installs malware on their system that gives the attacker a foothold in the environment. There are thousands of emails coming every day, including from people trying to get into your organization. IT can’t police all of that. Everyone must be educated on security and take responsibility for it.
Cyber hygiene applies to more than just phishing. Users must keep clean desks and not leave payroll information laying around in unlocked offices. They can’t let someone follow them into the organization’s facility or allow someone into the data center. They generally shouldn’t be logging into Microsoft 365 applications from their unsecured home computers and downloading sensitive business information. Security training must cover not just phishing, but also physical security, how you handle data, and what you do with data.
When Core BTS is hired to do penetration testing, our testers love to be friendly with folks and then just be let into the facilities. From there, they can plug in a device and access the internal network. They don’t have to defeat your firewall. They don’t have to defeat your expensive perimeter security devices. Security awareness training needs to be holistic and cover not just phishing, but also physical security, how you handle data, and what you do with data.
Security Tools Have Limitations
Educate users because your security tools can’t stop everything. There is no perfect email filter that can 100 percent of the time tell a valid business email from phishing or spam. There’s no physical security tool to stop tailgating or to prevent someone from printing out all payroll information and leaving it out in a conference room. There are many different risks that aren’t addressed by security tools.
To address these risks effectively, you can’t just give someone the handbook that has your policy and say, “Yes, they’re trained!”. You can’t just run phishing tests. Instead, you want to constantly adjust your training to meet the most current threats. That includes updating users on what you are seeing on the security side and what those attacks look like. Staying ahead of those issues and keeping users updated is the best way to have them keep that security mindset.
Most cybersecurity training right now focuses on two things:
- Policy and procedure training as part of new hire onboarding
- Anti-phishing and general anti-social-engineering measures
These are both good focuses, but they are just a piece of the picture. A security incident could also be:
- A phone call or text message versus a phishing email
- Somebody throwing things away that should be shredded, and a threat actor dumpster-diving and using that information to get into the system
- A user having the same password for personal and business information which then gets breached
Password Management and Security
That last point on password management and password security is happening more often and is generally not covered in your phishing simulations and training. If your users are using the same password for organizationally related platforms as they use for their personal platforms (social media, email, bank accounts, etc.) and they lose their credentials or they get compromised, then it is a short step for the adversary to use that to get into your organization. And, unfortunately, none of your security tools will be able to detect if an individual’s personal bank account credentials were stolen.
What to Include in Security Training
In training, it’s good to cover not just technical aspects of things like phishing emails, but also procedural aspects including:
- Properly shredding paper
- Keeping a clean desk
- Locking doors
- Managing guest and employee access, and keeping out others
Users are your first line of defense. They are the one interacting with your data, your customers, and others in your organization. Everyone needs to be aligned from a security perspective. Security training needs to happen for everyone, not just IT.
Claim #3: Annual Assessments Provide Adequate Visibility and Increase Security
Some leaders may believe that annual assessments provide adequate visibility to risk, but the reality is that security is continuous. When you think about the adversaries out there, they’re active 24/7/365 to gain insight and access to environments and organizations like yours. This means that annual assessments can never provide adequate day-to-day visibility. Just like the attacks are nonstop, defense also needs to be nonstop.
Defense Needs to Be Nonstop
When you unpack the term “Defense” there’s a lot to it. There’s monitoring and understanding what’s happening in your environment so you can detect when something goes wrong. But there’s also active management of your security process to ensure that:
- Systems are up to date
- Tools are up to date and are working
- The appropriate technical controls are in place and none are failing
- Your users are educated on common risks and thinking about security
Defense must be continuous.
Weaknesses of the Annual Assessment
In contrast, when you think about an annual assessment, what you get is a point-in-time view of your security process. Those are excellent when you’re talking about building a roadmap to improve your security or if you’re identifying gaps in your security process. However, an annual review can’t provide increased security on a regular basis.
Also, because annual reviews are only a single point in time, they don’t capture your current state. The reality is that your organization and IT change more than once a year. Cybersecurity, security threats, and risks change at breakneck speed. One day after that point-in-time assessment you’re already looking at old information. In 300 days, that data is significantly outdated compared to where you are as an organization – or the industry in general.
Some things secure one day will not be secure tomorrow. Vulnerabilities are a good example of this. You can be fully up-to-date, patched, and secure today with all your controls in place. And tomorrow a vulnerability can be found in that platform or system application that puts you at grave risk.
Organizational Security Needs to Evolve as Risks Develop
Technology, compliance, and adversaries are constantly evolving, so your security must evolve and change as well. An example that drives this point home was all of 2020. Think of an organization (maybe yours) that had an annual assessment in January 2020 and used it to build a one-year roadmap for environmental security. Then by March 2020 all your users were remote. Most of the plans you had probably flew out the door. The Core Security team saw many organizations that went to work-from-home and had to spend a lot of money on brand new technology. Some couldn’t get laptops and had to allow bring-your-own-device policies so employees could keep working. All these variables introduced new security risks.
This is obviously an extreme example. If you did a risk assessment in January 2020 or November 2019, you probably looked at “pandemic” as a risk to the business and thought it would have an extremely high impact but very unlikely to occur. As an organization, maybe you accepted that risk. But then sometimes the unlikely occurs, and you must be ready to evolve rapidly. Companies that were most successful when it came to security in 2020 were able to quickly change their posture and the controls they had in place for users.
The Solution: Build a Holistic Security Program – Not a Fixed Security Goal
What’s the solution? Create a holistic security approach. You’re not either secure or insecure: security is a process. It’s constantly reevaluating your risk and looking at new threats and vulnerabilities. We recommend this holistic approach. When we talk about security, we start with a standard framework. There are many frameworks that are equally good for this step. They have similar controls, like:
- Patch your systems
- Create backups
- Give users the least amount of privilege possible
- Have policies
- …and so on
When the NIST (National Institute of Standards and Technology) cybersecurity framework came out in 2014, we thought it was a good framework to help you identify security risks in environments and help communicate them to upper management and non-technical folks. Part of security is internal selling. You need resources and budget to get things done right. When you talk to non-technical folks, many will think security is protecting the environment. Recently, they may also think about detecting attacks. The business probably doesn’t think of IT security in terms of:
- Identifying risks
- Identifying where your data is
- Knowing what systems are on your network
- Tracking third parties receiving your data
But all this risk management is critical. You need to:
- Assess and secure your data – So you know what you are protecting
- Monitor and manage it day-to-day – So you can quickly detect breaches and issues
- Prepare and respond to threats and incidents – So you can act quickly and minimize the damage to your organization
We believe strongly enough in this holistic security approach that we have developed a holistic security offering called Secure by Design to help organizations see beyond security as a final goal and help them adapt to the changing risk landscape.
For more security expertise by these authors, watch their latest webinars on-demand here.