Stay on top of account management and assess staff security skills with CIS Controls 16 and 17
You can have the most secure system in the world, but hackers will always seek out the path of least resistance. When your defenses are good, the weak link is often your employees. Data breaches are most likely to be the result of employee error or an inside job, according to the ACC Foundation: State of Cybersecurity Report.
It’s good to focus on firewalls, malware defenses and data protection, but too often employees are an afterthought.
To help you with that, we’re going to look at Critical Security Controls 16 and 17, covering account management and security skills assessment and training. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS) and designed to help the public and private sectors tighten up cybersecurity.
Critical Control 16: Account Monitoring and Control
Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive accounts, they can easily impersonate legitimate users and mask their nefarious activity.
There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable. Some unscrupulous former employees may see an opportunity to profit.
There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.
- Account access should be revoked immediately when an employee or contractor is terminated or leaves for any reason. You may prefer to disable access rather than delete accounts.
- Accounts should be monitored and flagged if they don’t have an associated business process and owner.
- Automatically log off users after a period of inactivity and use screen locks to guard against access via unattended computers.
- Be vigilant for failed log-ins and attempts to access deactivated accounts.
- Profile user behavior so that log-ins at odd times of the day or night, or log-ins from new devices, are flagged.
You’ll also want to enforce multi-factor authentication wherever possible, ensure that passwords and usernames are fully encrypted, and configure and authenticate centrally.
Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.
Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps
It’s easy to focus in on the technology you need to employ to bolster your cybersecurity defenses and forget that people can neatly sidestep all your efforts by taking the wrong action. Perhaps your IT staffers aren’t quick enough to patch or review logs, maybe your security policies are not enforced in any meaningful way, or your employees don’t know better than to click on a malicious link in a phishing email.
Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases they can persuade people to effectively lower the defenses and let them in.
The first thing to do here is to perform gap analysis and find where employees lack the skills required to implement your cybersecurity plans and policies. You have to know where they are going wrong before you can hope to fix it.
Provide relevant training via senior staff with the right skills, outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this. Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful, so they should complete the same training.
It’s all well and good to run training courses, but you have to test their effectiveness before you can rest easy.
As a case in point, JPMorgan boosted its cybersecurity spending after a data theft, but when it tested staff with a fake phishing email a few weeks later, 20 percent of them clicked on it. Had it been real, that action would have downloaded a malicious payload onto the bank’s network.
If you don’t spend resources on awareness for employees and specific training where necessary, you can undo all your good efforts to improve your cybersecurity.