19th February 2016

Cybersecurity Basics Could be Your Weakest Link

Written by Michael Lucas, CISSP, Senior Manager at Crowe Horwath LLP

There were a record number of breaches globally and in the UK in 2015, many of which involved highly skilled attackers leveraging sophisticated techniques. While the hackers of the world are becoming more advanced, so are the cybersecurity programs and technologies we employ to combat the threats. However, it has never been more important to remember the basics. While the security controls and safeguards that were being broadly adopted 10 years ago are now considered security basics, they are still being overlooked or not implemented with appropriate rigor.

The shiniest tools and technology – from data loss prevention software to network access control solutions to web application firewalls – rely on a strong IT security foundation to be in place. If the fundamentals of that foundation are not strong, these “fancy” new security tools cannot completely prevent breaches or security incidents.

The top three areas in which we see issues in banks of nearly any makeup and size are: passwords, patches and permissions.

  • Passwords should be eight characters or more, complex, and changed regularly. The schedule to change passwords should be based on complexity and the risk environment of the organisation. Consider multi-factor or adaptive authentication for high-risk systems.
      ◦ Tip: There are plug-ins for the Microsoft® Active Directory® interface to verify whether passwords that meet your policy are secure. A password such as “Password1” may meet your complexity requirements, but is not secure because it is easy to guess.
      ◦ Trick: Make and enforce the policy throughout the whole organisation. For example, don’t forget about third-party hosted applications, applications not integrated into Active Directory, and other systems such as firewalls, routers, and local accounts on servers. These ancillary systems can often be the weak link.
  • Patches are not very exciting but are needed to secure systems. Evaluate your organisation’s patch management process to confirm whether workstations and servers – as well as applications, network devices, and legacy systems – are being patched effectively. Determine if there are mobile devices that need patching, too. Assess the patches needed and the resources available to apply them, then rework the programme based on scope, resources, and controls. Take control of the situation by writing and implementing a policy that will work.
  • Permissions are a bigger burden than patches and generally are not controlled centrally. Permissions are applied via Active Directory for some applications, network drives, and shared folders – but what about websites? How does your organisation control permissions to access Internet-based services? Does everyone in the organisation, even IT, have the same permissions?
      ◦ Tip: Push as much as possible of the workload of applying permissions to each business line, and then use IT resources to review all non-business-line-specific technologies.
      ◦ Trick: Implement one set of changes to a subset of employees at a time so that you can fine-tune and tweak the process instead of shutting off access to certain services for the entire organisation at the same time. Anticipate the impact the permission implementation will have on your help desk.
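As an added illustration of the password points above (this is example code, not from the original article or any Active Directory plug-in), the Python check below shows why a complexity policy alone is not enough: “Password1” satisfies the length and character-class rules, so a second check for guessable base words and the account name is needed. The banned-word list and the sample passwords are constructed for the example.

```python
import re

# Constructed banned-word list (an assumption for this example). A real deployment
# would use a breached-password or organisation-specific banned-word list.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

# Common "leet" substitutions that password-guessing wordlists already account for.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Typical complexity policy: minimum length plus three of four character classes."""
    if len(pw) < min_len:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def normalise(pw: str) -> str:
    """Reduce a password to its base word: lower-case, drop trailing digits/symbols,
    then undo leet substitutions, so 'P@ssw0rd2016!' becomes 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def is_guessable(pw: str, username: str = "") -> bool:
    """True when the password is built on a banned base word or the account name."""
    if username and username.lower() in pw.lower():
        return True
    base = normalise(pw)
    return any(word in base for word in COMMON_BASES)


def check_password(pw: str, username: str = "") -> str:
    """Apply the complexity policy first, then the guessability check."""
    if not meets_complexity(pw):
        return "rejected: fails complexity policy"
    if is_guessable(pw, username):
        return "rejected: meets complexity but is guessable"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample passwords; "Password1" passes complexity yet is rejected.
    for candidate, user in [("Password1", ""), ("P@ssw0rd2016!", ""),
                            ("JSmith2016!", "jsmith"), ("short1A", ""),
                            ("Xq7!vLm2#Rr", "")]:
        print(f"{candidate:15} -> {check_password(candidate, user)}")
```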

So as 2016 unfolds, let’s not shrug our shoulders at the mundane and tedious tasks that constitute security basics; instead, take them on. Passwords, patches, and permissions may be boring as well as challenging to tackle, but doing so will improve the cybersecurity posture of your organisation. And, if you are one of the lucky ones with a budget to buy one of those shiny, new tools in 2016, attending to security basics will make its implementation that much easier.