Cadre Information Security

Alleviating cybersecurity risks comes in many shapes and sizes—and so do organizations. Large enterprises with deep pockets and full-fledged SOC teams adopt the latest technologies and processes to fight back against adversaries. But for mid-size organizations, reducing risk is often constrained to a pick-and-choose approach. With limited funds, headcount, and internal knowledge, those responsible for keeping data secure are left wrangling the tough decisions of what matters most.

Here at Cadre, we firmly believe that there is no “one size fits all” approach. We’ve had decades of experience with a variety of companies—some probably resembling yours. But even still, there isn’t a carbon copy of a security prescription to dole out. However, that doesn’t mean there aren’t best practices that everyone can follow to avoid common mistakes. And that’s the guidance you’re here for after all, so let’s jump in:

1. Don’t discount your value. Many mid-size organizations think that just because they are smaller, they aren’t a target. On the contrary, adversaries often perceive smaller companies as easy targets—and without the proper protections, they can linger undetected for lengthy periods of time.
2. Know where your security gaps are. We all get caught up in the day-to-day work. Especially when there’s new malware at every turn. But it’s critical to carve out time to analyze security risks as the business and world changes.
3. Establish a baseline. If you don’t know what is “normal,” how will you know what activity is “abnormal” on your network and devices? Businesses should have some form of monitoring and logging in place to flag any activity or incident that should be investigated.
4. Inventory your assets, and do it regularly. People and devices come and go. Be sure to complete quarterly asset inventory assessments so you know who and what is connected to your network.
5. Train users on security more often. There is never enough security training. Even the most vigilant users fall for phishing attempts. By creating more training opportunities, companies can move towards a culture of security where users understand strong cybersecurity isn’t only important for the company, but for them personally, too.
6. Evaluate supply chain threats. If recent high-profile breaches have taught us anything, it’s that the supply chain is more vulnerable than ever. We will begin to see it being regulated more, which can impact business function and revenue.
7. Put a business continuity plan into place. The old saying goes, “it’s not a matter of if you will be breached, but when.” Be sure your organization has continuity plans in place covering impacts from basic cybersecurity to core business functions for everything from targeted disruptions to a worst-case scenario.
8. Segment your network. What’s worse than a malicious actor that gets into your network? One that can move freely within it. To prevent this, be sure to segment your network.
9. Patch. Need we say more? Okay yes, patch in a timely manner and in a deliberate fashion. Audit your patching.
10. Accept help. Cybersecurity changes every day. Keeping up with vendors and their technologies, sifting through acronyms, and steadying a finger on the pulse of your company’s security is often an impossible task. Be sure you have a lifeline when something goes wrong or you need an outside perspective from a trusted source.

Of course, this list isn’t comprehensive, but it’s a good place to start. Even if you’re heard many of these best practices before, it can be a gentle reminder that some need renewed attention.

Still struggling with these 10? Need more help getting your cybersecurity in order? Read our blog, 10 Reasons a vCISO May be a Good Choice for Your Company.

SOCHE Announces Virtual Sessions with Employers on Careers in Information Technology

Purpose: To expose High School teachers and Career Guidance Champions to the different career opportunities in Information Technology to better direct students in career paths

When: Tuesdays from 3 PM - 4 PM (19 Oct - 7 Dec 2021)

How: Live 1-hour virtual sessions that will be recorded to share across all schools in Ohio for greater impact

Audience:  High school teachers, career champions,  guidance counselors

Presenter: Employers who have experts in the listed topics >> This could be you!!

Format: 25-minute information session on each topic below (e.g. Computer Programmer) given by Presenter with 5-minute Q&A. Suggested talking points for the presenter are offered below. The presenter can create a PowerPoint presentation or a demo that explains their job.

Presenter Talking Points:

• What is your job and how does it relate to your company’s success?
• What is a typical day like for you?
• How many hours a day do you spend in meetings or working in groups?
• Do you mainly sit at a desk doing work individually or do you have an opportunity to work in different environments?
• Are you expected to be oncall? If yes, how often?
• What education or other experience helped you to get your current job?
• When hiring a new employee in your department, what education does a candidate need?
• What skill do you most value in hiring a new employee?
• What advice would you give a student considering a career in your field?

Contact Information: Please email your timeslot preferences >> Patty Buddelmeyer (patty.buddelmeyer@soche.org)

Nina Wyatt, Senior Technical Consultant, AHEAD

Managing vendor risk has become a challenging standard practice for most organizations today. With the adoption of cloud technologies and globalization of technology service providers, more companies are working to evaluate the security programs of vendors and service providers as well as gain visibility of vendor risk overall. Whether you are tasked with evaluating a vendor’s security program or responsible for maintaining visibility of enterprise vendor risk, both functions present challenges and barriers. Among these challenges, one of the most difficult for organizations to navigate is completing security questionnaires for partners or clients dependent upon their services, as no single industry or company has adopted a widely used standard for the process. This results in teams receiving lengthy questionnaires that all differ in volume and complexity. 

Another key challenge arrives for companies needing to establish a process for maintaining holistic, enterprise-level visibility of vendor risk. The present reality is that most companies find themselves burdened by both of these processes. Below, we’ll explore actionable steps to reduce the difficulty of managing vendor security and risk questionnaires, and steps to enhance the security of your organization through establishing a vendor due diligence review process. 

Simplifying Security Questionnaire Response

Multiple solutions exist to mitigate the challenge of performing vendor security assessments, but very few address the burden of completing security questionnaires. However, you can greatly reduce this burden by doing the following:  

Create a Repeatable Process

• Gather all information about the controls in your environment and provide the same questionnaire to all requestors 
• Eliminate questions not applicable to your business, operations, and environment 
• Keep answers short and simple 
• Create an encrypted, password protected, and centralized repository that includes public-facing/redacted policy/program documents, attestations, security compliance overview presentations, and a single version of your questionnaire 
• Recognize that offering too much information, screen shots, or tool-specific responses can exacerbate the problem 
• Ensure that all questions offer consistent responses whenever possible 

Recognize That Certification Attestation Can Validate Strength of Control Environment 

• Understand how certification (SOC2, ISO, NIST) can help – many topics covered in questionnaires are also covered in the control attestation process 

Recognize Liability Associated with Security Questionnaires

• Acknowledge that security questionnaires can be traced to liability risk, which may be inevitable for some organizations 
  • Upon completing the questionnaire, any future incident may prove a question was answered incorrectly, and organizations can be held liable for negligence or misrepresentation of the “secure” environment 
  • When evaluating the security of another organization, any future incident may prove a questionnaire and risk assessment process to be inadequate, and companies can be held liable for failing to perform an appropriate level of due diligence in vendor selection or monitoring 

This process requires both time and resources, which also introduces liability. If it becomes merely another ‘box’ to ‘check,’ consider revising the process to produce actionable and desired outcomes that enhance the visibility of vendor risk. For example, instead of asking for a policy about vulnerability management, ask for validation that no critical vulnerabilities exist in the environment. Not all vendors will be willing to share this information; however, a documented policy is not equal to control validation – and control validation is the only reliable source of security control assurance. 

Proactively Avoid Missed Business Opportunities

• If gaps are identified in your responses, include a remediation plan with a target date for completion (to prevent voiding potential business opportunities) 
• At minimum, this will show that your assessment processes are functioning and that there is already a plan in place to address self-identified control gaps 

Achieving Holistic Vendor Risk Visibility

If you are struggling to understand your organization’s vendor risk holistically, there are many solutions that can help. As with any great automation capability, process is paramount. Consider the following recommendations to raise your organization’s awareness of vendor risk: 

Establish a Policy or Standard

Begin with a policy or standard for evaluating vendors based upon your organization’s expectations (or regulatory requirements). The policy or standard should be framed by risk exposure and include: 

• What conditions or criteria determine the level of risk associated with a service provider 
• Which reviews are performed relative to the level of risk associated with each service provider 
• How frequently risk will be assessed (e.g., if a vendor is high-risk, consider performing annual reviews; if a vendor is low-risk, consider performing bi-annual reviews) 

It is vital to ensure that you can identify when conditions or characteristics of a service engagement change, as this may translate to a change in risk and require a change in policy (type of review, frequency of review, etc.). Without a mechanism to determine when and how the scope of an engagement has changed, the risk of falling out of compliance with the established policy or standard is heightened. 

Categorize Vendors by Risk

What conditions or characteristics need to be understood to categorize vendors by level of risk? As usual, it depends! 

If your organization has an appropriately structured Enterprise Risk Program, it is likely that these conditions and characteristics are already outlined in what is typically referred to as a risk tolerance or risk threshold statement within your risk management framework or risk assessment methodology.  

On the other hand, if your organization does not have a well-defined Enterprise Risk Program, you may not have achieved a level of growth that warrants one (yet). The good news is that you can inspire risk reduction specific to IT security by establishing a risk assessment methodology that centers around information security risk (availability, confidentiality, integrity). For an information security-centric approach, consider the following: 

AVAILABILITY RISK

CONFIDENTIALITY/INTEGRITY RISK

The process used to evaluate a low-risk service provider should not be equal to that of a high-risk service provider. If you opt to take a broad-brush approach, your department may be unnecessarily expending resources to perform risk assessments that extend little value to your organization. 

Establish a Consistent, Risk-Based Approach

Depending on your answers to the two questions posed above, you’ll need to determine how extensive of a review is warranted. The table below can be used as a guide when establishing a risk-based approach to perform vendor risk assessments.  

It is worth noting that ‘Limited,’ in this context, does not mean ‘less’ review. Rather, it means asking tailored questions directly associated to criticality and/or sensitivity – whichever applies per engagement. The point here is that if a review process were defined and issued to all vendors regardless of criticality or sensitivity (using the aforementioned ‘broad-brush’ approach), you would spend time requesting, collecting, and reviewing information that offers no real value to the organization.  

For example, if a service provider is not providing a critical service, do you need to see a record of successful recovery testing? Conversely, if a service provider is not storing, processing, or transmitting any sensitive data on behalf of the company, do you need to validate that encryption is used? 

Additional Considerations for the Vendor Risk Review Process

The following considerations may be helpful in defining a review process; all provide opportunities to reduce the burden of effort associated with performing vendor risk assessments: 

1. Include business purpose information, such as source departments, relationship sponsors, relevant technology or applications, and dependent business processes. Identifying these factors early on will make it easier to validate recovery capabilities or necessary data protections. 
2. Include questions that assess how critical a service is to validate that a vendor’s recovery capabilities are sufficient. If it is highly critical to operations, this may serve as justification to perform the review more frequently, or to gather information from process owners to determine if contingency plans exist internally. For example, if the service is non-critical, are business continuity and disaster recovery documents or associated questions necessary when the contract itself stipulates SLA language specific to recovery capabilities? 
3. Identify what data is being stored, processed, or transmitted. If highly sensitive data (such as PCI or HIPAA) is involved, you may want to perform the review more frequently or consider specific data protection controls that must be validated before a service engagement proceeds. 

In all cases, the questionnaire and documents requested should directly correlate to the service provided and actionable outcomes. Beware of defining a broad-brush vendor risk assessment process designed to treat all vendors the same way. Instead, employ a risk-based approach that will enable you to perform reviews quickly and effectively in a manner relevant to the service engagement. Doing so will not only provide your organization with valuable risk insights but minimize the burden of effort on your team and program. 

Monitoring & Measuring Vendor Risk

As the saying goes, “what is measured is improved.” Once your vendor risk review process is established, valuable data points can be gathered to increase the visibility of vendor risk. Here are a few metrics worth consideration: 

Vendors by Risk Categorization – Provide visibility to leadership as to what percentage of vendors are considered high risk. 

Vendor Risk Review by Status – Provide visibility to those managing the process, ensuring reviews are completed in a timely manner. 

Vendors with Authorized Risk Exceptions – Offer visibility of current risk tolerance or an indication that too much risk is accepted. Not all vendors will be able to satisfy your security requirements. In these instances, the risk should be documented and distributed to those authorized to accept risk on behalf of the company.  

Vendors with Known Issues – Elevate vendors with known issues to ensure relationship managers are aware of the issues to assist in tracking remediation efforts. Relationship managers can offer value to a vendor risk program by acting as the liaison to help monitor and close any known issues specific to a vendor’s security program. As risk issues are remediated, risk reduction is measurable and shows a direct benefit of the vendor risk review process. 

Vendor Review Resulting in Benefit – Identify when the vendor risk review process results in benefit to the organization. In some cases, information from a vendor review can strengthen contract language or offer variables that can be powerful in the contract negotiation process. Measuring these benefits can inspire the risk team to ensure that as the vendor review process continuously strengthens over time, the benefits outweigh the effort. 

Conclusion

Having the right level of guidance is paramount for organizations that are struggling to complete vendor security questionnaires or those that need to mature their vendor risk review process. Similar to information security risk, vendor risk is no small effort. In that spirit, it is easy to get overwhelmed and inundated with processes that offer little-to-no value to the organization. As illustrated above, the best vendor risk functions are those that are risk-based, actionable, and value-adding. 

Kathy Vogler, Communications Manager, Expedient Technology Solutions

I’ve lived most of my life in a relatively secure and crime free area.  I’m fortunate that my first real experience with personal property theft didn’t happen until 2010 when a trailer was stolen from our barn area.  This was completely shocking for us, at that time we didn’t lock anything including the house.  We have dogs, we have motion lights, we don’t take risky actions and there is no crime.  Well, those days are sure in the rear-view mirror, aren’t they! Everything seems to be fair game these days. The new normal must fall on the side of zero trust.  This isn’t just important to combat cybercrime, it’s for everything.  Businesses need to take physical security seriously.

“I get hired by companies to hack into their systems and break into their physical facilities to find security holes.”~ Kevin Mitnick, 1995 convicted hacker, owner of Mitnick Security Consulting LLC

Physical security is the protection of people, property and physical assets in a fashion similar to steps used by law enforcement. And while the Achilles heel to security will always be the human factor, security experts agree that the three most important components of a physical security plan are access control, surveillance, and security testing. 

Access Control at a high level is about restricting access to a resource and may even be part of your regulatory compliance requirements.  Physical access control limits access and often uses a proximity card or fob, password, PIN or biometrics to unlock the door. For example, an organization may employ an electronic control system that relies on user credentials, access card readers, intercom, auditing and reporting to track which employees have access to a restricted area. This system may incorporate an access control panel that can restrict entry to individual rooms and buildings, as well as sound alarms, initiate lockdown procedures and prevent unauthorized access.

Access Control has five main components:

Surveillance is most often done by video cameras using a video management system.  The surveillance could start at the outer edge of your perimeter to monitor your facility and parking lots to secure your outdoor areas.  These control systems ensure that you will know who enters your facility and when. Your camera systems serve two purposes; dissuasion when a potential thief knows they will be recorded which may prevent the criminal act and if anything does happen you will have a recording of it.  IP cameras are standard and no longer require specialized equipment to handle them.  A simple computer system connected wirelessly can record.  You may even consider adding night vision. Real time alert offerings can send snap shots or video alerts directly to your phone. 

Security Testing or physical penetration testing to assess the ability of the current physical security controls to prevent penetration by the bad guys and the testing of these systems on a regular cadence to ensure their efficacy.  Many cybersecurity breaches occur when attackers find they can take advantage of one or more physical security flaw.  Flaws are as simple as no one monitoring the video feed or through devices that are easy to disarm or avoid.

Armed guards and strong security policies are useless if the bad guys can infiltrate by verbal deception or piggyback techniques to access your facility.  Effective staff training, procedures and personal controls like visitor records are important.  You test your employees by sending phishing emails to see if they will click, you should also test to see if your staff will allow anyone who says they have a reason to be in your facility access.  In large organizations where people don’t know everyone, it’s as easy as slipping in the door alongside someone who has authenticated.  The goal of the bad guy might be to steal property, harm your employees or plug code into a USB port of an open printer that is attached to your network.  Any action like this can cause serious disruption to your operations, ruin your company’s reputation, or steal intellectual property.

Zero Trust “Never Trust, Always Verify”

If the bad guys enter your front door, you should not automatically give them access to everything inside.  How long can an intruder wander around your facility before they are detected or before anyone questions them?  Will the bad guy find sensitive information laying on desks or on the copier? Are there unlocked screens at workstations, accessible phones or open USB ports? There are hundreds of things a bad guy can do in a matter of minutes; plug in a USB with malicious code, clip a vampire tap on a cable, plug in a hardwired keylogger and you are completely compromised.

With a Zero Trust approach to your security including physical security, you can limit access and require further permissions. 

That said, and regardless of you hosting your own or outsourcing this, the interaction of every aspect of security and safety systems is most prevalent at the heart of your data and requires a comprehensive 360-degree review.  Your physical data center (on-prem or in the cloud) represents the epicenter of your customers’ and your company data and should be consistently controlled with security standards including monitoring and securing all environmental elements such as power, cooling and fire suppression.  Your data center should be the primary defense against cyber theft and any disaster that requires business continuity. Trained and experienced people keep physical and digital security systems running effectively.  Employee background checks, security and compliance training, regular access reviews, annual penetration testing against your physical infrastructure, and regular patching schedules for all systems are key.  If you outsource, are your third-party data center providers keeping your data safe? In addition to safeguarding infrastructure, do they have a plan for an active shooter?  Do they have a plan that includes hardened barriers at strategic points in the facility?

The world evolves and the only constant is change. Physical security and cybersecurity have the same weak link that is the human element.  It’s been said that “nice people create critical physical gaps.” Studies show that up to 60% of all people entering corporate offices do so without authentication.  Awareness and response training of your employees (not just the new employees) can go a long way to keeping your people, property, and physical assets safe.

I’m not really ready for Zero Trust at home, but we do lock the doors now.

Brian Clayton, IT Services Manager, HBR Consulting

Did you always want to work in IT?

No, the USAF chose that for me.  When I joined, I had no objective in life so when I passed the entry test open to any role I wanted I chose my ten and IT was amongst that list.  I was sent after boot camp to Biloxi to train in the Communications Group (then ISG).  My first job after the AF was not in IT, but that business moved me to manage their computer network, so I guess God was telling me my path.

Tell us about your career path.

It has always been Service to others, whether in in the military, help desk, as an enterprise architect or CIO/CISO.

What business or technology initiatives will be most significant in driving IT investments in your organization in the coming year?

Balancing securing and enabling businesses to deliver at their highest level, such as protecting personal data and work product while opening all doors and windows for employees to exhibit their skills and talents to the fullest.

Does the conventional CIO role include responsibilities it should not hold? Should the role have additional responsibilities it does not currently include?

The CIO’s responsibilities cross all lines of businesses.  I believe lines can only be drawn with mature leadership teams.  Understand your role and how it affects and is affected by the others on your team.  The CIO must also be an enabler not just a wall.

What does a good culture fit look like in your organization? How do you cultivate it?

A team respecting their role on the team and the expertise that surrounds them.  This doesn’t mean to sit still, it means to evolve together, welcome new team members, congratulate those who graduate and move to other teams.  Understand sometimes people suck, we all do at some point.  But the respect and commitment to the team will get you out of those holes and allow you to move forward again.

What roles or skills are you finding (or anticipate to be) the most difficult to fill?

Technically skilled who can have user empathy balanced with being technically skilled.

What’s the best career advice you ever received?

Deliver on your promises and share the rewards with all who joined in on your battles.  Those people that challenge you the most are setting the bar for your next achievement.

What has been your greatest career achievement?

To love and be loved by those I have worked with along the way.  Don’t destroy the path behind you.  It is a part of you forever.

Looking back with 20/20 hindsight, what would you have done differently? 

Changing my mistakes in the past might very well change where I am today.  Physical features of weight aside, I am happy where I am today.  Just learn from those mistakes for tomorrow, look forward.

Info-Tech Research Group

Ransomware is now a daily news item. Having an effective and formalized response plan in place is more important than ever. Organizations are considering how to prepare and respond, whether they need cyberinsurance, and how it all works with their business continuity.

Join us in this webinar where we will address how to:

• Assess your ransomware preparedness.
• Document a formal response plan.

View Webinar

The Better Business Bureau’s Women in Business Networking (WiBN) program is thrilled to announce the 2022 Women of Impact honorees, as well as Jeanne Porter Career Achievement Award recipient.

Women of Impact honorees are dynamic professional women who have been recognized for inspiring and encouraging those around them to actively challenge the status quo, working to improve their communities, develop their employees and advocate for women in general. Rather than being content with others just watching them work, these women involve those around them in their endeavors thereby increasing their collective impact. They understand we are “BETTER TOGETHER.”

Melissa Cutcher, Technology First, will be the recipient of the 2022 Jeanne Porter Career Achievement Award. This honor is presented annually to a woman who continues to inspire, influence and impact the business community and the world around them well beyond their initial recognition as a WiBN Top 25 Woman. This award is meant to recognize an impactful professional legacy, like that of Jeanne Porter, founder of WiBN.

2022 Women of Impact include:

• Sheri Aldridge, New Beginnings for You
• Molly Bardine, Chaminade Julienne
• Cassie Barlow, Col. USAF Ret. & SOCHE
• Judy Budi, Graceworks Lutheran Services
• Janet Carpenter, Sophie‘s companions for Veterans/Sophie Kerrigan  For the love of Animals Foundation
• Joyce Carter, Montgomery County
• Pamela Cone, Aviatra Dayton & Curated Conversations
• Lissa Cupp, Big Rocks of Life & Style Encore
• Angela Dugger, National Alliance on Mental Illness
• Lois Elrich, Real Change Business Coaching
• Denise Henton, Single Parents Rock
• Karlee Mason, Picnk, LLC
• Anita Moore, A. Moore Consulting
• Dr. Shanee Pacley, Wright Patterson Air Force Research Laboratory
• Robyn R. Razor, Mount Carmel East
• Dr. Rhonda Smith, Divine Core Transformation & Renewed Health Care Practice
• Yvonne Turner, BSN, CHPN, CNS, Ohio’s Hospice
• Lisa Wagner, Levitt Pavilion Dayton
• Natalie Walters, WKEF/WRGT
• Erika Ward, Ronald McDonald House Charities of Dayton

Cadre Information Security

You’ve probably heard about it. Maybe you wrote it off as just another product on your cybersecurity bingo card? It is Extended Detection and Response (XDR)—cybersecurity’s “next big thing.”

Could it be the security management technology of your dreams? Let’s find out. We’re diving right in to give you an up close look at the technical evolution that vendors seem to be going gaga over. And, we’ll let you judge for yourself.

What is XDR Anyway?

Before we define XDR, it might be helpful to create context with Endpoint Detection and Response (EDR). As endpoints proliferate, organizations are focusing more attention on securing workstations. To do this, EDR provides two essential functionalities:

1. Continuous monitoring and threat detection.
2. Follow up of automated responses to threats discovered during the monitoring phase.

While EDR provides essential visibility and control over threats to endpoints, threat actors do not focus solely on laptops, desktops, mobile phones, and other devices. Rather, they find the entry point of least resistance and escalate their privileges to move laterally until they reach their intended target. 

To block and disrupt threats effectively, organizations need to go beyond EDR with extended, real-time visibility into security events not only for your endpoints, but for cloud workloads and the network. XDR achieves this by collecting and correlating data across all channels to enable visibility and context into advanced threats. After alerting analysts, threats can be analyzed, prioritized based on risk, hunted, and remediated to prevent breaches and data loss.

But I Have a SIEM for That

As with many security solutions, some features of XDR and SIEM overlap. Because of this, customers tend to ask if XDR adds value in environments that already have a SIEM solution deployed.

The distinction starts from the very beginnings of each product. SIEM had its genesis in compliance. Over time, SIEM evolved to a threat and operational risk platform, pulling data from disparate sources, performing automated analysis, and alerting human analysts. However, it does not include some of the broader functionality that XDR encompasses.

Unlike SIEM, from day one XDR was developed to focus on threats and to provide a single platform for deeper and narrower threat detection and response. Seen as the next generation of EDR, XDR includes additional functions like antivirus, firewall, and of course, EDR.

More specifically, XDR differentiates from other product categories in three ways:

1. Level of turnkey integration is much higher and does not require expensive, labor-intensive calibration.
2. Squarely focused on threat detect and incident response and have a higher quality detection and analysis lab.
3. Generally built on cloud-native architectures and can be rapidly deployed.

Is XDR Right for Your Business?

As vendors begin to take their XDR offerings to market, we have seen it appear in different forms—hardware companies adding standalone XDR products while traditional enterprise security companies add XDR as an extension of their existing platform. Given the range of options, there is certainly an XDR for every need.

But, is there a need for every XDR? Sometimes you don’t know until it’s too late. Or instead of waiting, you can try finding your security program holes through a pen test. Read more in our blog, What are the different types of Pen Testing?

Greg Franseth, Cadre Information Security

The internet is chock-full of cloud growth stats. We all know it’s happening, but do we really know how great our security risk is? According to our friends over at Netskope, in 2020, the number of apps in use by the average enterprise increased by 20%[1]. Organizations with 500-2,000 employees used on average 690 distinct cloud apps. Of those apps, 47.5% have a “Poor” Cloud Confidence Index™ (CCI) rating—meaning enterprises should avoid using these apps and take steps to migrate to safer app alternatives.

And that’s just a glimpse into the current state of cloud security.

With so much of today’s work rooted in the cloud, it’s easy to get wrapped up in doing everything you can to improve your organization’s cloud security posture. But these days what we’re seeing is that IT teams need to take a pause and revisit these 3 need-to-know security facts.

1. Everyone’s cloud security stack still needs to be tailored.

“More cloud security doesn’t equate to stronger security” is something you have probably read time and time again. But it’s worth repeating. Why? Because as the attack surface keeps expanding, organizations keep falling into the same pattern. There’s an issue, they buy a security solution to stop the hemorrhage or meet a compliance requirement, and then put off dealing with the complexity issues for another day.            

The real problem is that cloud complexity combined with too many different and uncooperative security solutions leaves you with no shared intelligence.

To overcome these challenges, you must streamline your security stack and include must-haves like: Cloud Access Security Broker (CASB) as part of your Secure Access Service Edge (SASE), Identity and Access Management (IAM), threat intelligence, and next-generation firewalls. And do so in a strategic manner that ensures all solutions work in harmony.

2. Constant vigilance is the only way forward.

So much of the discussion on cloud security revolves around technology. However, it’s not the IT team’s problem alone. Today, people are the weakest link in security. Even with a cloud-based SWG, if an employee clicks on a phishing email and enters their credentials, your whole cloud ecosystem could be at risk as attackers stealthily move and escalate privileges. While artificial intelligence (AI) and machine learning (ML) technologies help with predicting these events, and isolation layers can keep phishing attempts and malware off endpoint devices, awareness is still a central pillar of keeping the cloud secure.

3. You have to use ML/AI to take the load off analysts so they can keep a human eye on end users. 

The cloud can be safer, but you’ll always need real-time monitoring and analysis of end-user behavior. This will allow you to spot irregularities that deviate from normal usage patterns (did they modify audit trails, did they repeatedly try to download data, etc.). And at the other end of the spectrum, when that employee departs the company, do you have a process to ensure they can no longer access your cloud storage, systems, data, customer information, and intellectual properties?

To address these issues, consider completing an assessment before buying any new solutions that use AI/ML to complete low-level, high-volume tasks to take the burden of human experts such as:
 

·       Intrusion Detection & Response

·       Extended Detection and Response

·       SIEM


Cloud-First Must be Security-First

As a bonus fact, to reap the benefits of cloud computing, organizations must put security first on the list of priorities. While cloud is more secure if you take the right precautions, it takes constant evaluation and re-evaluation to ensure you have the best solutions for your ecosystem. At Cadre, we work with the best cloud security providers in the business and take an unbiased approach to review and recommend how to best secure your unique environment and reduce risk.

To learn more about integral parts of today’s cloud security, watch our recorded webinar, Demystifying SASE - A Cloud-Based Approach to Network Security.

Monique Little, Cadre Information Security

News of companies getting hacked is omnipresent. The fear, uncertainty, and doubt as a result of these reports can make you want to give up. But don’t let that dissuade you—there’s still hope and it resides in an unusual fact: more than 99% of today’s cyber attacks are human-activated.¹

You might think to yourself, how is that good? Well, for one thing, human behavior can be changed. It just requires a strong Security Awareness Program.

Security Awareness is More than Phishing Campaigns

Running phishing simulations is a common security education practice, but it is only one component among many other tactics. When we boil it down, Security Awareness is teaching employees how to develop a strong security mindset both at work and at home. That could mean using townhalls, chat channels, newsletters, and informal and formal trainings to enhance cybersecurity best practice knowledge.

Security Awareness is … not holding the door open for the person behind you, even though human nature tells you it’s common courtesy. It’s learning that threat actors leave USB drives behind and hope someone will plug it into their computer to see what’s on it (it’s in our nature as humans to be curious). It’s being aware that hackers use social media to see what your title is at work so they know who to target. It’s training employees to trust, but verify. Just because she says she’s there to fix the printer and name-drops so that it sounds legit, doesn’t make it so; always verify before leading anyone into your office space. Remember, these are just a few examples of social engineering attacks, not an exhaustive list.

When Security Incidents Happen

When an attack or breach occurs, what often has the most influence on the end result is how the organization reacts—and, how they learn from the event.

Post-event, it is critical to evaluate using these questions:

-How did the targeted user react?
-How did IT react?
-What went great?
-What opportunities are there for improvement?
-Are security tools configured correctly?
-Do you have a Security Awareness Program in place? How did it prepare the affected parties?
-Do you know what to do in case of a suspected incident?

What to Do: The #1 Rule

Knowing what to do in the case of a suspected incident is paramount. Messaging to all staff needs to be clear and encourage communication and participation. Good organizational responses should emphasize positive, defensive behaviors. This is true from the CEO to the receptionist, and to the head of IT. No matter who you are, if you have the slightest suspicion that you are experiencing an attack or have been infected with malware, don’t wait to confirm. End users need to know that IT departments would prefer false alarms than be kept in the dark about potential attacks. If anything gives an end-user pause, it should be reported immediately to IT.

It is important to note that an event or an incident is not synonymous with the B-word (rhymes with reach). Anything that happens on a network—even a false positive—is categorized as an incident. That doesn’t mean that your data has been compromised. Organizations can tie themselves in knots in fear of a public relations fallout only to discover there was never anything there. Don’t allow nomenclature to dictate how you respond.

Be Sure Users Know This

Do the users in your organization know how to contact your IT department in case of a suspected incident?

Make sure that all employees know how to contact IT during business hours, after hours or on weekends/holidays. And most importantly, how to contact IT if their email or whole computer has been compromised. Users should have email addresses, desk phone numbers and cell phone numbers of the appropriate IT contacts.

Debunking the Biggest Cybersecurity Misconception

The IT and security team are solely responsible for the organization’s cybersecurity posture. That couldn’t be further from the truth. But it underpins the importance of starting, and maturing, a Security Awareness Program.

Everyone in the organization is responsible for remaining diligent to protect business, employee, and client data. However, not everyone thinks this way. End-users must be educated in the role they play, and how “good” cybersecurity behavior isn’t simply beneficial to the business, but their own personal lives.

There is no technology that can stop all social engineering attacks since they rely on exploiting human nature—you must have ingrained security awareness as your first line of defense.

Having a strong Security Awareness Program can help to minimize security incidents within your organization. If employees know what to look for, they can do their parts to help keep your organization’s data secure. If you have questions about or need assistance in building a strong Security Awareness Program within your organization, please contact us.