Why compliance does not equal security

We asked industry experts: ‘How can technology leaders ensure the work practices of their colleagues do not put their company’s cybersecurity at risk?’ Here is the response from Morey Haber, CTO and CISO at BeyondTrust.

Technology leaders have a daunting challenge ensuring their colleagues do not put the organization at risk due to poor cybersecurity hygiene.

While the organization may recognize the importance of cybersecurity, have obtained a variety of security certifications and prioritize budget to ensure a minimal risk surface, the cliché ‘compliance does not equal security’ is more important than ever considering the changes in the corporate workforce.

Colleagues working from home are more relaxed; as an example, they don’t lock their screen when they walk away from the laptop. Working from a home environment, they have generally unlearned many of the security best practices, physical and electronic. This increases their susceptibility to attacks such as social engineering and worse, and when they finally return to the office they need to be retrained on cybersecurity basics and best practices.

In order to avoid this destructive path of unlearned behavior, technology leaders should consider some changes to their security, compliance plans and testing to reinforce best practices. Consider the following:

  • In lieu of an annual penetration test that focuses on email phishing, consider a security posture that provides random, continuous phishing testing to keep employees from letting their guard down.
  • Most organizations perform annual cybersecurity awareness training. This tends to get muted when working from home due to the relaxed nature of most users’ environments. Businesses should consider revising their training to include the threats of the home working environment and delivering training more frequently to reinforce this knowledge.
  • Technology leaders should consider additional hardening and security changes on devices operating at home. These include:
      • Removing local administrative rights and enforcing least privilege application control
      • Moving endpoint security solutions to the cloud for management, such that devices are not dependent on the VPN for security monitoring or patch updates
      • Removing or limiting VPN access to only critical systems within the organization, preferably using a secure remote access technology to provide application access. This eliminates protocol tunneling and only provides access at the application layer, mitigating the threats of malware and ransomware.
      • Reviewing, and if necessary redefining, the access policies and segmentation for sensitive data that can be reached by a worker in a home environment. This includes reviewing not only whether the data is accessible on the screen, but who can potentially download the data in human-readable form such as spreadsheets.
      • If your organization has embraced Microsoft Office 365, disabling all legacy authentication protocols, enabling multifactor authentication and switching mobile users from MDM (Mobile Device Management) to MAM (Mobile Application Management). This reduces the risk surface by only allowing authorized mail programs to connect to O365 and mitigates the risk of MFA bypass using legacy mail clients. This is especially important for home users who think it is acceptable to connect their own home computers to corporate email for convenience.
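Disabling legacy authentication is easier to enforce once you know which users still depend on it. As an added example that is not part of the original article, the script below inventories legacy-protocol sign-ins from Azure AD / Entra ID sign-in records: successful ones identify users who must migrate to a modern mail client, failed ones show the protocols being probed for MFA bypass. The record shape and field names (userPrincipalName, clientAppUsed, status.errorCode) follow the Microsoft Graph signIn resource; the sample records are constructed.

```python
"""Inventory legacy (basic) authentication sign-ins before disabling the protocols."""
from collections import defaultdict

# clientAppUsed values that Azure AD / Entra ID reports for legacy (non-modern)
# authentication. "Browser" and "Mobile Apps and Desktop clients" are modern auth.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
    "Exchange Online PowerShell", "Reporting Web Services", "Outlook Service",
}

# Constructed sample records shaped like the Graph signIn resource (not real data).
# errorCode 0 is a successful sign-in; 50126 is Azure AD's "invalid credentials".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
]


def legacy_auth_inventory(signins):
    """Return (in_use, failed).

    in_use: {upn: {protocol: success_count}} - users who still rely on legacy auth
            and need a modern client before the protocols are disabled.
    failed: {upn: failed_attempt_count} - legacy-protocol attempts that failed,
            worth reviewing because these protocols cannot enforce MFA.
    """
    in_use = defaultdict(lambda: defaultdict(int))
    failed = defaultdict(int)
    for record in signins:
        app = record.get("clientAppUsed", "Unknown")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern auth (or unknown) is out of scope for this check
        upn = record.get("userPrincipalName", "<unknown>")
        if record.get("status", {}).get("errorCode", 0) == 0:
            in_use[upn][app] += 1
        else:
            failed[upn] += 1
    return {u: dict(p) for u, p in in_use.items()}, dict(failed)


if __name__ == "__main__":
    for upn, protocols in legacy_auth_inventory(SAMPLE_SIGNINS)[0].items():
        print(f"{upn}: still using {', '.join(protocols)}")
```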

Technology leaders can help their colleagues avoid cybersecurity mistakes, especially as they work from home. A few changes can make a very big difference in your organization’s risk surface. Just being compliant is not good enough. Rethinking how people work from home, coupled with the evolving threats they face, can help identify the changes needed to make everyone more secure and less complacent.
