This is the year to get all the security ostriches’ and data loss non-believers’ thoughts out of the sand and become proactive. Too many organizations have their heads in the sand leaving their other vital parts exposed. It’s clear that we should all address the concerns surrounding these facts:
- Cyber attackers are focused on the data of small to medium-sized businesses. Fraud attacks will become more coordinated and disruptive, and businesses need to proactively safeguard their data.
- Major multi-million dollar fines for healthcare organizations from HIPAA breach audits will continue.
- There was a time when having an Apple computer may have helped to protect you. Not anymore.
- Social networking sites remain a significant threat to data security.
- IoT devices are the new gateway for hackers and for lateral movement of malicious code.
- There’s no end in sight for lost or stolen unencrypted laptops, USB drives, cellphones, and other portable devices.
- The needed education for the user community and key individuals tasked with protecting assets will require additional budget and continuing professional education.
- The proliferation of cybersecurity laws and regulations is not stopping.
What to do now
While any information security process improvement—including enhanced and auditable security controls, such as true penetration testing and social engineering attacks, proactive protection and automated event monitoring—are advisable, and required by many laws, there are 10 key areas that you may want to focus on first, including:
- Risk assessments. Accurate, thorough and repeatable assessments are required to meet HIPAA and many other data security laws. Don’t shortchange or underestimate your risks by limiting your assessment scope. Currently, an effective risk assessment and risk management program is one of the key OCR Deskside Audits requirements. It is also one of the top five reasons auditees fail an investigation or have had a data breach. Focus on performing a risk assessment over a period of time, not just a point in time. It will give you an evidence-based picture of how well your controls are operating for the periods assessed.
- Data encryption. Effective, enterprise-wide data encryption wherever your data is stored, transmitted (i.e. email), accessible or located on portable (laptops, thumb drives, cell phones, backup tapes, etc.) devices is a requirement and traditionally has a highly significant return on your protection investment.
- User access control and regular access recertification. Your users are your single greatest data strength if adequately trained and audited, and your largest weakness if they are not. Use a process of least rights; i.e. the person accessing the data should only be able to interact with the data required to complete their documented job description. No more, no less. Don’t forget to include the personnel with enhanced access, those with superuser, domain, or administrator levels of access, as they hold all the keys to your data. As people move and change jobs within an organization, it is critical to re-certify all users’ access on an ongoing basis.
- Vendor audits. OCR stated in May 2016 that the Business Associate (BA) Agreement may not be the only HIPAA compliance assurance required. It is advisable, with the ever-growing and enhanced use of outsourced services, Cloud vendors, managed security providers, and third parties who somehow interact with your protected data, that you, as part of your risk assessment, fully document the need for those additional assurances, then gather the needed data to assure their compliance with the laws and regulations that affect you. This is critical as your vendors are normally seen as your second-largest risk area for data loss.
- OpenDNS, “Umbrella” agents and other tools. It’s time to start exploring these types of advanced services to protect you from malicious access to data, your users from phishing, pharming, malware and other threats, even when not connected to your local network.
- Whitelisting. This is the process of identifying and allowing only those sites and internet addresses approved by the organization, which are legitimately required to send or receive data from your organization or communicate with your company personnel.
- Data exfiltration testing. Many companies do a great job blocking access and data transfers from the outside, but few test and block data being sent from the internal network to the internet. Knowing and limiting what data leaves your company and in what volume, is just as important as blocking malicious incoming data.
- Security awareness training. Don’t scrimp here, perform and test your training—at hire, at least annually, and in response to any impermissible disclosure, security incident or data breach. Testing your training can be accomplished with social engineering attacks such as phishing campaigns or other attempts at gaining data or access, such as riding the coattails of an employee to gain access to a controlled area.
- Advanced penetration (aka “hacking”) testing. Find out what the bad guys can actually get to. Penetration testing is NOT a vulnerability assessment. They are two different processes. Vulnerability assessments report on identified or suspected weaknesses in your technological environment, whereas a penetration test takes those vulnerabilities and adds actions required to see if the vulnerability can be exploited to bypass your protection processes and technologies.
- Repeat all of the above. Implementing effective information security is not a one-time process or action. Summarily, the testing, assessments and process improvements needed are not solely the responsibility of your IT department. Technical, administrative, and physical risks must be measured and taken into account across the enterprise.
You cannot protect yourself from an unknown or unmeasured risk. Ignoring the needed actions will only accelerate your chances of exposing your organization to a data loss, disclosure or breach.
Carl Cadregari is a Certified Information Systems Auditor (CISA), Certified HITRUST CSF Assessor (CCSFP) and is in the process of completing the Shared Assessments Certified Third Party Risk Professional (CTPRP) Program and is an executive vice president in the Enterprise Risk Management Team at Bonadio.