Appalachia Technologies Blog
3 Actions for a Better Security Posture
There are many frameworks and security models to refer to when working to secure your organization, and the sheer number of them can be overwhelming. Today I'm going to talk about three action items that will make a significant difference in your overall security posture. There is no silver bullet for securing an organization, but these three give a strong return on the effort invested.
1. Security Awareness Training
Security Awareness Training is, in my opinion, the single most effective measure a company can put in place to protect its digital assets. The majority of breaches involve a human element somewhere in the chain (a clicked link, a reused password, a convincing phone call), so it is easy to see why. At many organizations the driver for awareness training is compliance: PCI DSS requires it at least annually, and NIST-based frameworks contain similar requirements. As we have all heard, though, compliance does not equal security, and here that is especially true: a single annual session does not change behavior. Staff need to be trained well and trained often on how to recognize and respond to phishing and other social engineering attempts. A healthy security culture is one in which employees report suspicious activity openly and can talk about it without embarrassment, so that one person's near miss becomes everyone's lesson. Training can be delivered online, onsite, or as a hybrid of both, and short weekly or monthly emails from the security team on current scams and techniques keep the topic fresh between formal sessions. This is worth considering for your organization.
2. Penetration Test
A penetration test is a practical way to find out where your company actually stands against exploitable vulnerabilities. Test the external perimeter, but test the inside of the network as well: the external test measures risk from attackers on the Internet, while the internal test measures what an attacker who has already gained a foothold, or a rogue employee, could reach from inside. Web applications should be tested too. They often hold critical data, and they are frequently connected to internal systems, so a flaw in a public application can become an attacker's path into the corporate network. A test across these three areas (external, internal, and web applications) gives a good measurement of your current security posture. The results should also be read over time. If the same vulnerabilities keep appearing from one test to the next, find the root cause rather than patching the symptoms: a large or recurring set of findings usually means the policies and procedures that should ensure timely patching either do not exist or are not enforced. Retesting after remediation confirms that fixes actually took.
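One way to turn the "same findings keep coming back" observation into a measurement is to diff two consecutive pentest reports and compute how much of last year's report reappears per scope. The script below is an added example written for this article, not the author's or Appalachia's tooling; the finding lists are constructed sample data, and the record layout (scope, host, title, severity) is an assumed format rather than any real scanner's output.

```python
"""Compare the findings of two consecutive penetration tests.

Added example, not part of the original post. The two finding lists are
constructed sample data, and the record fields (scope, host, title,
severity) are an assumed report layout, not a real tool's output format.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scope: str     # "external", "internal" or "webapp": the three test areas
    host: str      # affected host name or URL
    title: str     # vulnerability title as written in the report
    severity: str  # "critical", "high", "medium" or "low"

    def key(self):
        # Same scope, host and title means the same issue was reported again.
        return (self.scope, self.host.lower(), self.title.lower())


# Constructed sample data: last year's report and this year's report.
LAST_YEAR = [
    Finding("external", "vpn.example.com", "Outdated OpenSSL version", "high"),
    Finding("external", "mail.example.com", "TLS 1.0 enabled", "medium"),
    Finding("internal", "fileserver01", "SMB signing not required", "medium"),
    Finding("internal", "hvac-ctl", "Default vendor credentials", "critical"),
    Finding("webapp", "https://portal.example.com/login", "SQL injection in username field", "critical"),
]
THIS_YEAR = [
    Finding("external", "vpn.example.com", "Outdated OpenSSL version", "high"),
    Finding("external", "mail.example.com", "TLS 1.0 enabled", "medium"),
    Finding("internal", "fileserver01", "SMB signing not required", "medium"),
    Finding("internal", "printsrv", "Missing operating system patches", "high"),
    Finding("webapp", "https://portal.example.com/profile", "Stored XSS in display name", "high"),
]


def recurring(previous, current):
    """Findings in the current report that were already in the previous one."""
    seen = {f.key() for f in previous}
    return [f for f in current if f.key() in seen]


def remediated(previous, current):
    """Previous findings that no longer appear."""
    now = {f.key() for f in current}
    return [f for f in previous if f.key() not in now]


def new_findings(previous, current):
    """Current findings that were not reported last time."""
    seen = {f.key() for f in previous}
    return [f for f in current if f.key() not in seen]


def recurrence_rate_by_scope(previous, current):
    """Fraction of last report's findings, per scope, that came back unchanged."""
    prev = Counter(f.scope for f in previous)
    rec = Counter(f.scope for f in recurring(previous, current))
    return {scope: rec[scope] / prev[scope] for scope in prev}


def process_gaps(previous, current, threshold=0.5):
    """Scopes whose recurrence rate suggests patching is not happening or not enforced."""
    rates = recurrence_rate_by_scope(previous, current)
    return sorted(scope for scope, rate in rates.items() if rate >= threshold)


if __name__ == "__main__":
    for f in recurring(LAST_YEAR, THIS_YEAR):
        print(f"RECURRING [{f.severity}] {f.scope}: {f.host} - {f.title}")
    for scope, rate in recurrence_rate_by_scope(LAST_YEAR, THIS_YEAR).items():
        print(f"{scope}: {rate:.0%} of last year's findings came back")
    print("Scopes needing a process review:", process_gaps(LAST_YEAR, THIS_YEAR))
```

In the constructed data every external finding recurs and half the internal ones do, while the web application team fixed everything and only has new issues. That pattern points at a patching process, not at individual hosts, which is exactly the root-cause question the paragraph above asks you to raise. The 50% threshold is arbitrary; pick one your organization can defend.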
3. Third-Party Access
Unfortunately, this control is often overlooked. A significant number of breaches begin with a third-party vendor that has access to a client's network or data. Make sure your vendors use unique, individually named logins for each of their employees. If a vendor supports your organization's HVAC system, for example, its technicians should not all be sharing a single ID such as "hvac" to reach your network. A shared account provides no accountability should an incident occur, because the logs cannot tell you which person was at the keyboard. Limit each vendor account to the systems the vendor actually supports, and disable it when the engagement ends. It is also important to have policies and procedures that hold the vendor's own systems to a standard: if a third-party laptop connects to your VPN and works on systems inside your network, does it carry the protections you require of your own endpoints (current patches, endpoint protection, disk encryption)? Write that expectation into the vendor agreement rather than assuming it.
Frameworks such as NIST (the access control and supply chain risk management control families in SP 800-53) and PCI DSS (requirement 12.8 on third-party service providers) lay out specific controls for managing and monitoring third-party vendor access.
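The accountability problem with a shared "hvac" login is also detectable: one account that is logged in from two different endpoints at the same time, or from many endpoints over a day, is almost certainly being shared. The script below is an added example, not the author's or Appalachia's code, and it runs over constructed VPN log lines in an assumed `key=value` format; real VPN concentrators log differently, so the regular expression would need adjusting. The same check works for any account, not just vendor accounts.

```python
"""Flag accounts that look shared, based on concurrent or many distinct endpoints.

Added example, not part of the original post. SAMPLE_LOG is constructed data
in an assumed log format (timestamp, user=, src=, device=, event=).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) event=(?P<event>login|logout)$"
)

# Constructed sample: a shared vendor account "hvac" used from three machines,
# two of them at the same time, beside a properly named vendor technician.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z user=hvac src=203.0.113.10 device=LAPTOP-7731 event=login
2024-03-04T08:14:47Z user=hvac src=198.51.100.23 device=FIELD-TABLET-2 event=login
2024-03-04T08:20:05Z user=j.smith_acmehvac src=203.0.113.10 device=LAPTOP-7731 event=login
2024-03-04T09:02:30Z user=hvac src=203.0.113.10 device=LAPTOP-7731 event=logout
2024-03-04T09:10:00Z user=hvac src=198.51.100.23 device=FIELD-TABLET-2 event=logout
2024-03-04T10:00:00Z user=hvac src=192.0.2.77 device=HOME-PC event=login
2024-03-04T11:30:00Z user=j.smith_acmehvac src=203.0.113.10 device=LAPTOP-7731 event=logout
2024-03-04T12:00:00Z user=hvac src=192.0.2.77 device=HOME-PC event=logout
"""


def parse_events(text):
    """Parse matching log lines into dicts with a UTC datetime; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def shared_account_report(events, max_endpoints=2):
    """Per user: endpoints seen, peak simultaneous sessions, and a shared-account verdict.

    An endpoint is a (source IP, device name) pair. Two endpoints logged in at
    once is the strong signal; more than max_endpoints over the period is the
    weaker one (a single person may legitimately have a laptop and a phone).
    """
    active = defaultdict(set)    # user -> endpoints currently logged in
    peak = defaultdict(int)      # user -> max simultaneous distinct endpoints
    endpoints = defaultdict(set)  # user -> every endpoint ever seen
    for e in events:
        user, endpoint = e["user"], (e["src"], e["device"])
        endpoints[user].add(endpoint)
        if e["event"] == "login":
            active[user].add(endpoint)
            peak[user] = max(peak[user], len(active[user]))
        else:
            active[user].discard(endpoint)  # tolerate logout without a seen login
    return {
        user: {
            "distinct_endpoints": len(endpoints[user]),
            "peak_concurrent": peak[user],
            "likely_shared": peak[user] > 1 or len(endpoints[user]) > max_endpoints,
        }
        for user in endpoints
    }


if __name__ == "__main__":
    for user, info in shared_account_report(parse_events(SAMPLE_LOG)).items():
        flag = "SHARED?" if info["likely_shared"] else "ok"
        print(f"{user:20} endpoints={info['distinct_endpoints']} "
              f"peak_concurrent={info['peak_concurrent']} {flag}")
```

Run against the constructed log, `hvac` is flagged (two concurrent sessions, three endpoints in a day) while `j.smith_acmehvac` is not. When this check fires on a real vendor account, the remediation is the one the paragraph above describes: retire the shared ID and issue named accounts, so that the next incident investigation can say who did what.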
As mentioned, these items do not cover the whole security spectrum, but they are achievable and give an excellent return on investment. None of the three is more important than the others. After all, defense in depth is the practice of layering many defenses rather than depending on any single one (such as a firewall). Educate your people, stay aware, and maintain proper due diligence to secure your organization.
Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.