This is an original article by Kathleen Martin, MEP's IT Security Officer and a Certified Information System Security Professional.
Almost weekly we hear about another company or organization that has fallen victim to a cyber-attack. We know cybercriminals are more persistent and we need to be more diligent about protecting information.
I think in our personal lives most of us are trying to be more careful. Gone (I hope) are the days of setting each of our personal passwords to 123456. Yet, we don’t seem to carry the same level of concern into the office. Since our IT professional surely has a handle on our cybersecurity, I shouldn’t worry…right?
The fact is, we as employees play a vital role in protecting the company we work for, and it only takes one wrong click to compromise a business. A recent study from Willis Towers Watson found that 90 percent of cyber incident claims result from some type of human error or behavior. Here are five questions and answers to help guide you on your journey to making your company more secure.
1. What are the top cyber risks my company faces?
A company’s risk varies considerably based on its unique operating environment so there are many things to evaluate and consider.
Do you have many employees who use email? Spear phishing might be a top risk for you. Is every device with an IP address on your shop floor secured? If not, malicious code, unauthorized access and use or data exfiltration could be top risks.
Performing cybersecurity risk assessments should be a key part of your organization’s information security management program. Everyone knows there is some level of risk involved when it comes to a company’s critical and secure data, information assets and facilities. But how do you quantify and prepare for this cybersecurity risk? The purpose of an IT security risk assessment is to determine what security risks your company’s critical assets face and to know how much funding and effort should be used in protecting them.
The NIST Risk Management Framework (RMF) is a great resource to get started. The RMF provides a structured, yet flexible approach for managing the portion of risk resulting from systems your company can control and business processes of your organization.
2. Is it ok to use a password manager?
While using a password manager for your personal online accounts is a terrific way to stay secure, remember to check your company’s policies before using any software at work.
Password managers can help you to store your passwords as well as help you to generate unique ones for each site. However, keeping all your passwords in one place is risky. It’s important to understand how your passwords are protected and if they are encrypted. There are various commercial products available that work with multiple devices and browsers, so do your research to find one that best meets your needs.
3. Does my company comply with leading information security frameworks or standards and does it need to?
Protecting your intellectual property and sensitive customer and employee information can give you and your customers peace of mind. It is also a sound business practice when you look at the financial impact, decrease in productivity and loss of trust a cyber-attack can cost you.
For companies in the Department of Defense (DoD) supply chain, such protection is an absolute must. These companies are required to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts.
Here are several examples of security frameworks or standards that can help you understand and mitigate your risk: NIST Cybersecurity Framework, NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations, the NIST MEP Cybersecurity Self-Assessment Handbook, and the Payment Card Industry Data Security Standard (PCI DSS). It’s easy to get confused about which document you should reference, so here’s a little more information about each:
- The Framework is more high-level (and more concise) compared to NIST SP 800-53, which is a catalog of security and privacy controls. The Framework is more manageable for executives and decision-makers who may not have technical backgrounds. It also focuses on how to assess and prioritize security functions and references existing documents like NIST SP 800-53, which is best used by technical staff who will implement security and can understand its more detailed information on which controls to select and implement.
- The NIST MEP Cybersecurity Self-Assessment Handbook will help your company be compliant with NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements. The handbook provides a step-by-step guide to assessing a small manufacturer's information systems against the security requirements in NIST SP 800-171 rev 1, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
- The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions. The PCI DSS was created in 2004 by Visa, MasterCard, Discover, and American Express. Maintaining payment security is required for all companies that store, process or transmit cardholder data. The breach or theft of cardholder data affects the entire payment card ecosystem. Some examples of impacts to your company are loss of customer confidence, diminished sales, fraud losses, legal costs, fines, and termination of ability to accept payment cards. Maintaining PCI DSS compliance is vital to the long-term success of a company that processes card payments and keeps cyber defenses ready against attacks aimed at stealing cardholder data. Most small companies can use a self-validation tool to assess their level of cardholder data security.
4. What is two-factor authentication and how do I enable it? Why aren’t passwords good enough?
Two-factor authentication (2FA) is an extra layer of security used to make sure that you are who you say you are. The problem is that usernames and passwords alone are easily guessed, and people use the same passwords for multiple sites. Publicly disclosed incidents reveal that 5,518 records are leaked every minute.
2FA stops other people from easily gaining access to your accounts. When 2FA is enabled, you enter your username and password into the login page. Then, instead of immediately gaining access, you will be required to provide another piece of information. This second factor could be one of the following:
- Something you know – a personal identification number (PIN), passphrase or answers to secret questions.
- Something you have – a credit card, key card, smartphone, hardware or software token or notification from the site.
- Something you are – a biometric pattern of a fingerprint, iris scan or voice print.
If you are unsure whether or not your sites or apps have 2FA, visit TwoFactorAuth.org to find out.
Turn 2FA on for all accounts. See Telesign’s step-by-step instructions for enabling2FA: https://www.turnon2FA.com.
5. Is there an approval process to purchase applications I find that would be useful for my work?
Most companies do have policies about how to purchase software (either boxed/online or externally hosted in the cloud). It is important to know which applications you can use immediately, and which may need further investigation to ensure they are secure enough for your use and the data that will be processed and/or stored within them. Know what is required and work with your cybersecurity professional to go through the required processes to ensure the information will be secured properly.
View the original article here.
If you would like to better understand your cybersecurity risk, you can use the MEP National NetworkTM Cybersecurity Self-Assessment Tool, or contact IMEC at firstname.lastname@example.org or 888.806.4632.