Protect IT—A Combination of Security Culture and Cyber Hygiene Good Practices October 24, 2019 Charles Goldberg | VP, product marketing More About This Author > In the spirit of National Cyber Security Awareness Month (NCSAM), my colleague Ashvin Kamaraju wrote about how organizations can use fundamental controls to secure their information technology. Effective digital security doesn’t end at “Secure IT,” however. It’s equally important that organizations protect their IT assets against things like software vulnerabilities, unsecured Wi-Fi connections and unauthorized data exfiltration. So how do organizations get started? To “Protect IT” is to abide by good cyber hygiene practices. Though implemented by security professionals, these guidelines in many cases require the entire workforce’s cooperation. Employees won’t follow along for nothing; they need to know why those security behaviors matter. Hence the need for a robust enterprise-wise security culture. Building a Robust Security Culture The basis of building a strong security culture is a security awareness program that has received deliberate investment from the organization over time. With that said, The Huffington Post has devised a few tips that organizations can use to create a security culture. These recommendations are instrumental for enlisting the help of the workforce to promote cyber hygiene best practices. Secure executive buy-in: A security awareness program will have limited effectiveness if it doesn’t receive executive support. That being said, executives can’t lay the groundwork for a security culture simply by approving the formation of a training program. They need to be vocal proponents of it, and they should participate in the training activities side-by-side with their employees. Such involvement will help create a sense of unity regardless of rank around the importance of digital security. Create security polices: Security works best if the organization has written security policies to which members of the workforce can refer. These policies should clearly identify what behavior is appropriate so as to avoid confusion. For the sake of creating a cohesive culture, these policies should put forth the same behaviors for employees, executives and contractors without making exceptions based on rank or location. Make the security awareness program engaging: A security culture won’t emerge out of a boring security awareness training program. Fortunately, security personnel can help raise their program’s engagement by regularly conducting training sessions that use gamification and group activities to teach specific activities. Needless to say, these trainings should focus on security issues that are specific to the organization so as to maximize the workforce’s participation. View security as an enabler: Employees, executives and contractors are all human. They’ll make mistakes, and they don’t want to be punished for it. It’s therefore important that security teams frame the security awareness training program as a positive contributor to the business. Along those same lines, they should make it easy for anyone to report a potential security issue, and they should always strive to leverage security mistakes as opportunities for learning, not punishment, when they do occur. Help telecommuting employees: Given the rise of mobile and the cloud, organizations would do themselves a great disservice if they exclude telecommuting employees from their security training programs. Through these initiatives, security personnel should make sure that this remote workforce has everything it needs to work securely. That includes setting up a VPN through which remote employees can access work assets. Proper Cyber Hygiene for Employees and Security Teams Once organizations have an effective security awareness training program in place, they can use it to raise awareness of and support for certain key cyber hygiene practices with the purpose of building a robust security culture. These guidelines should include the following: Set up a Strong Password Policy One of the most common ways by which malicious actors perpetrate account takeover (ATO) fraud is via password brute forcing attacks. These types of campaigns are meant to guess users’ passwords by successively attempting commonly employed combinations as well as those that use well-known dictionary words. Once they’re in, malicious actors can leverage a compromised business account to steal sensitive information and/or stage secondary attacks. Security professionals can help counter the threat of ATO fraud by instituting a strong password policy that requires all employees to create a strong, unique password for their accounts. Per Symantec, they should specifically require passwords that contain at least 16 characters comprised of upper- and lowercase letters, numbers and symbols. Infosec personnel should also help employees store those passwords safely such as via the use of a password manager. Implement Multi-Factor Authentication Of course, passwords don’t provide absolute protection for business accounts. Digital attackers can use malicious website and phishing accounts to trick users into handing over their password and, by extension, they key to their account. That’s why security professionals need to take additional steps to safeguard employees’ accounts. One of the most important actions these experts can take is the implementation of multi-factor authentication (MFA). This security control adds a step to the login process by requiring employees to supply a biometric identifier (such as a fingerprint) or a physical device (such as a YubiKey) once they’ve entered their password. Through this means, infosec professionals can help prevent employees’ accounts from ending up in the wrong hands even if their passwords have been stolen. Employ Device Encryption Just as organizations’ security defenses are evolving, so too are digital attackers’ tactics, techniques and procedures (TTPs). Malware actors have designed Andr/FakeKRB-G, MisoSMS and other threats so that they’re capable of intercepting users’ SMS codes, a common delivery method for two-step verification (2SV) codes. These types of threats present one means by which bad actors can circumvent certain MFA deployments. With that technique in mind, security professionals should use encryption to make their sensitive data inaccessible to those who might have gained access to the system. They don’t make it possible for digital attackers to steal their encryption keys, however. In response, infosec experts should use hardware security modules (HSMs) to manage their keys effectively. Just the Beginning… The cyber hygiene practices identified above are just the beginning for organizations looking to strengthen their digital security. They can further augment their security by investing in solutions based on fundamental security controls. Learn about Thales’ enterprise security tools here.