Compliance does not necessarily equal IT security

By - May 4, 2015

Throughout my career I’ve worked a lot with regulated clients in the financial and healthcare fields, and one disturbing trend I’ve seen is the attitude that compliance equals security. Banks in particular are usually required to undergo an annual exam by their regulating body, and often an independent third-party audit as well. I’ve heard Presidents and CIOs alike utter the words “We received a 5/5 on our last exam, our security must be top notch!” But when I look at the firewall configuration I see permit-any statements, which are a big no-no in the IT security field, or I see Active Directory service accounts with passwords that haven’t been changed in 15+ years.

Organizations need to stop viewing compliance as equivalent to security and start viewing it as the foundation for security. IT security is nearly impossible without a strong compliance policy that is actually followed. Once those policies are in place, IT systems can be deployed and configured to follow them, and IT security can start to take shape.

Take for example a policy that states the organization will maintain a stateful packet inspection (SPI) firewall to protect the internet connection. That policy is a good start, but it still allows for a misconfigured DMZ that lets all traffic pass unfiltered. Security comes into play when the administrator starts looking at all traffic flowing through that firewall, identifies only those servers that should communicate between zones, and restricts that traffic to the ports needed for operation.

Or take for example a policy that states the organization will require all users to change their passwords every 90 days and to use complex passwords. Another good start, but how many administrator accounts or service accounts have the “Do not force password change” box set because that core app breaks when the service account’s password is changed? The next step for this organization is to write a procedure guide for changing that service account’s password and updating the core app to use the new one, and then to schedule a recurring task to ensure the password is updated every 90 days.
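As an added example (not code from the original post), the following PowerShell audit finds the accounts the paragraph above describes: those with the never-expires flag set (the attribute behind that checkbox is PasswordNeverExpires in the ActiveDirectory module) or with a password older than the 90-day policy. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the output file name is an assumption.

```powershell
# Added example, not part of the original post. Audits enabled AD accounts for
# exceptions to a 90-day password rotation policy. Assumes the RSAT
# ActiveDirectory module is available; the CSV path is an assumed placeholder.
Import-Module ActiveDirectory

$MaxAgeDays = 90                                  # the policy interval from the post
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)   # anything set before this is stale

# Pull every enabled account with the attributes needed for the check.
$accounts = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate

$findings = foreach ($a in $accounts) {
    $reasons = @()
    if ($a.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires is set' }
    if ($a.PasswordNotRequired)  { $reasons += 'PasswordNotRequired is set' }
    if (-not $a.PasswordLastSet) {
        # pwdLastSet of 0: password never set, or user must change at next logon
        $reasons += 'PasswordLastSet is empty'
    } elseif ($a.PasswordLastSet -lt $Cutoff) {
        $ageDays = [int]((Get-Date) - $a.PasswordLastSet).TotalDays
        $reasons += ('password is {0} days old' -f $ageDays)
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            PasswordLastSet = $a.PasswordLastSet
            LastLogonDate   = $a.LastLogonDate
            Findings        = ($reasons -join '; ')
        }
    }
}

# Oldest passwords first, so the 15-year-old service accounts land at the top.
$findings | Sort-Object PasswordLastSet | Format-Table -AutoSize
$findings | Export-Csv -Path .\password-policy-exceptions.csv -NoTypeInformation
```

Run it from the recurring task the paragraph recommends so that a service account whose rotation step was skipped shows up in the next report rather than years later.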

Now that the organization has started to look past the policies and into the actual technology that protects its networks, it’s time to think about the organization’s greatest security risk – end users. It’s an old-school thought process that the internal network is sacred and we should only protect the perimeter. In the 90s, a firewall at the internet connection was considered sufficient to protect the network. Metaphorically, cyber criminals aren’t focusing on coming through the front door (the firewall); they’re coming through the side window that’s wide open (the end user). By using social engineering, attackers convince unknowing end users to open malicious web pages or suspect emails that allow them to gain control of the user’s PC. Suddenly the sacred internal network is compromised.

The biggest shift comes from the notion that IT security is the IT department’s job, when in the modern technical world security is everybody’s responsibility. This requires significant effort in educating and training end users. Can your end users tell the difference between a fake antivirus program that’s really malware and the organization’s legitimate antivirus program? Does the receptionist know to check the ID of the technology vendor who comes in against a log of approved vendors, or is anyone who says they’re with the ISP allowed into the network closet “to check the connection”?

End users must be conditioned not to be afraid of calling IT for help. If end users are afraid to ask for Tier I support in Microsoft Office for fear of being ridiculed, how are they going to feel confident calling IT when they clicked a link in an email that didn’t go where they expected? Organizations must shift IT security from a punitive action to a welcoming one for their end users and encourage open dialog. This often starts with IT itself, sending end users updates on what’s going on and what to look for through recurring emails or newsletters, maybe even podcasts.

IT security is not an easy achievement, so it’s best to start in small steps and gain momentum. If your organization needs help getting started, contact RSM’s technology consulting professionals at 800.274.3978 or email us.
