By Lloyd McCoy
Manager, Market Intelligence
Arrow ECS and immixGroup, an Arrow company
While identity access management is a vital tool in protecting our networks, one of the more neglected aspects of security is people.
Most people within and outside of the IT department have network access but many users do not fully understand the risks and vulnerabilities to which a network can fall victim. That has prompted a move within security circles to emphasize what’s increasingly known as “cyber hygiene.” This is the practice of making sure we clean up after ourselves when we access networks and sensitive data.
Through a series of steps, cybersecurity is improved and our networks are protected in the online environment. For many organizations, this can mean organizing hardware and devices, monitoring the network, adding or removing software and creating a formal framework for how we handle information security today.
That’s tougher than it sounds. Users will almost always take the path of least resistance – for example, sharing passwords. For this reason, cyber attacks are shifting, with identity becoming the primary attack vector for bad actors.
A 2013 report from Verizon indicated that 76 percent of breaches came from compromised credentials. Unfortunately, that statistic hasn’t improved much since then, especially in government.
Dominic Cussatt, acting chief information security officer for the Department of Veterans Affairs, has said that government “can’t seem to drive cyber hygiene over the goal line because we are distracted by the crises of the day and distracted by new or innovative technologies.” According to Cussatt, we need to “focus on the basics.”
With that said, let’s look at some of those basics, to get a better handle on how to actually make cyber hygiene work.
Education and practice, practice, practice
People need to understand how important cybersecurity is to the organization, and all functional areas need to agree on best practices for security and be aware of the common avenues of cyber attack.
One of those best practices is to set up role-based access immediately. No one should have root-level access. Go back quarterly to assess whether the same individuals are still needed in the same roles.
Practices also need to be refreshed, training needs to take place more frequently and practice exercises need to increase. And senior leaders need to be involved, because an organization’s bad cyber hygiene often starts at the top.
Harden the workforce
People need to have a sense of ownership in the security process – which includes understanding that their actions have consequences.
Too often, we push risk away from people. As a result, the dangers in poor cyber hygiene are not real to them.
Make it real to make them tougher. For example, corporate credit cards should be taken from employees who don’t follow protocols carefully. Right now, that kind of downside risk to poor practices is not as clear as it should be.
Improve the user experience
When the user experience is improved, we improve adoption, which in turn improves security. Consequently, network access needs to feel easier to the user so that people buy in faster.
One obvious way to do that is multi-factor authentication with single sign-on. Because users don’t need to manage multiple passwords, accessing applications is faster and easier. The security is baked into the user experience. We’ve taken away one potential avenue of vulnerability, and we’re one step closer to optimal cyber hygiene.
Down the road, we should even consider non-credential-based identities. Both the Department of Defense on the government side and AETNA in the private sector are looking into this.
But the overall push here should be to constantly review practices, educate people on those practices and work constantly to update practices and roles as necessary.
Our adversaries are betting on an unchanging, stagnant security environment. We fight that stagnation with better cyber hygiene.
This story was originally published on the IDG Contributor Network’s Government InfoSec blog.