We recently shared five smart moves for IT leaders to focus on when creating an effective cybersecurity strategy. They included basic care like updating an employee security policy and avoiding physical theft, but they also covered monitoring digital footprints in order to thwart malicious insider threats. In this blog post we dive into some additional risks your organization may be facing, and what you can do to stop them.
3 Additional Cybersecurity Smart Moves
Unfortunately, malicious insiders aren’t your enterprise’s only threat; you should also be concerned about vendors and the employees of third-party software providers. About a quarter of all reportable HIPAA breaches involved business associates, many of whom are vendors.
Healthcare and financial enterprises are required by regulations to exercise due diligence in hiring and overseeing vendors. Even organizations that are not subject to such regulations can benefit from reviewing vendor security and overhauling privacy practices.
2. Hit Cybersecurity from all Angles
Some healthcare security consultants recommend a three-pronged approach to vendor security. Even if healthcare isn’t your industry, we can all benefit from employing these tactics:
- Access policies that extend beyond compliance to include things like proprietary information and trade secrets; require these for all vendors, not just those bound by regulations.
- Practice due diligence when hiring vendors by requiring them to complete a privacy and security questionnaire. For instance, an enterprise could ask how security is integrated into the product or software development lifecycle and whether the security of software is penetration tested internally or externally. For cloud products, disaster recovery should be covered in depth. In addition, enterprises should make sure they have the right to audit vendor adherence to the contract.
- Require signed confidentiality agreements based on the risk profile of the organization.
ISACA, an international professional association focused on IT Governance, offers a handy vendor security audit checklist. As always, WEI’s security team is also ready to help strengthen your cybersecurity strategy.
3. Fortify Mobile, IoT and Device Defenses
While most enterprises have malware detection software on servers and laptops, and protect the network perimeter with firewalls and intrusion systems, many do not take the same type of care with mobile devices, networked Internet of Things devices, and other devices such as printers and routers.
Wireless and Bluetooth-enabled devices can give attackers a backdoor into a network’s security infrastructure. For instance, in 2013, the U.S. Department of Homeland Security issued a warning about 300 medical devices such as ventilators and laboratory equipment that relied on hard-coded passwords: passwords that are embedded in the firmware as code and can’t be changed without changing the software itself. In fact, this is a common problem in many applications and devices, such as printers. According to Naked Security, “Printers are a generally overlooked bit of network infrastructure, despite the fact that modern, networked printers have many of the same attributes as regular desktop systems, and might store thousands of pages of confidential document images. In recent years, printer vendors like HP have been forced to rush patches to users after critical vulnerabilities were discovered in firmware run by their printers.”
In addition to maintaining an inventory of servers and laptops, it’s a smart move to maintain an inventory of all other devices that interact with your network and check regularly whether the manufacturer has issued any new firmware or software to fix security issues. For instance, a device manufacturer will sometimes release a firmware update that removes a hard-coded secret, and the problem is fixed simply by applying that update. If no such fix is available, enterprises would be wise to limit network access to the vulnerable devices.
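As an added illustration (not part of the original post, and not a WEI tool), the following Python script shows how a device inventory can be checked against a table of vendor firmware advisories so that each device ends up with one of four actions: current, update available, no fix available (restrict network access), or no advisory on file. The vendor names, models, device names, addresses and version numbers are constructed sample data; in practice the advisory table would be maintained from each manufacturer’s security bulletins.

```python
"""Inventory-driven firmware check (added example; assumptions noted inline)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: str   # version string as reported by the device
    ip: str


@dataclass
class Advisory:
    """What the vendor's bulletins say about a model (constructed sample data)."""
    issue: str
    fixed_in: Optional[str]   # None: the vendor has not shipped a fix yet


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically.
    A plain string comparison would wrongly sort '2.9' after '2.10'."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(device: Device, advisories: Dict[Tuple[str, str], Advisory]) -> str:
    """Decide what to do with one device, based on the advisory for its model."""
    adv = advisories.get((device.vendor, device.model))
    if adv is None:
        # Unknown models are a gap in the inventory process, not a pass.
        return "no advisory on file: confirm with vendor"
    if adv.fixed_in is None:
        # Known issue, no fix: segmentation is the remaining control.
        return f"no fix available for '{adv.issue}': restrict network access"
    if parse_version(device.firmware) < parse_version(adv.fixed_in):
        return f"update available ({adv.fixed_in}) for '{adv.issue}'"
    return "firmware current"


def assess_inventory(devices: List[Device],
                     advisories: Dict[Tuple[str, str], Advisory]) -> Dict[str, str]:
    """Map every device name in the inventory to its recommended action."""
    return {d.name: assess(d, advisories) for d in devices}


# Constructed sample data: hypothetical vendors, models and version numbers.
ADVISORIES = {
    ("ExampleVendor", "NetPrint-9000"): Advisory("hard-coded admin password", "3.2.0"),
    ("ExampleVendor", "Ventilator-X"): Advisory("hard-coded service password", None),
}

DEVICES = [
    Device("print-floor2", "ExampleVendor", "NetPrint-9000", "3.1.9", "10.0.1.20"),
    Device("print-lobby", "ExampleVendor", "NetPrint-9000", "3.2.0", "10.0.1.21"),
    Device("vent-icu-1", "ExampleVendor", "Ventilator-X", "1.0", "10.0.5.7"),
    Device("router-edge", "OtherVendor", "R-100", "2.10", "10.0.0.1"),
]

if __name__ == "__main__":
    for name, action in assess_inventory(DEVICES, ADVISORIES).items():
        print(f"{name:14} {action}")
```

The numeric version parsing matters more than it looks: many device firmware strings use two-digit minor versions, and comparing them as text would report a patched printer as out of date or, worse, an unpatched one as current.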
Mobile security defenses should be fortified as well. Malware and virus protection is now available for all popular mobile platforms through each platform’s app store. Products include Bitdefender Mobile Security, F-Secure Mobile Security, Lookout, McAfee Mobile Security and Norton Mobile Security.
Before investing in software and/or hardware security solutions, consider starting a dialogue with an IT solutions provider that has knowledge of and experience with these enterprise security solutions. The right IT solutions partner will take the time to fully understand your IT environment and organizational goals in order to recommend the right solutions to meet your business needs. These days, enterprise security is an all-hands effort that requires collaboration across departments to identify security risks and opportunities.
To better understand the new and trending enterprise security threats, read our white paper, Effectively Managing Cybersecurity: Top 5 Enterprise Threats.