Our cyber security expert, Ashwani Talreja, has put together some of the most common mistakes he encounters and sets out his approach to remedying them. The list is not exhaustive but serves as a guide for organisations looking for a high level of robustness and resilience in their provisions.
1. Not Segregating IT And Security Resources, Including Budgets
In our experience, organisations that don’t achieve a basic maturity level of cyber security usually share the same internal issue: a single team is responsible for both IT and Security, often due to budget and resource constraints. If the same team is responsible for both, Security often gets overshadowed and IT takes precedence. Our advice is to segregate IT and Security provisions – even if it’s only two or three people. A minimum of two people is required to ensure security succession planning, in case one person is on leave or otherwise unavailable.
2. Not Securing Networks With The Help Of Segregation And Segmentation
For small and medium size organisations, a common challenge is that the corporate network itself is not secured through segregation and segmentation. This means it is open to attacks from everywhere within the organisation. When failures in cyber security hit the headlines - such as with Travelex and the NHS, where systems were down for months and it cost them billions - the cause usually lay with this issue. For example, in the NHS, the WannaCry ransomware attack infected one system, but because the network was not securely segregated and segmented, it was able to spread and attack the entire network.
What if the organisation has an active network in production? How do you secure and segregate it without disrupting its functionality and affecting its operation? This highlights the importance of a holistic cyber strategy: a medium-term policy document (i.e. 3-5 years) will solve this issue, enabling the organisation to segregate the network in a phased manner, segment by segment, and reduce the risk of multiple breaches.
3. Not Actively Managing Users’ Access Rights
This is one of the most common mistakes that organisations make: not ensuring that their users have a correct set of access rights. Often users are given temporary privileged access for various reasons, which is then not revoked because there is no process for revisiting access rights. Alternatively, a user simply moves from one department to another internally and retains their previous access rights unchanged, alongside the new access rights from the new department. Providing multiple access rights, some of which may no longer be required, or may even conflict in terms of segregation of duties, may lead to compromise of data, data loss, loss of integrity or sometimes even compromise of the infrastructure itself.
Thus, it is recommended that organisations follow the principle of ‘least user privilege’, i.e. giving a user account or process only those privileges which are essential to perform its intended function. This is coupled with recertification of user access rights on a periodic basis, especially for privileged users with high levels of access.
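The three failure modes described above (temporary privileged access never revoked, rights carried over from a previous department, and conflicting rights) can be surfaced by a periodic recertification check. The following is an added illustration, not code from the article or from Coeus Consulting; the role names, review intervals and the sample users are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values for this example, not figures from the article.
PRIVILEGED_ROLES = {"domain_admin", "db_admin"}
PRIVILEGED_REVIEW_DAYS = 90    # recertify privileged rights quarterly
STANDARD_REVIEW_DAYS = 365     # everything else annually
SOD_CONFLICTS = {frozenset({"payments_creator", "payments_approver"})}

@dataclass
class Entitlement:
    user: str
    role: str
    granted_for_dept: str    # department the right was granted for
    expires: Optional[date]  # set for temporary grants, None if permanent
    last_certified: date     # last time an owner confirmed it is still needed

def review_findings(current_dept, entitlements, today):
    """Return (user, role, reason) tuples a recertification review should act on;
    current_dept maps each user to the department they work in today."""
    findings = []
    for e in entitlements:
        if e.expires is not None and e.expires < today:
            findings.append((e.user, e.role, "temporary grant expired but not revoked"))
        if e.granted_for_dept != current_dept.get(e.user):
            findings.append((e.user, e.role, "retained from a previous department"))
        interval = PRIVILEGED_REVIEW_DAYS if e.role in PRIVILEGED_ROLES else STANDARD_REVIEW_DAYS
        if today - e.last_certified > timedelta(days=interval):
            findings.append((e.user, e.role, "recertification overdue"))
    # Segregation of duties: one person holding both halves of a controlled process.
    roles_by_user = {}
    for e in entitlements:
        roles_by_user.setdefault(e.user, set()).add(e.role)
    for user, roles in roles_by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((user, " + ".join(sorted(pair)), "segregation of duties conflict"))
    return findings

# Constructed sample: bob moved from finance to engineering and kept a finance right,
# carol's temporary admin grant has lapsed, alice can both create and approve payments.
SAMPLE_DEPARTMENTS = {"alice": "finance", "bob": "engineering", "carol": "it"}
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "payments_creator", "finance", None, date(2024, 1, 15)),
    Entitlement("alice", "payments_approver", "finance", None, date(2024, 1, 15)),
    Entitlement("bob", "finance_reports", "finance", None, date(2023, 3, 1)),
    Entitlement("carol", "domain_admin", "it", date(2024, 3, 31), date(2024, 2, 1)),
]
```

Running `review_findings(SAMPLE_DEPARTMENTS, SAMPLE_ENTITLEMENTS, SAMPLE_TODAY)` on the sample yields five findings, one per problem the text describes, which is the list a line manager or system owner would be asked to confirm or revoke.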
4. Not Providing Staff With Cyber Security Training
Another ‘weak spot’, even within organisations which otherwise get the basics right, is that they have not trained all their staff in cyber security. Robust and resilient information management and security processes, policies and infrastructure can be easily negated if users can be persuaded to aid external actors in the breach by giving away password credentials (‘phishing’), accessing malicious links which may look genuine at first, or allowing malware to be installed via downloads. A single employee’s mistake can result in the entire network being compromised.
Another example is ‘social engineering’, where employees get a call from someone claiming to be from their own organisation’s IT department, or perhaps from another large trusted organisation, e.g. a bank or government department. The caller asks the user to click on a link, to give out security information or to give out passwords, which again can compromise the organisation’s data or infrastructure. This can easily be avoided by simple, timely cyber security awareness training and campaigns which teach users simple ways to check the validity of these requests before complying.
Disgruntled employees are one of the weakest links in the security chain. They can download confidential information and leak it onto the dark web, or connect a rogue device which allows a malicious hack into the organisation’s network, amongst other things. Ensuring all staff are appropriately trained in cyber security is the right way to go, and may also sometimes help with whistleblowing – “Is that colleague really installing a printer? That’s odd.”
5. Not Revisiting Exceptions
This happens when an organisation has identified a known security risk that it has deemed an ‘exception’: for example, where certain IT functionality is required and business critical but would not work if security policies were fully implemented.
If these exceptions do not get revisited and reassessed on a regular basis, they could pose a threat. An example is a server not being patched for a certain vulnerability because the patch causes required functionality in a critical software application to stop working. The exception needs to be revisited to check whether the functionality is still critically required, whether it even still exists, and whether the security patch would still create an issue. If that never happens, exceptions of this kind remain known vulnerabilities, and if they are not secured properly on a timely basis they can lead to larger compromises within the organisation.
Coeus Consulting works with organisations at all stages of maturity around matters of strategy, cyber readiness, maturity and remediation. Our client engagements range from targeted assessments of 4 weeks, to programmes of work providing advice, guidance, oversight, organisational design and implementation roadmaps over longer periods.
Read more about our Cyber Security capabilities here.
If you would like to discuss your organisation’s Cyber Security Maturity, please get in touch.