With 2023 quickly approaching, now is a good time to reflect on proactive steps your organization can take to strengthen its security and compliance posture. As ransomware and data breaches continue to escalate globally, the cost to your organization can be catastrophic. To defend your organization from a cyber-attack, we’ve compiled a list of eight actionable measures to integrate in your IT security and compliance programs.
- Incident Response Planning and Tabletop Exercises
Ransomware and data breaches continue to advance every year, and 2023 is no exception. Ensuring your team can respond quickly and efficiently in the event of a breach or compromise is critical. Plan for a Phase 1 tabletop exercise with your information technology/security teams this year and then look ahead to a Phase 2 exercise involving campus leadership, communications, legal, public safety, and technical teams.
- Compliance and Risk Assessments
If you haven’t engaged in a third-party/external assessment in a few years, now is a good time to have one performed. Regarding PCI compliance (with PCI DSS v4.0), planning for an assessment to identify any potential gaps in compliance to the new version will be critical. An assessment now will also help you plan ahead and budget accordingly for any new equipment or resources that may be needed to meet the March 2024 deadline. Similarly, with GLBA and the updated FTC Safeguards Rule, the extension to June 9, 2023, may have allowed you more time, but not a lot. A comprehensive assessment can identify any immediate risks or areas of non-compliance and enable a more concrete plan and timeline in place for remediation.
- Penetration Testing/Web Application Testing
Is your organization conducting annual network penetration tests? Depending on available resources and funding, you may need to plan for focused testing and determine higher priority targets or systems. Or plan for an external penetration test this year and expand funding to include internal penetration testing the following year. With hackers continuing to target and expose web applications online, you may also want to consider authenticated web application testing. This helps to impede malicious actors who gain access to an application from compromising critical information through escalated privileges or other means.
- Social Engineering Defense
The most advanced technology cannot prevent all incidents—especially those caused by human errors. Statistics continue to indicate that a lack of awareness among employees is the biggest risk facing information security today. Social engineering, an attack targeting people, continues to be one of the most successful techniques criminals use to gain access to sensitive data. Even as many organizations have taken steps to implement multi-factor authentication (MFA), attackers can still find ways to bypass these controls through misconfigurations or social engineering. Attackers can send unsolicited push notifications that users may blindly accept, or they may attempt to vish help desk personnel by pretending to be an authorized user to request MFA bypass codes. Consider including MFA Implementation testing as part of your next external penetration test to ensure your staff and controls can pass the test.
- Awareness Training
We often recommend organizations structure compliance training around annual or ongoing compliance cycles. For example, you can kick off your PCI training to merchants prior to the annual launch of your Self-Assessment Questionnaires (SAQ). It may also be beneficial to consider ongoing information security awareness training in smaller, bite-sized course modules vs. annual training to help improve overall engagement, awareness, and retention.
- Procedures for Remote Workers
Hybrid and remote work environments are here to stay, so now is the time to formalize some of the practices you may have put in place during the dramatic shift to remote working with COVID-19. Review business practices and evaluate policies for remote workers. Do you have approved devices that can be taken home (i.e., laptops, payment card terminals, etc.)? When working remotely, how should employees be accessing organizational resources? If a remote employee’s workstation is hacked or ransomware is downloaded, is the security team able to quickly access and limit the potential compromise? Have all employees read your acceptable usage policy and does it cover usage of devices at home and home networks? Providing hybrid or remote staff with training for protecting their home networks and devices is also important.
- Comprehensive Policy/IT Standards Review
When is the last time your overall policies and standards library was updated? With risks and technologies evolving so rapidly, recent changes to federal standards and requirements, and an increase in requirements for cyber insurance, it is important for your standards and policies to stay relevant and evolve as well. Consider planning for a revamp of your policy library and engaging key stakeholders to provide feedback on content, structure, and enforcement. From there, the organization can establish a regular schedule for policy review to evaluate overall effectiveness and make small adjustments as necessary.
- Third Party Vendor Management
According to IBM’s 2022 Cost of a Data Breach Report, 20 percent of breaches were caused by compromised third-party vendors. Due to the complexity of these events, the average cost rises from $4.34 million to $4.46 million. Though there is no silver bullet to preventing third-party breaches, properly vetting vendors initially through a risk assessment, understanding what responsibilities your organization retains, and having a program to monitor third-party compliance on an ongoing basis should be key components of your overall security program. Not only must you maintain a current list of service providers, but you should also have an agreement in place in which they acknowledge their responsibility for the security of the data they possess, or otherwise store, process, or transmit, on your behalf.
Incorporating these actions into your IT security and compliance programs will help safeguard your organization from cyber-attacks. Not sure how to execute some of these efforts? CampusGuard’s dedicated teams can help your organization implement these and other IT security and compliance services. To get started, contact us for more information!