Why IT Security Best Practices Still Get Overlooked - And How to Fix It
Over the past 25 years or so, the internet has become one of the predominant vehicles for global commerce, government, and academia, to name a few. And like sharks following the scent of blood in the water, cybercriminals seeking financial profit or other mischief have developed highly sophisticated methods to extract valuable information from organizations whose IT security policies were not built around industry best practices.
IT security best practices can be loosely defined as any implementable procedures or policies that improve the efficiency and effectiveness of the organization while reducing its exposure to cyberattacks.
Companies still struggling to build hardened IT best practices into their organizational roadmaps are finding that the delay is costing them dearly.
According to a 2017 cybercrime study conducted by the Ponemon Institute and Accenture, the average number of security breaches per company now stands at 130, an increase of more than 27 percent over the previous year, with cybercrime costing heavily targeted industries such as financial services, utilities, and energy an average of more than $17 million per company per year.
Further, it is safe to assume there will always be potentially serious flaws and bugs in any new application or operating system. The Center for Internet Security issued no fewer than three major advisories in January 2018 alone covering vulnerabilities in PHP, Google's Android OS, and Microsoft software and operating systems.
Why are IT security best practices still being overlooked?
There are several reasons, ranging from an antiquated cybersecurity posture (the organization believes it will not be hit by a serious breach) and inadequate IT resources to failure to apply software patches in a timely manner and a lack of security awareness training.
But perhaps the biggest reason IT security best practices are still being overlooked is that IT managers have been guided by the mantra of “trust but verify” in designing their network security frameworks.
Today that policy is regarded as antiquated and risky: it assumes that anything already inside the network perimeter can be trusted, and the spread of mobile and remote devices means the perimeter no longer contains only managed, trustworthy systems.
What can be done to fix a clearly ineffective and broken cybersecurity model?
The new, recommended IT best practices posture is “Zero Trust”: in other words, never trust, always verify. No user, device, or network location is trusted by default, and every access is verified.
Cambridge, Massachusetts-based research and advisory firm Forrester proposed a Zero Trust model based on the following concepts:
Ensure all resources are accessed securely regardless of location.
Assume that all traffic, internal and external, is a threat until it is verified: authenticate and encrypt traffic in transit with Transport Layer Security (TLS), and encrypt sensitive data at rest, for example with Transparent Data Encryption (TDE) for databases. Note that TDE protects stored data, not traffic, so it complements TLS rather than replacing it. This policy is meant to lock down the network against internal threats as well as external ones, both of which are increasingly common.
Adopt a least-privilege strategy and strictly enforce access control.
Remove the temptation to reach into restricted resources by implementing role-based access control (RBAC): grant each role only the access its job requires, and do not assume users have rights to every part of the system. Another good policy to adopt is multi-factor authentication (MFA), a method of granting access only after several independent pieces of identity evidence are presented.
Inspect and log ALL traffic.
Many IT professionals log traffic, but only passively. Zero Trust mandates that all network traffic be monitored in real time in an unobtrusive manner. This may involve adopting network analysis and visibility (NAV) tools that inspect and analyze user behavior, packet captures, and network traffic patterns.
Build a Zero Trust network architecture.
For IT best practices to be truly effective at shutting down bad actors, a whole new approach to building networks from the inside out has to be adopted: the network has to be designed with Zero Trust concepts in mind.
Key concepts for building a Zero Trust network architecture include:
- Build a security and compliance-friendly network that is segmented by default
- Adopt multiple parallelized switching cores, much as a multi-core laptop distributes processing across cores while the operating system provides centralized management
- Manage from a central console to better control traffic of all networking elements
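The access-control, MFA, logging, and segmentation concepts above, as an added example that is not from the article or from Forrester: a small default-deny policy decision point in Python, set beside the “trust but verify” perimeter check the article calls antiquated. All role names, segment names, resource names, and MFA freshness windows are assumptions made for illustration.

```python
# Added example (not the article's or Forrester's code): a default-deny
# Zero Trust policy decision point next to a legacy perimeter check.
# Roles, segments, resources and MFA windows below are assumed values.
import json
import time
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set, Tuple

# Least privilege: every grant is explicit (role -> {(resource, action)}).
# Anything not listed is denied, no matter where the request comes from.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "clerk":   {("ledger", "read")},
    "analyst": {("ledger", "read"), ("reports", "read")},
    "dba":     {("ledger", "read"), ("ledger", "write"), ("backups", "restore")},
}

# Segmented by default: which network segments may reach each resource at all.
# A resource missing from this map is reachable from nowhere.
SEGMENT_ALLOW: Dict[str, Set[str]] = {
    "ledger":  {"app-tier"},
    "reports": {"app-tier", "analytics"},
    "backups": {"ops-jump"},
}

# Resources that need a recent multi-factor assertion; max age in seconds.
MFA_MAX_AGE: Dict[str, int] = {"ledger": 900, "backups": 300}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    src_segment: str
    mfa_age: Optional[float]   # seconds since the user's last MFA; None = never


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Inspect and log ALL traffic: every decision, allowed or denied, is recorded.
AUDIT_LOG: List[dict] = []


def legacy_perimeter_decide(req: Request) -> Decision:
    """The 'trust but verify' posture: anything already inside the perimeter
    is trusted; only traffic from outside is checked."""
    inside = {"corp-lan", "app-tier", "analytics", "ops-jump"}
    if req.src_segment in inside:
        return Decision(True, "internal source, implicitly trusted")
    return Decision(False, "external source")


def zero_trust_decide(req: Request, now: Optional[float] = None) -> Decision:
    """Default-deny evaluation: segment, role grant and MFA freshness must all
    pass. Being inside the network earns nothing on its own."""
    decision = _evaluate(req)
    AUDIT_LOG.append({
        "ts": time.time() if now is None else now,
        **asdict(req),
        "allow": decision.allow,
        "reason": decision.reason,
    })
    return decision


def _evaluate(req: Request) -> Decision:
    if req.src_segment not in SEGMENT_ALLOW.get(req.resource, set()):
        return Decision(False, f"segment {req.src_segment} may not reach {req.resource}")
    grants = ROLE_GRANTS.get(req.role, set())
    if (req.resource, req.action) not in grants:
        return Decision(False, f"role {req.role} has no grant for {req.action} on {req.resource}")
    max_age = MFA_MAX_AGE.get(req.resource)
    if max_age is not None and (req.mfa_age is None or req.mfa_age > max_age):
        return Decision(False, f"MFA older than {max_age}s or absent")
    return Decision(True, "explicit grant; segment and MFA checks passed")


def audit_json_lines() -> List[str]:
    """The audit trail as JSON lines, ready to ship to a SIEM or NAV tool."""
    return [json.dumps(entry, sort_keys=True) for entry in AUDIT_LOG]


if __name__ == "__main__":
    # Constructed scenario: a clerk's account on the corporate LAN (say, a
    # phished laptop) tries to write to the ledger.
    stolen = Request("alice", "clerk", "ledger", "write", "corp-lan", None)
    print("legacy     :", legacy_perimeter_decide(stolen))
    print("zero trust :", zero_trust_decide(stolen))
    # A DBA from the app tier with fresh MFA is allowed; the same DBA from the
    # wrong segment, or with stale MFA, is not.
    print(zero_trust_decide(Request("dave", "dba", "ledger", "write", "app-tier", 60)))
    print(zero_trust_decide(Request("dave", "dba", "backups", "restore", "app-tier", 60)))
    print(zero_trust_decide(Request("dave", "dba", "backups", "restore", "ops-jump", 3600)))
    for line in audit_json_lines():
        print(line)
```

Two design choices are worth noting. Every request is logged, allowed or denied, because the denied ones are what reveal a compromised account probing for access. And the checks are layered, with the segment boundary evaluated before the credential, so the segmentation holds even when a credential is stolen.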
Today’s cybersecurity landscape is comparable to a modern battlespace: many moving parts, many actors, and ever more complexity. There simply is no going back to the days of hoping a security breach will pass you by.
Overlooking IT best practices like Zero Trust will most likely be a costly mistake.
While some best practices, such as rebuilding the network architecture, may require significant financial resources to implement, others, such as enforcing access control and paying closer attention to real-time logging of traffic, are more a matter of cybersecurity mindset and are easier to put in place.
When your organization adopts IT best practices like Zero Trust and rethinks how your network is structured to fend off cyberattacks, you’ll be in a better position to prevent unauthorized use and theft of company data and prevent or limit serious financial losses.