THE BLOG
-
May 31, 2022Trust but Verify
The landscape of technology has changed drastically over the past two decades. Companies trying to do it all themselves is a thing of the past. SaaS, PaaS and IaaS are all the rage and organizations are adopting solutions to run many aspects of their businesses. With this evolution comes risk. Even as companies look to lessen their burden of onsite data and regulatory obligations by pushing them off to third party vendors, security remains a major concern.
Today, organizations must enter into relationships with trust, but not trust alone. Contracts are a must and verification of security practices is too. All too often, companies look past the security concerns assuming that if the software they are going to use is out in the marketplace, that it must be secure.
Unfortunately, there are many software companies that go to market without a clear security plan, and without the proper controls in place. It is imperative that organizations take the time to ask about security practices and obtain attestation letters stating the solution has been penetration tested appropriately. Also important is to receive concrete assurances that security protocols are being followed, delivering upon the regulatory needs of the company, and aligning to the risk appetite of the organization.
Be sure to look at new third party vendors and ask security questions ahead of signing the contract. Before a signature, the vendor is more likely to share information quickly as it is holding up the contract from being executed. Additionally, you can make decisions about moving forward without the legal trouble of undoing a contract if this information is requested early enough in the process.
If you decide to move forward despite security gaps, track the risk and follow up with the company periodically to see if the risks have been remediated. And if your third-party software vendor doesn’t have penetration test results feel free to send them our way.
-
Mar 31, 2022Human Firewalls Need Updates Too
Many organizations have rolled out multi-factor authentication (a must) and other controls to protect their networks. Email threat detection is deployed and URL rewriting in place. Investments are made in antivirus, EDR, and threat detection solutions; vulnerability scanners are used to scan for known risks. Even with all the layers, technologies cannot protect your organization fully. Your Human Firewall is critically important.
Your Human Firewall = your users. Education of users is usually considered, even implemented to a point. Once is not enough though! Even annually does not cut it anymore. Ongoing security education within emails, newsletters, team presentations, training, phishing simulations, and individual follow-ups are all part of a comprehensive program. Reinforcing the tools available for data protection, detailing social engineering scenarios and things to look for, and reiterating acceptable use policies should all be included.
Let's be honest, your users are busy. They are looking at emails quickly on cell phones and are not paying as close attention to security threats as you would like. Security it not always top-of-mind and needs to be reinforced as a regular part of everyone's role - NOT just annually when completing compliance training.
There are certainly lots of tools available for security awareness and phishing if you have the budget. If you don't, maybe consider allocating budget next year. But keep in mind that education can happen via tools you already own - emails, newsletters, PowerPoint slides, hand-outs, team meetings, etc. However you do it, just make sure you do it. You will be glad you did.