Perhaps the most neglected element of security is simply network and device hygiene. While new, innovative threats continue to pop up on almost daily, our latest Global Threat Landscape Report reveals that long known and yet still unpatched vulnerabilities continue to serve as the primary gateway for attacks, with organizations reporting an average of 274 attacks per firm – a 82% increase over the previous quarter. This alarming trend emphasizes that while remaining vigilant for new threats and vulnerabilities in the wild is critical, organizations also need to stay focused on what is happening within their own environment.
The challenge is that while we all know that good cyber hygiene is a fundamental best practice, it can be hard to prioritize. It’s just one example of the sorts of things that IT teams need to track every day on top of whatever digital transformation projects are capitalizing their time and resources. To complicate things further, vertical markets each have their own unique risk and compliance concerns, which means there is no quick, universal answer to the challenge of how to keep your network secure.
From kindergarten to universities, educational networks generally need to be open for their technology to be most effective. Students and teachers not only need to connect their devices to the network using a variety of endpoints, many of which are personally owned, but peer-to-peer networks – which are notoriously vulnerable – are also regularly used. And often, the population of preteens, adolescents, and young adults that use these networks spend a significantly greater amount of time and energy pushing against network limitations and restrictions than any group of users in any other vertical.
While school networks are becoming more open, and more devices than ever require access, administrators are also contending with budget and personnel limitations. These challenges make it difficult to build teams with the IT infrastructure and cybersecurity skillsets these networks demand.
That’s just the start. Not only must educational institutions have the technical and strategic capabilities in place to mitigate such threats, but they have the added burden of also ensuring they are in compliance with such regulations as the Children’s Internet Protection Act (CIPA), the Family Educational Rights and Privacy Act (FERPA), and even the Health Insurance Portability and Accountability Act (HIPAA).
The healthcare sector has been capitalizing on digital advancements to improve overall patient experiences and outcomes through the adoption of electronic health records (EHRs), the increased use of medical applications, online patient portals, connected medical devices and wearables, and long-distance consulting between physicians and experts across the globe.
However, interconnected networks and devices also introduce increased cyber risks in an environment where downtime can actually put lives at risk. Security measures are essential to preserve patient privacy, meet HIPAA compliance standards, and protect critical infrastructure.
The new Internet of Medical Things (IoMT) poses an especially significant challenge. These devices, along with the web applications patients use to interact with them, are often programmed to access classified information stored on hospital networks. Too often, these IoMT devices are not built with security as a primary consideration, which makes them an attractive entryway into healthcare networks for cybercriminals.
At the same time, healthcare professionals, especially physicians, often insist on connecting their own devices to the hospital network. These devices are also usually connected to their own clinics or offices, as well as their personal lives. As a result, network security protocols need to deal with an increased number of uncontrolled endpoints and the associated volume of data requests to ensure that critical data and information remains secured.
Over the past couple of years, the highly valuable data that healthcare organizations contain have made them an increasing target for cybercriminals and the growing sophistication of the cyberattacks they have developed. For example, over the past two years we have seen a drastic increase in the number and severity of ransomware attacks carried out against healthcare providers.
With GDPR taking effect in May of 2018, and similar far-reaching legislation pending, failure to meet privacy regulations and security compliance standards brings an entirely new level of financial penalties and associated reputational risk. This means that not only will a security breach damage the digital trust that you have built with your customers, employees, investors and other stakeholders, but the resulting financial penalties have real teeth, potentially adding millions to the already steep cost of a cyber event.
This is part of a global trend towards legislation that requires the financial industry to step up its security game. Last June, for example, China’s new Cybersecurity Law went into effect. The Chinese government intends to use this law to better align with industry and global cybersecurity standards by placing additional requirements on network and system security for critical infrastructure. This law will directly impact the financial services sector as it has been designated as a critical information infrastructure.
A new Cybersecurity Bill was also drafted by Singapore’s Cyber Security Agency in July 2017. It contains potential regulations that specifically affect banking institutions. The Cyber Security Agency in Singapore wants greater visibility and authority into how data is used, processed and stored, and this bill would require CIIs such as financial services to report any cyber incidents to the Commissioner of Cybersecurity, along with details around any modifications to their system design or security.
Conducting a Cyber Threat Assessment
For many organizations, getting a handle on these unique security challenges and compliance requirements is beyond the scope, resources, or skills of their security team. Often, even getting started is hard because, as the old adage goes, you don’t know what you don’t know. Which is why a good place to start is with a cyber threat assessment that evaluates network security protocols and policies, measures things like application usage and network performance, and assesses access controls and methods, device onboarding, and incident response. This information provides IT teams with a baseline of their current state that can be used to measure their desired state against. This will not only help them discover gaps in their security, but also identify where they should focus on best practices or deploying more integrated frameworks and solutions.
Best practices start with an inventory of systems, applications, endpoints, and user access controls, along with identifying the critical role each of those elements plays on the network. IT teams then need to look at the network holistically, including remote offices, cloud-based services, and multi-cloud infrastructures. This process provides IT teams with clarity into every technology asset operating within their network, along with deep visibility into vulnerable applications, processes, and protocols, including which applications and application vulnerabilities are putting the network at risk, what malware or botnets exist in the environment, and which devices require patching, replacing, or specialized protections.
Due to the sensitive and highly valuable data they hold, educational institutions, healthcare organizations, and financial services firms are among the most-often targeted verticals. And with targeted attacks growing in both volume and sophistication, these industries have a mandate to prioritize security, practice good hygiene, and determine and respond to risk. Risk assessments that pay special attention to your vertical’s specific threats will help you in the battle to combat today’s expanding threat environment and prioritize the next steps.
This byline originally appeared in CSO.
For more information, download our paper and learn about the top threats that enterprise security leaders are being forced to address and the security approaches to evalutate to protect against them.