Security Awareness as a first line of defence

Essential security awareness points include:

  • Evolve and establish a security-centric working culture. People are often your weakest link but become your greatest strength with an effective security awareness programme in place.
  • Empower employees to avoid, prevent and report security incidents. Human error is a leading cause of data breaches. Security awareness allows employees to feel confident about their involvement with data and compliance with corporate policies.
  • Write and implement security policies. Implementing policies, establishing working practices, and deploying software to support compliance will help mitigate identified risks. Security awareness training will reinforce the policies.
  • Protect corporate assets and reputation. Loss from security breaches can be far more than data and financial; reputational damage could quickly result in a significant loss of clientele which in some cases could mean the end of the business.
  • Reduce and prevent service downtime and expended investigative and repair effort. Recovering from cyber attacks can be costly, such as needing all hands on deck to get back up and running, losing orders while services are offline, cost of external help and severe disruption to business as usual activities.
  • Implement proactive security practices. Learning about specific risks will help you evolve from a culture of reacting and recovering from attacks to preventing attacks through increased vigilance.
  • Encourage the reporting of observed security risks. With an increased awareness of risk, employees become a valuable source of intelligence and insight throughout the business.
  • Reduce threats and risks by continuously expanding security awareness. Continous training as the threat landscape changes is essential for users to recognise and avoid attacks.

Implementing Risk Management

Key Risk Management points include:

  • Identify and manage risk within your business. Encourage your workforce to report threats to your company and maintain the details in one or more risk registers. Audit critical systems and identify compensating control requirements.
  • Evaluate risks in terms of probability and severity. An assessment will allow you to take a risk-based approach to determine the priorities and allocation of financial and human resources to improve your security posture.
  • Decide on the approach to treat identified risks. Reduce the overall risk by reducing the likelihood of an event, reducing the impact, removing the source, or sharing the risk with other parties. If mitigation costs are disproportionate to an event’s consequences, risk acceptance is a viable option for consideration.
  • Mitigate risks with tactical remediation and strategic solutions. Identifying risks and fixing current problems is only part of the solution; it is crucial to have robust systems, policies, and procedures to prevent history from repeating itself during ongoing business as usual activities. Remediating existing problems and preventing new ones are both essential.
  • Implement governance throughout the business. Establish risk committees in multiple areas of the organisation to discuss the most critical threats, the action plans, stakeholder management, and a robust framework for reporting risks to the directors and board members.

Governing Hardware Assets

Essential Hardware Asset Management (HAM) points include:

  • Maintain an accurate inventory of hardware. Having a definitive list of hardware assets belonging to your business will allow you to identify rogue devices connected to the network quickly.
  • Identify new assets connected to the network. Capturing data about new assets helps maintain an accurate inventory and helps identify rogue devices.
  • Maintain ownership and responsibility records for portable hardware assets, including tablets, laptops and mobile telephones.
  • Choose the right hardware asset management product to fit your environment. Ensure that the solution works within your technology ecosystem rather than falling into the trap of purchasing and installing a new platform and technologies.
  • Maintain accurate asset valuations for accounting purposes. An up to date asset register with purchasing information will allow you to generate current valuation reports that factor in asset disposal and depreciation, and to quickly identify candidates for any hardware refresh projects.
  • Maintain an active support database. Accurate information about each hardware asset, including software installations, will support any troubleshooting activities.

3rd Party Credentials

Storing login credentials within 3rd party apps can introduce significant security risks. I recently tested an application to determine its usefulness and fitness for purpose. As with several other applications experimented with over the years, this one included the option to integrate directly with other systems; in this case, one of the social media platforms. In the settings, a configuration option was available to add the user name and password so that the application could connect to access data directly. A couple of examples include:

  • Banking applications which allow connections to several bank accounts where data is collected from multiple sources to create a financial dashboard
  • Apps that connect to file storage systems, such as to catalogue songs and create playlists

These tools offer useful functionality, but there are security implications with this concept. Firstly, let’s not confuse this with single sign-on (SSO) capability. Many websites and applications integrate with Facebook and Google for login purposes, but when signing in with Facebook or Google, the apps don’t have direct access to the login credentials. The quantity of data shared through this process has been controversial and has drawn vast media attention. However, the focus here is on cases where applications ask for login credentials to be entered and stored for subsequent use, and where the application has direct access to the credentials. Essentially, this permits the application to access other systems and, by extension, potentially gives the people behind the application access to those systems.

How do you know what these applications are going to do with your login credentials? The logon credentials could be stored securely, but could just as easily find themselves held in plain text in a database with little or no security. Applications can easily be custom made to offer something useful to the target audience, with the hidden agenda of capturing user credentials given willingly by their users.

Banking organisations and social media platforms invest significant resources to improve security. It doesn’t make sense to hand the credentials for those accounts to apps that may have been developed by a small business or one person with minimal resources and information security capability.
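The distinction drawn above, between an app that stores your username and password and a sign-in style integration that only ever holds a scoped token, can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the article or from any real platform. The `Platform`, `CredentialStoringApp` and `TokenApp` classes, the action-to-scope table and the user `alice` are all constructed stand-ins. It shows two properties a defender cares about: a password-holding app can do everything the account owner can (including actions that take over the account), and the owner cannot cut it off without changing their password, whereas a token-holding app is limited to its granted scopes and can be revoked.

```python
import hashlib
import secrets

# Actions a connected app might attempt and the scope each one needs.
# A password login implicitly carries every scope, including the one
# that lets the caller take over the account (constructed table).
ACTION_SCOPES = {
    "read_timeline": "read",
    "create_post": "write",
    "change_password": "account",
}


class AccessDenied(Exception):
    pass


class Platform:
    """Toy account provider standing in for a bank or social network."""

    def __init__(self):
        self._creds = {}    # user -> (salt, pbkdf2 hash of the password)
        self._tokens = {}   # token -> (user, frozenset of granted scopes)
        self.audit = []     # (user, action, kind of credential presented)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._hash(salt, password))

    def _check_password(self, user, password):
        salt, digest = self._creds.get(user, (b"", b""))
        if not salt or not secrets.compare_digest(digest, self._hash(salt, password)):
            raise AccessDenied("bad username or password")

    def issue_token(self, user, password, scopes):
        """Delegated access: the user authenticates with the platform directly
        and only the resulting scoped token is handed to the app."""
        self._check_password(user, password)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scopes))
        return token

    def revoke_token(self, token):
        self._tokens.pop(token, None)

    def act_with_password(self, user, password, action):
        # Any action is allowed once the password checks out; the toy only
        # records that the caller could perform it.
        self._check_password(user, password)
        self.audit.append((user, action, "password"))
        return True

    def act_with_token(self, token, action):
        if token not in self._tokens:
            raise AccessDenied("token revoked or unknown")
        user, scopes = self._tokens[token]
        if ACTION_SCOPES[action] not in scopes:
            raise AccessDenied(f"token lacks scope {ACTION_SCOPES[action]!r}")
        self.audit.append((user, action, "token"))
        return True


class CredentialStoringApp:
    """The integration style the article warns about: the app keeps the password."""

    def __init__(self, platform, user, password):
        self.platform, self.user, self.password = platform, user, password

    def run(self, action):
        return self.platform.act_with_password(self.user, self.password, action)


class TokenApp:
    """Sign-in style integration: the app only ever holds a scoped token."""

    def __init__(self, platform, token):
        self.platform, self.token = platform, token

    def run(self, action):
        return self.platform.act_with_token(self.token, action)


def allowed_actions(app):
    """Map each action to whether the app can perform it."""
    result = {}
    for action in ACTION_SCOPES:
        try:
            result[action] = app.run(action)
        except AccessDenied:
            result[action] = False
    return result


def compare_integrations():
    """Exercise both app styles before and after the user revokes the token."""
    platform = Platform()
    platform.register("alice", "correct horse battery staple")  # constructed user
    stored = CredentialStoringApp(platform, "alice", "correct horse battery staple")
    token = platform.issue_token("alice", "correct horse battery staple", {"read"})
    delegated = TokenApp(platform, token)

    before = {"stored": allowed_actions(stored), "delegated": allowed_actions(delegated)}
    platform.revoke_token(token)  # the owner cuts the app off without a password change
    after = {"stored": allowed_actions(stored), "delegated": allowed_actions(delegated)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(compare_integrations())
```

Running `compare_integrations()` shows the password-holding app succeeding at every action, including `change_password`, both before and after revocation, while the token-holding app can only read the timeline and loses even that once the token is revoked. The same model also illustrates the article's "dedicated account" option: handing an app the password of a separate, low-privilege account bounds the damage in the way the scoped token does, at the cost of managing another account.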

Here are some options to reduce the risks:

  • Don’t give 3rd party user credentials to apps, websites or other services
  • Exercise vendor and application due diligence before adding 3rd party user credentials
  • If 3rd party application integration is essential, consider creating a dedicated account to use. Depending on the purpose, this may or may not be a viable option.

It is best practice never to share your username and password with anyone. Sharing your usernames and passwords with 3rd party applications can have the same or worse consequences.