When it comes to having a strong security posture, a "set-it-and-forget-it" mentality is exactly what you want to avoid. Having the best possible approach to security requires research, ongoing monitoring, maintenance, frequent updating, and flexibility in pursuing new solutions if they become necessary.
A recent Wired article described the possible pitfalls of multifactor authentication (MFA) methodologies. In spite of its benefits, even MFA is not impervious to the evolving work of cyber criminals. As detailed in the article, "MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account … some forms of MFA are stronger than others, and recent events show that these weaker forms aren't much of a hurdle for some hackers to clear."1
In this instance, attackers prey on the human element, sending multiple push prompts or one-time password notifications to trick the user into accidentally providing access. While MFA remains an essential security practice, this threat demonstrates that even our best efforts are not perfect. Furthermore, it underscores the need to periodically assess the efficacy and appropriateness of organizational security strategies.
A frequently overlooked aspect of our security practices and policies is physical security, especially as it relates to remote-work environments. Depending on the size and needs of a given organization, physical security requirements may vary substantially. Throughout the COVID pandemic, many changes were made in how and where we work. As things have begun to normalize, many organizations now have a combination of in-office employees and those working remotely. This is often even more pronounced during the summer months as people are out of the office for travel and vacations.
Regularly assess physical security needs and the "real-life" application of how measures are implemented. Employees should be trained in how to best protect company property and data—whether digital or physical—both inside and outside of the physical office. It is critical to standardize and enforce simple measures such as encryption, screen locking, and virtual private network (VPN) use. It is also important that all employees know how and when to report security incidents, including stolen devices.
Speaking of stolen devices, access control policies (and the ways in which they are enforced) should be assessed periodically. In particular, access controls are important to remember when employees leave an organization. Ensure that termination procedures include how company devices, such as laptops, are properly retrieved. It is often the case that former employees will leave with company property and/or administration credentials, and this is only realized much later.
Upon termination, former employees should no longer be able to access company data or devices. Reviewing access controls also extends outside of an organization to third-party vendors. Periodically assessing who can access your data, and for what purpose, helps in managing risk.
In addition to proactively trying to limit risk, incident response and business continuity plans prepare an organization for the worst. Even the simplest errors in these plans can have a detrimental impact on a company's immediate ability to respond to a cyber threat when it arises. As an organization evolves and grows, so too should these plans.
Review incident response procedures for accuracy, including information pertaining to communication channels, job roles, key stakeholders (such as subject matter experts), assets, and processes. Routinely updating—and practicing—these plans allows for a more controlled "real-life" response. Efficient incident response is critical for mitigation.
From incident response procedures to MFA methods to remote-work policies, there is always room for improvement of security measures. Some of the things that we take for granted as best practices may also need updating now and again. As organizations more commonly adopt a hybrid approach to working environments, employees are even more responsible for maintaining their individual security postures. Incident response and business continuity plans are most effective when well-practiced, and frequent review of written procedures helps unearth any weaknesses. No single security measure is perfect, and the strongest security cultures are those that are consistently looking to improve.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.