Tackling common misconceptions about enterprise security
Proper cyber hygiene is a desirable but sometimes elusive practice for many organizations, and it can be hard to separate fact from fiction. Read on as Miguel Sian, Merlin’s Director of Solutions Architecture and Engineering, busts a handful of security posture myths.
Most organizations would agree that proper cyber hygiene is essential for maintaining their cybersecurity posture. Each will also likely affirm that they practice good cyber hygiene; yet, we find that many have considerable blind spots. We’ll shine a light on these blind spots by exposing five of the biggest myths about cyber hygiene.
First, a primer. What is cyber hygiene? The CERT Resilience Management Model (CERT-RMM) defines cyber hygiene as a set of practices for effectively managing the most common and pervasive risks to the organization. The Center for Internet Security (CIS) defines cyber hygiene as a set of baseline cybersecurity protections that help to secure an organization. Fundamentally, cyber hygiene involves the strategies and activities that ensure your enterprise IT security is in tip-top shape (health) and protecting your organization from threats (prevention).
Proper cyber hygiene spans people, process, and technology. It starts with having complete visibility of all your assets, followed by effective security tools and processes to identify, detect, and protect your assets against threats. Last but not least, you must implement effective access management. With this as the backdrop, let’s quash five common myths about cyber hygiene.
“We have several management tools (i.e., NAC, SCCM) and a CMDB that ensure we know precisely what’s on our network.”
How many CISOs honestly believe that they have a truly accurate count of their hardware and software assets? Just one glance at two systems management tools (vulnerability management and Active Directory) would likely reveal a discrepancy in the total number of computer accounts in your enterprise. Furthermore, increasing cloud adoption and remote work can undermine your assumptions about what is on your network.
“My users and endpoints are adequately protected with endpoint security tools such as anti-virus and EDR, along with policies we’ve implemented to protect our devices.”
Anti-virus and endpoint detection and response (EDR) solutions have long been good practices for endpoint hygiene, but they are no longer enough. New, emerging threats in the hardware layer – on mice, keyboards, webcams, switches – can go undetected by these endpoint security solutions. Furthermore, attacks on the supply chain compound the risks from these emerging threats.
“We have security tools and processes established for configuration management, patch management, and vulnerability management that ensure our basic security hygiene.”
Organizations often overlook, and fail to adequately monitor, the tools and processes that carry out these basic security hygiene tasks. This is likely a result of lacking a central place to monitor the configuration and effectiveness of all their enterprise tools. Furthermore, organizations typically can’t relate these security challenges to overall business impact. For a complete picture of cyber hygiene, it’s important to know the tools’ security posture, their effectiveness in meeting the organization’s security controls, and how they protect the applications that deliver on the business outcomes.
“Our annual compliance audits against industry security frameworks provide adequate security and communications for our stakeholders.”
Regular audits are essential, and frameworks such as NIST CSF provide a comprehensive set of security guidance. Yet we’ve found that organizations are unable to continuously monitor their most critical security controls. As a result, organizations are unable to prioritize what’s truly important or to effectively communicate the risks across the enterprise.
“We have controls that ensure proper access management.”
If this is true, we should not be seeing an increase in data breaches, since a majority start with privileged credential abuse. Organizations must take a comprehensive approach to access management. There are silos of identity sources and disparate identity management tools in the enterprise, which makes securing access across the enterprise challenging. It’s critical to establish visibility, then monitor the security controls for access to critical systems.
It’s time to take a strategic approach to cyber hygiene. With today’s rapidly shifting situation in IT and business, risks and uncertainties abound. A renewed focus on the fundamentals of cyber hygiene provides us with the key principles and foundation needed to establish a comprehensive cybersecurity posture for our enterprise.