As a CISO, your cyber security strategy plan drives data protection for the organization across every aspect of business processes including new hires and onboarding. It’s not uncommon for an organization to have an HR step where the hiring manager requests network account credentials and permissions for a new employee. Without the right procedures in place, hiring managers could ask for extensive permissions and violate the principle of least privilege. High-privilege accounts should be given with caution including virtual and physical access. With the right strategy plan in place, a CISO can maintain hardened cyber security compliance and still offer managers a smooth onboarding transition.
Phishing User Credentials is Big Business for Hackers
In last year’s Verizon Data Breach Investigations Report, a survey found that the second most common type of attack resulting in data disclosure was phishing. In this same report, 33% of attacks were from social engineering and 28% involved malware. These numbers are alarmingly high especially when more and more organizations store several data points on customers including financials, contact information and passwords. For many attacks, the goals are financial for an attacker, so they use phishing to gain access to accounts that provide permissions to sensitive data. High-privileged accounts are an attacker’s main target as these accounts can be leveraged for massive exfiltration of valuable data.
To avoid unnecessary privileges and thwart potential phishing attacks, a CISO’s cyber security strategy plan should include an onboarding checklist that ensures tightened protocols for a new hire’s network access. The following isn’t an exhaustive list, but this checklist has several questions that could be useful when determining an onboard permission process:
- What department will the employee be working for?
- What network resources does the employee need to access to perform their job functions?
- Who is the employee’s direct manager?
- Are extended privileges needed and for what job function?
- Is physical access to any resource necessary?
- If the hire is a transfer, what resources from the old position are no longer needed?
The last question involves onboarding an already existing employee transferring to a new position. Privilege accumulation is another real issue for organizations. If your cyber security strategy does not include revoking privileges when an employee transfers, the accumulated permissions can be used by attackers to make lateral moves across the network. Some CISOs perform regular reviews of user permissions to identify any unnecessary privileges that must be revoked to ensure this issue doesn’t happen.
Another challenge for CISOs is how frequent users should change their passwords. It’s widely considered an unnecessary and a dying concept to require mandatory password changes. Keyloggers can be used to capture password changes and identify user behavior patterns to figure out passwords even after they’ve been changed. Password expiration rules will also need to be determined during onboarding strategy planning.
Guidelines and Security Frameworks for New CISOs
A new CISO might be great at risk assessment7 but knowing the right guidelines and frameworks can be more of a challenge for someone who is unfamiliar with guiding businesses at the CISO level. To get started, the CIO and CISO Councils created a CISO Handbook that lays out the best standards and approach towards cyber regulations. The CISO handbook covers one of the most important frameworks for CISOs – NIST (National Institute of Standards and Technology) from the US Department of Commerce.
The NIST framework covers a roadmap for CISOs to get started with cybersecurity development and collaboration. Following the NIST framework will keep organizations aligned with PCI-DSS, HIPAA, and FISMA (to name a few of the most prominent). These regulatory guidelines control the way businesses protect data especially within a specific industry, but the NIST framework covers general guidelines that will protect the business as a whole.
Some other frameworks that a CISO should be familiar with include:
- ISO/IEC 27000 family – an international framework for managing security systems.
- SOC 2 – security standards that oversee data stored in the cloud.
- CIS v7 – general guidelines and standards for development of baseline security standards.
- COBIT – a framework for production performance that works well with cybersecurity.
- FedRAMP – standards specifically for government agencies.
Bringing an Organization into Current-Year Cyber Security Strategies
It’s not always easy changing cyber security protocols within an existing organization. A new CISO could have work cut out for him. One goal that should be communicated to the organization is that short-term convenience will be replaced with long-term cyber security protection that reduces risk of a massive data breach.
In addition to cyber security strategies, the CISO can launch training programs to empower users so that they can identify phishing and social engineering warning signs. User train has shown to reduce click-through rates from phishing email links from 25% in 2012 to 3% in 2018, so it can be a critical component of a strong onboarding strategy.
User onboard protocols, password policies and training should all be a part of a CISO’s cyber security strategy plan. CISOs should be tightly engrained in every user access request by standardizing an organization’s user account creation, management and deactivation procedures. In addition, user training familiarizes users with the pitfalls of phishing and social engineering and helps them recognize an attack. As challenging as it can be to get an organization on board with these protocols, a good CISO can explain the need for these steps to increase data protection and reduce risks that can cost millions in damages.