While IT security compliance starts with a strong IT foundation, it should comprise much more than an organization’s core IT systems and department. IT departments are just one group that uses a company’s IT systems, infrastructure, and applications. Given this focus on technology, it is worth considering that the most overlooked success factor in delivering IT security compliance best practices is your people.
IT security compliance planning: The human element
Successful IT security compliance starts with a plan, and a plan isn’t complete without addressing the factor that incurs the most risk: humans. In 2019, IT resource misuse by employees caused 50% of security breaches, and human error caused 90% of breaches, according to a U.K. study.
Your people are also a cybercriminal’s prime target in an attack. For example, spear-phishing is on the rise as professional hackers learn how to target and dupe unsuspecting employees. No matter the security technology deployed in your organization, bad actors continue to target your employees to gain access to your network because it works.
Too often, companies focus strictly on technology as part of their security compliance strategy, which can create concerning blind spots. Failing to equip staff with the knowledge and resources they need to maintain appropriate security standards potentially exposes organizations to breaches caused by human error, sophisticated hacks, and a lack of preparedness. An IT security compliance plan with limited scope also fails to instill best practices after a breach, further allowing the fallout to compound and cause more severe consequences.
With so much at stake, how can businesses create a reliable and robust IT security compliance plan?
Start with the Basics
A comprehensive security compliance plan that extends beyond IT only works when founded upon strong IT compliance principles. Before delving into the “beyond-IT” considerations, it’s important to make sure the information technology elements in your security compliance plan are sound. Your plan should include (as a minimum) the following best practices:
- Change the name of the default administrator accounts. Hackers commonly target admin accounts, and account names like “admin” are not only predictable but more common than you might think.
- Enable user account lockouts after too many failed logins. Yes, it can be tedious for employees when they’re locked out of their accounts because they forgot a password. It can also create additional work for your helpdesk team. However, those issues are insignificant in comparison to your network being cryptolocked because cybercriminals were able to brute-force an admin password with unlimited guesses. (They use scripts to automate this work.)
- Deploy cloud-based web filtering. Web filtering allows you to control the types of content and sites reachable from your network and devices. Cisco Umbrella, a popular choice for its robust and thorough security, has content-based filters covering more than 80 categories, millions of domains, and billions of web pages.
- Implement patches in a structured, timely manner. Failing to deploy updates and security patches regularly exposes your network to vulnerabilities that are easy for hackers to find and target. Do it regularly and in a structured, deliberate manner.
- Segment admin roles. If a user needs admin rights, create two profiles: an admin profile and a regular profile. Because the user does most of their work in the account with limited permissions, this approach reduces the damage if they are compromised by phishing and similar attacks.
- Implement air-gapped backups, isolated from the primary network. This is the process of physically moving a copy of your data to a remote location not connected to the internet.
These are just a few examples of security best practices. A comprehensive IT security plan should be much more detailed than this. If you’re unsure where your business’s IT security stands, you may consider establishing a baseline with a security awareness assessment.
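As an added example (not from the original article), here is a small Python model of the lockout rule described above: failed logins per account are counted inside an observation window, and the account locks for a fixed duration once the threshold is reached, so an automated guessing script gets only a handful of attempts before it is cut off. The threshold, window, duration and sample events are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Policy values are constructed for this example; tune them to your environment.
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks
OBSERVATION_WINDOW = 300     # seconds over which failures are counted
LOCKOUT_DURATION = 900       # seconds the account stays locked

@dataclass
class AuthEvent:
    ts: int        # seconds since epoch (constructed sample timestamps)
    user: str
    success: bool

class LockoutPolicy:
    """Tracks failed logins per account and enforces a lockout threshold."""
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def process(self, event):
        """Returns 'locked', 'allowed', or 'rejected' for one login attempt."""
        user, now = event.user, event.ts
        if self.is_locked(user, now):
            return "locked"                  # rejected before the password is even checked
        window = self.failures[user]
        while window and now - window[0] > OBSERVATION_WINDOW:
            window.popleft()                 # forget failures outside the window
        if event.success:
            window.clear()
            return "allowed"
        window.append(now)
        if len(window) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            window.clear()
            return "locked"
        return "rejected"

def replay(events):
    """Runs a list of events through a fresh policy and returns the outcomes."""
    policy = LockoutPolicy()
    return [policy.process(e) for e in events]

# Constructed sample: a scripted guess burst against 'admin' and one normal user.
SAMPLE_EVENTS = [AuthEvent(1000 + i, "admin", False) for i in range(6)] + [
    AuthEvent(1010, "admin", True),       # correct password, but the account is locked
    AuthEvent(1020, "alice", False),
    AuthEvent(1025, "alice", True),
]
```

Note that the guess burst is rejected after the fifth failure and even a correct password is refused while the lock is in force, which is exactly the behaviour that stops unlimited automated guessing.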
Taking IT Security Compliance Beyond the IT Department
In the previous section, we explained that IT security is about more than technology alone. The two key elements are planning and training. Businesses need to look at their people and operations as a whole.
Incident response and business continuity planning, for example, should account for what’s unique in the business environment so that the response to and recovery after a security event or disaster is appropriate. What works for one business may not work for another. If you had a plan in place before the majority of your workforce started working remotely, make sure you update it to reflect remote or hybrid-remote contingencies.
All employees need regular education and training on standard best practices so that they’re able to respond appropriately to incidents when they do occur.
Security Awareness Training
We strongly believe that “defense wins championships,” which for businesses means training. Security awareness training helps employees understand how to recognize and respond to evolving threats. For example, employees should receive email security training to understand what email threats look like, what they should do when they receive a phishing email, and how they should report the suspected attack.
Security awareness training should also cover personally identifiable information (PII) and data privacy compliance. Employees should understand what constitutes PII, how to handle it securely, and how to recognize and respond to threats to it.
Lastly, establish corporate policies about storing personally identifiable information on corporate networks. In short, don’t.
Establish an Awareness Baseline
With security awareness training, the first step to success is to establish a measurable baseline of current awareness. This should take place before staff become aware they are being evaluated. As email is often the first line of defense against threats, a common form is a phishing simulation test.
Baseline results can often be startling and a real wake-up call for executives. In a 2020 survey, KnowBe4 found that 37% of untrained employees clicked a simulated phishing email link. In mid-size business services companies, that number jumped to 43.5%. Ninety days of training cut the average number of people who clicked the links by over 50%.
Many companies miss the baseline step, jumping straight to training when they realize there’s a gap in security awareness. However, without measuring that gap, businesses can’t measure progress or testing effectiveness.
How to Implement Training
Once businesses establish a baseline, they can measure progress as they begin training. Training and testing should be regular and scalable. Companies should be able to track progress, identify areas for remediation, schedule additional training, and scale training as needed. We recommend monthly or quarterly training for most companies.
Companies should have a tool in place that can facilitate and report on regular awareness testing, and they should update training modules often to address emerging threats. Testing solutions should be scalable, readily adjustable, and able to report on results. KnowBe4 is a leading provider of security awareness training, offering engaging training modules (some are even formatted like dramas and sitcoms), which it can assign automatically on a fixed schedule or according to the remediation needs revealed by test scores.
Incident Response Training
Incident response training takes security awareness training further and includes the actions, communications, and protocols that follow a breach, for all employees. The entire organization (IT and non-IT) should be thoroughly prepared to respond to different breach types. Ask yourself questions such as: if email or collaboration tools are compromised, does your leadership team have a way to contact employees?
Incident response training should be holistic and unique to the company’s setup and needs. It should establish the protocols and best practices for assessing and responding to security incidents.
Best Practices Training
While the response to threats and incidents is critical, businesses should train IT and non-IT employees on preventing incidents from occurring in the first place. This includes educating every employee about how IT compliance standards affect them and their department and instilling a broad understanding of the company’s security posture. For example, employees should understand which files should be stored in the cloud versus on company servers, the dangers of storing files locally, everyone’s role in a security incident (or even a physical disaster), data confidentiality practices when handling customer information, and other security best practices.
Often, this communication doesn’t occur early enough or at all. Instead, unaware employees invite threats through ignorance and subsequent failure to take precautions. That isn’t their fault: it’s an operational failure that can be avoided.
Remote and Hybrid-Remote Considerations
Now that a majority of businesses have transitioned at least some of their operations and workforce to a remote or hybrid-remote environment, there are new and changing IT security compliance elements to consider.
- Unmonitored endpoints. Many businesses allowed employees to begin using their own devices to connect to the network to facilitate the transition to a remote or hybrid-remote environment. This should have been accompanied by endpoint use and tracking IT compliance policies to account for the new vulnerabilities they introduce; however, many businesses skipped this step. Make sure you can monitor all devices on your network. Use multi-factor authentication on all applications.
- Remote education. Some companies have a tendency to deprioritize education when their workforce is disparate. However, remote employees work under less supervision and are more susceptible to attack. Security awareness training is even more important for remote and hybrid-remote employees.
- Security tailored to the new environment. Many companies assume their users have the same security in place when they’re working remotely, but that’s not always the case. Businesses need IT security compliance plans that account for the new environment, from the latest methods of connecting to the network to altered communication protocols in incident response and business continuity plans.
- Post-remote compliance check. If your business didn’t check its security compliance after going remote, it should do so as soon as possible. Remote environments aren’t exact replicas of their in-office ones. Employees are connected to consumer-grade routers and WiFi at home, they’re often connecting to corporate networks on personal devices, and family members using an employee’s work computer can unintentionally introduce malware.
How to find an MSP that understands security compliance
An area where many managed service providers fall short is that their approach to IT security is one-dimensional, which increases the risk of exposure to vulnerabilities. MSPs that don’t address security beyond hardware and software don’t understand the modern threat landscape.
The right MSP helps its clients approach security compliance holistically, assisting with incident response planning, security awareness training, business continuity planning and education, and other areas that extend beyond traditional IT security. Ensure your services provider maintains close partnerships with a wide array of recognized vendors, such as Cisco and KnowBe4, and be sure they provide you with the solutions that make sense for your business, not just what makes them money.
If you’d like to learn more about IT security compliance, our team is available for a complimentary consultation. Learn more on our Security Compliance Solutions page.