How's your cybersecurity posture? Answer these 5 crucial security questions
Nearly 70 percent of board members from the largest U.K. firms reportedly have received no training to deal with cyber incidents, and 10 percent don’t have a cyber-response plan, according to a report from the U.K. National Cyber Security Centre.
Those numbers are noticeably poor even in comparison to the U.S. healthcare system, where fewer than half of IT professionals feel confident in their organization’s overall level of cybersecurity.
It’s well known that an organization’s cybersecurity posture needs to start in the boardroom so that it can be translated all the way down to clinicians. As insiders overwhelmingly cause the most breaches, those boardroom conversations are crucial.
“Cybersecurity is now a mainstream business risk,” said Ciaran Martin, chief executive of the NCSC, at the recent annual CBI Cyber Security: Business Insight Conference 2018. “So corporate leaders need to understand what threats are out there and the most effective ways of managing the risks.”
“But to have the plain English, business-focused discussions at board level, board members need to get a little bit technical,” he continued. “They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.”
To fuel those conversations, NCSC created a list of the five most important questions boardrooms need to be able to answer to better understand the risks and areas where their organization needs to improve.
How are we stopping phishing attempts?
According to NCSC, organizations need to be able to confidently answer that they’re not only filtering and blocking incoming phishing emails, but they’re also marking external emails as external.
That simple notation can help staff quickly identify that an email isn’t coming from within an organization. As targeted phishing attacks on the healthcare sector have increased 10-fold in 2018 with SamSam and the new Ryuk variant, that label can strengthen defense against these attacks.
NCSC also said that organizations need to make sure they’re stopping spoofed emails, which appear to be sent from reputable organizations. Organizations should be using DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) controls to better filter malicious emails.
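An illustration of the spoofing controls named above, added here and not part of the original article or of NCSC's guidance: a Python check that reads SPF and DMARC TXT records and flags settings that leave spoofed mail deliverable. The records and the domain example.org are constructed samples; DKIM is left out because looking up its key requires a per-sender selector.

```python
# Constructed sample TXT records for the placeholder domain example.org.
WEAK_SPF = "v=spf1 include:_spf.example.org +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_SPF = "v=spf1 include:_spf.example.org -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' DMARC record into a dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return findings for one DMARC TXT record (empty list means no issue found)."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not block mail that fails the check" % policy)
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua address, so no aggregate reports arrive")
    return findings

def audit_spf(txt):
    """Return findings for one SPF TXT record (empty list means no issue found)."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    # Mechanisms are evaluated left to right and 'all' always matches.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms[1:]):
            return []  # the policy is delegated to another record
        return ["no 'all' mechanism; unlisted senders get a neutral result"]
    if alls[0] in ("all", "+all"):
        return ["+all authorises every sender on the internet"]
    if alls[0] == "?all":
        return ["?all is neutral; unlisted senders are not rejected"]
    return []

if __name__ == "__main__":
    for record, check in [(WEAK_SPF, audit_spf), (WEAK_DMARC, audit_dmarc),
                          (GOOD_SPF, audit_spf), (GOOD_DMARC, audit_dmarc)]:
        print(record, "->", check(record) or "ok")
```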
Further, organizations need to support staff through education, so they can easily identify malicious emails and be trained not to click.
As it’s impossible to stop all attacks, organizations also need to limit the impact of a phishing attack by using a proxy server that stops access to known malicious sites.
NCSC also recommends the use of two-factor authentication. And perhaps more crucial, organizations need to both have and rehearse incident response plans.
How are privileged accounts handled?
It goes without saying at this point that not everyone on staff needs access to everything on a network.
“Granting elevated system privileges should be carefully controlled and managed, a policy often referred to as ‘least privilege,’” NCSC stated. “This principle of least privilege should be assessed as staff leave, join and move departments.”
The correct answer to handling privileged accounts is that staff are set to least privilege by default, according to NCSC. And when high privilege is granted, those accounts must be controlled and monitored to ensure those staff aren’t checking their email or browsing the web from those accounts.
And lastly, the human resources department needs to be part of the IT account function to make sure accounts don’t remain active when an employee leaves.
How are software patches applied?
It’s well known that patching is crucial for securing a lot of vulnerabilities, but often those software updates aren’t routinely applied. For NCSC, organizations need to be able to confidently state that they have the policies in place to identify, triage and fix those flaws.
Those policies won’t likely be “patch everything right away,” but there need to be mitigation steps and routine audits to ensure those procedures are being followed. NCSC also recommends organizations have an end-of-life plan for legacy devices that are no longer supported.
When those options aren’t possible, organizations need a solid architecture in place able to minimize the extent of an attack if those devices are breached. And if an organization struggles to build and maintain its infrastructure, those leaders need to lean on third-party or cloud services to bolster their networks.
Are our third-party vendors secure?
Especially in the healthcare sector, nearly every organization shares data with its partners and suppliers. Organizations need to be able to ensure those business associates have policies and structures in place in line with their own policies.
When establishing a data sharing connection, NCSC said organizations need to build security into the contract and not just blindly trust their partner will follow those rules. They must be checked and audited.
NCSC also reminded organizations that even with agreements, they need to assume their partners will be compromised at some point. To combat this, organizations need to limit services exposed and data exchanged, while ensuring user and system authentication before granting access.
How do we control access?
By now, it’s common knowledge that passwords alone aren’t enough to stop hackers. The more secure organizations have measures in place that both support sensible password use by employees and ensure that use doesn’t burden staff.
But to NCSC, and to many healthcare leaders, two-factor authentication needs to be in place when possible.
“Setting up 2FA is the single most useful thing that you can do to protect important accounts and where possible, should be rolled out to staff and customer accounts,” according to NCSC.
“There is no such thing as a foolish question in cyber security,” said Martin. “The foolish act is walking away without understanding the answer because that means you don’t understand how you’re handling this core business risk.”