Top Security Policy Tweaks and Tips for 2019

Companies turn to MSSPs to manage more than just the technology. They look for consultants to help improve their security policies too.

The demand for such help is on the rise as companies struggle to keep up with an ever-growing and changing attack surface. To help you make a checklist of security policy improvements, here are tips and tweaks that experts have discovered in their own quests for tighter and surer security procedures.

Revisit role change and reconcile access procedures. Denying access once an employee leaves a company should be standard security protocol, but alas, it rarely actually happens. Ditto for employees who take temporary assignments, fill in positions until someone is hired, or simply transfer to a new job in the same company.

“Role-based access issues are sorely overlooked in many organizations,” says Tom Garrubba, senior director and CISO with The Santa Fe Group, a consultancy for financial institutions. “This is a growing problem; as people take on additional roles and responsibilities within their organization, there often appears to be very little thought given as to whether the newly assigned roles create ‘segregation of duties’ issues — even if it’s just a temporary assignment. In most cases like this, removal of such access upon completion of the task or duties rarely occurs and can cause complications in compliance with various regulations or industry standards.”

The Santa Fe Group’s Tom Garrubba

It’s past time to revisit those policies and tighten procedures so that these problems are resolved routinely before they become costly security and compliance issues. Be sure to include policies surrounding the use of automation for these tasks, and also for alerts and audits to be triggered when automation tools are changed, deployed, or discarded.

Roles based access may be defined differently in various automation or machine learning-based technologies and brands. Make sure there is a policy in place to handle shutting those accesses down when a product is no longer in use, and to reconcile roles accesses when databases and/or security automation products are integrated.

Add “Question the Boss” procedures. Phishing is mass emailing in hopes of a few bites. Spear-phishing is aimed at only specific targets. Whaling targets or spoofs the top executives in the organization.

“As people get better at recognizing and ignoring regular phishing attacks, threat actors have upped their game to try to be more convincing, making spear-phishing and whaling more commonplace,” says Avi Solomon, Director of Information Technology at law firm Rumberger, Kirk & Caldwell.

To effectively counter these increasingly sophisticated and convincing attacks, employees will need to feel free to question a command from their boss, or even the company CEO. That comfort level doesn’t exist without a firm policy in place.

“Employees should be more diligent in following up with executives whose correspondence asks them to do uncustomary transactions or engage with persons or organizations they’re not familiar with,” recommends Garrubba.

However, it may be annoying or counterproductive to have all confused employees directly question their boss on the validity of the request or command. If you suspect that may be the case, particularly considering the increasing volume of phishing, MSSPs should consider suggesting a policy requiring a single-step action, such as “forward it over to the IT department for further review and analysis,” advises Garrubba.

Build on mobile data protection and document disposal policies. As more business is done on smartphones and tablets, it becomes imperative to write stronger policies on how data and documents on these devices are to be managed and safeguarded.

A strong security policy should address “good practices when reviewing confidential or sensitive information in public, destruction of paper documents and electronic media and restricting the exportation of data to personal email accounts, personal file share services and USB devices,” advises Mark McCreary, chief privacy officer and partner at the law firm Fox Rothschild LLP.

Use policy to create a security culture. Individual employees might feel overwhelmed, confused or simply too busy to practice good security behaviors. Building a security culture alleviates some of the stress and worry while also improving compliance and standards. Start by writing a policy designed to create a culture of crowdsourced security.

“Have an email address or other channel where employees can forward or report phishing emails they receive, so that everyone across the organization can thwart active phishing campaigns,” advises Stephen Cox, VP and chief security architect at SecureAuth, a provider of identity security automation.

“Share examples of phishing attacks that affected other organizations with employees and discuss how to avoid them. As new methods are identified, or new data breaches become known, foster discussion of their tactics. Encourage others to share news items that they find.”

Dump the legalese in favor of understandable language. Ignorance of the law may be not be an excuse in the eyes of a judge, but a hard-to-understand security policy will be ignored without a second thought. MSSPs need to find ways to address legal issues and attorneys’ concerns in security policies without using legal terms; indeed, doing so looks to be the evolving trend next year.

Tines’ Eoin Hinchy

In 2019, “information security policies that are difficult to find, read and understand will be replaced by simpler, shorter, legalese-free policies that are more accessible,” predicts Eoin Hinchy, founder of Tines, a security automation start-up.

Rework policies to fit automated distribution patterns. Automation is making it possible to deliver training and assistance at exactly the time it’s needed.

“The continuing adoption of security automation and orchestration technologies will allow enterprises to move away from annual, compliance-based training, to a more contextually-relevant, event-driven model,” says Hinchy.

Look to build policies to do the same, rather than continue to deliver lengthy sessions or documents. Indeed, modernizing security policies is a potential new revenue stream for MSSPs with an eye toward fitting automated, augmented, self-service and IoT delivery models.