Cyber Monday - Great Online Deals on Security Breaches!

In terms of finding online deals, Cyber Monday is the one day of the year on which a savvy shopper can get the majority of their holiday shopping done before they even break for lunch! In the business world, management would likely expect lower productivity after Thanksgiving due to the all too common employee turkey coma. But take a closer look, and they will likely see that many are furiously shopping online, hunting for deals and racking up purchases on their credit cards.

What do almost all online shopping stores ask you to do nowadays? They ask you to set up an identity and password on their site. Honestly, given the choice to create a brand new password for a new identity, or use an existing one that they use daily to sign into their work accounts, most will choose the latter out of convenience. They usually take the easiest road possible, using the same password from site to site, over and over again. Almost every online site asks you to provide an email address, and, though most employees may use their own personal email, not everyone segregates their personal and work email addresses.

The problem with this scenario is that your end-users' email addresses and passwords can now end up in the hands of another organization over which you have no control and whose level of security you have no way of knowing. Unfortunately, we know from experience that hackers often target large online retailers because they are treasure troves of personally identifiable information (PII).

People will shop online on Cyber Monday, regardless of concern, and, while they focus on their own interests, they likely won't stop to consider the risks to their company. Aside from shutting down the company's internet connectivity, what should an IT manager do to protect his or her organization? There actually are a number of ways to position an organization's identity and access management policies to tackle threats like this. There's no one silver bullet, but there are a couple of overlapping approaches to take. The analogy I would use is how we protect our own homes. You start with your most prized valuables, and maybe put those in a safe in a room inside your house. Then, you look at your entryways and check out the door locks, perhaps investing in a security system. You also look at the exterior of your house to make sure the exterior lights work, making it less inviting for burglars. Another precaution may include asking your neighbors to keep an eye on your place while you're away.

Similarly, when looking at your organization’s eSecurity, you should start with the innermost risk by undertaking a discovery and evaluation process of the company’s most sensitive data. This is extremely important (and not just close to Cyber Monday). Ask questions about how much sensitive data exists, where it is located, who has access to it, who is the appropriate data owner, and when was the last time an attestation process was completed to determine if only those who need the access have it. If you appropriately protect your data internally, you can eliminate some of your risk.

Secondly, look at how your end-users are logging into your organization's network. What are your password policies, and how often are they updated? Do you have a policy that any of your end-users with more sensitive access entitlements require two-factor authentication (something a user knows, such as a password, and something a user has, such as a smart card) to log in? If your organization has sensitive data such as intellectual property, or contains your own customers’ personally identifiable information, and you’ve taken steps to limit access to that data by saying only the 10 percent of your organization who require access to do their jobs can actually have it, then it probably makes sense to add an extra layer of security on their access through something like two-factor authentication.

Finally, do you have anything that monitors your end-users' routine actions? In other words, have you defined rules, with concrete parameters, that raise an alert when something is odd or amiss? For example, if you have an end-user who has attempted to sign on 10 times in less than a minute, that is something that should trigger an alert. Another example would be if you have an end-user trying to sign on from an IP address outside the country at a very odd hour.
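The two rules above are simple enough to express in a few dozen lines. The following is an added example, not code from the original post or from any product it describes; it runs both rules over constructed authentication log lines. Everything not stated in the text is an assumption: the log line format, the home country, the "GeoIP" lookup table (a hypothetical stand-in for a real GeoIP database), and the choice of 23:00 to 05:59 UTC as "very odd" hours.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# --- Assumptions (all constructed for this example) -------------------------
HOME_COUNTRY = "US"
# Hypothetical GeoIP table. In production this comes from a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # constructed "foreign" range
}
RAPID_ATTEMPTS = 10          # from the text: 10 sign-on attempts ...
RAPID_WINDOW_SECONDS = 60    # ... in less than a minute
ODD_HOURS = set(range(0, 6)) | {23}  # assumption: 23:00-05:59 UTC is "very odd"

# Constructed sample log. Format (assumed):
#   "<ISO8601 UTC> user=<name> ip=<addr> result=<success|failure>"
SAMPLE_LOG = (
    ["2023-11-27T03:12:00Z user=carol ip=203.0.113.7 result=success"]   # foreign, 03:12
    + ["2023-11-27T09:00:01Z user=alice ip=10.1.2.3 result=success"]    # normal
    + [f"2023-11-27T09:00:{s:02d}Z user=bob ip=198.51.100.9 result=failure"
       for s in range(0, 50, 5)]                                         # 10 tries in 45s
    + ["2023-11-27T14:30:00Z user=dave ip=203.0.113.8 result=success"]  # foreign, daytime
)


def country_for(ip_str):
    """Look the address up in the (hypothetical) GeoIP table."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Return a list of (rule, user, timestamp) alerts for the given log lines.

    Lines are assumed to be in chronological order per user.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps inside the sliding window
    flagged_rapid = set()         # alert once per user for the rapid rule
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]

        # Rule 1: 10 or more sign-on attempts (success or failure) in < 60 s.
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() >= RAPID_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RAPID_ATTEMPTS and user not in flagged_rapid:
            flagged_rapid.add(user)
            alerts.append(("rapid_signon", user, ts.isoformat()))

        # Rule 2: sign-on from outside the home country at an odd hour.
        if country_for(ev["ip"]) != HOME_COUNTRY and ts.hour in ODD_HOURS:
            alerts.append(("foreign_odd_hour", user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it prints one alert for carol (foreign address at 03:12) and one for bob (tenth attempt at 09:00:45); dave's foreign daytime login and alice's normal login produce nothing. Both rules count successes as well as failures, since a burst of successful logins from an account is at least as interesting as a burst of failures.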

On Cyber Monday this year, if you are an IT manager (when you aren’t snagging some deals yourself), be sure to take a look at your organization’s approach to eSecurity and identity and access management practices. Breaches are very costly with long-lasting effects that could lead to a very bah humbug holiday season.

Anonymous