Top 10 Security Tips for National Cybersecurity Awareness Month
Each October, the industry hosts National Cybersecurity Awareness Month. But the truth is, there is never a month, week, day, hour or minute that we don’t need to be aware of cybersecurity. So SteelCloud has assembled ten cybersecurity tips that apply whether you’re a government agency, a contractor or a private organization.
Tip #1: Awareness.
Awareness is an ongoing practice, not a one-time training event for your cybersecurity team or for your users. It is vigilance and day-to-day cyber hygiene on everyone's part, a habit you develop until it becomes second nature. And it begins with a clear understanding of where your systems are weak and how to harden them. In federal, state and local government, and in the organizations that serve them, many use Security Technical Implementation Guides (STIGs) or Center for Internet Security (CIS) Benchmarks as their roadmap for system hardening. CIS Benchmarks are also a right-sized choice for private organizations of all types. Both are proven, widely adopted baselines among organizations that take system security seriously. Our free STIGs for Dummies eBook and CIS Benchmarks Compliance Success Guide will give you insights and tips to become more aware of your vulnerabilities and what to do about them.
Tip #2: Communication and Teamwork.
Whatever protections you implement, if they affect users, explain not just the what but the why. Zero Trust, for example, means more frequent authentication and device checks. Users will have to lock their screens when they step away from their desks. Remote and hybrid workers may have to be online at a certain time for system updates. Certain functions in applications may need to be turned off for STIG compliance. Don't just tell them this is the new way of doing things, and don't just train them. Tell them why. Explain phishing and ransomware, the kinds of data attackers go after and what they do with it. Give them insight into the damage a breach can cause. Recognize and reward them for reporting suspicious activity. Let them know this is a team effort to protect not only the organization, but their jobs, their system availability and the personal information of clients and fellow employees. If they understand what is at risk, they are more likely to comply.
Tip #3: Trust no one and nothing.
Security cannot live by STIGs and CIS alone, and perimeter security is not enough to keep attackers out. That is why Zero Trust is a must, especially in government systems. Zero Trust assumes the adversary may already be inside, so no network, user, device or location is trusted by default when it comes to accessing your data. It moves security off the perimeter alone: every access request is verified explicitly (strong, multifactor authentication of the identity, plus device posture and context), access is granted with least privilege, and segmentation limits how far a compromised account or host can move before it is detected and contained. Zero Trust works together with STIGs and CIS to provide a one-two punch against attackers.
Tip #4: Always be vigilant and compliant.
Can you monitor your systems 24/7 and achieve continuous compliance, along with Continuous Diagnostics and Mitigation (CDM)? Yes. But you can't do it if you are still checking compliance by hand. Cybersecurity is continually evolving and changing, and it is becoming harder and harder to keep up without automation. The remote and hybrid workforce makes that mission even more challenging. It becomes manageable once you remove the repetitive tasks of compliance and have tools that continually monitor your environment through automation.
Tip #5: Build security into your DevOps process.
If you build an application internally and then deploy it into a DoD system, for example, that system will have to be brought back into STIG compliance. If you are a contractor building an application for government use, your app will go through the same process, and its availability will be delayed for days, weeks or months until it is secure enough to deploy. But if you build it with security policy baked in from the start, which is what DevSecOps means, then the product from your organization won't be the fly in the ointment. Too often that is not how it's done. But it is how it should be.
Tip #6: Learn how to manage a remote and hybrid workforce.
The 2023 Federal Employee Viewpoint Survey showed a shift from nearly half of federal employees working remotely during the 2020 pandemic to 14% remote work and 25% teleworking at least three days a week at the end of 2022. Trying to maintain continuous compliance (or anything remotely resembling it) across that workforce is like herding cats. Hybrid workers often pose a greater risk than onsite employees: their devices spend more time off the corporate network, where patches, policy updates and scans are harder to deliver and verify. When it comes to STIG compliance, distributed endpoints complicate the job and can delay system updates and new app rollouts. But scalable, continuous compliance is still possible. In fact, it can even be easy.
Tip #7: Understand the difference between cybersecurity risk and compliance.
Compliance does not equal risk management. Compliance is the minimum standard to prevent electronic anarchy and forms a baseline that can be measured and provide some sort of consistency across your information systems. According to CISA, “Risk Management is the process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or mitigating it to an acceptable level considering associated costs and benefits of any actions taken. Effective risk management improves the quality of decision making. While risk cannot always be eliminated, actions can be taken to mitigate risk.” Risk management goes beyond creating a secure baseline to the practices and decisions you make to maintain your security posture.
Tip #8: Catch the drift.
The minute you make a change to a STIG or CIS compliant environment, a change as simple as adding a user or installing new software, you are no longer dealing with the same, previously compliant system. The configuration "drifts" out of compliance. That is a big deal because drift reopens the vulnerabilities the baseline closed. Worse, it is difficult to spot, so you assume you're still compliant when you're not. Your people can't be scanning and remediating 24/7/365, and they most certainly won't if they assume you're compliant. Compliance automation that rescans on a schedule and after every change is the reliable way to keep drift at bay and maintain continuous compliance.
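Tips #5 and #8 both come down to the same mechanism: a machine-checkable baseline that is evaluated in the build pipeline and then re-evaluated after every change, rather than assumed. The Python below is an added example for this article, not SteelCloud's ConfigOS code and not an official STIG or CIS check. Its baseline, the two constructed sshd_config snapshots and the "first value wins" parser are assumptions made for illustration. It shows how the kind of drift Tip #8 describes (one inserted line, one deleted line) flips a previously compliant host to non-compliant, and why checking the effective value catches what a simple grep for the expected line would miss.

```python
"""Configuration drift check against a hardening baseline.

Added example for this article (not SteelCloud's ConfigOS code). The
baseline mirrors a few common SSH hardening settings; the rule set, the
sample configs and the parser are constructed here for illustration.
"""
from dataclasses import dataclass

# Constructed baseline: keyword -> required effective value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "Ciphers": "aes256-gcm@openssh.com,aes128-gcm@openssh.com",
    "ClientAliveInterval": "600",
}

# Constructed snapshot of a hardened host's /etc/ssh/sshd_config.
HARDENED_CONFIG = """\
# hardened per baseline (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
ClientAliveInterval 600
"""

# Constructed snapshot after drift: an admin enabled passwords for a
# contractor account by inserting a line near the top and dropped the
# X11Forwarding line while troubleshooting. The original 'no' line is still
# present further down, so a grep for 'PasswordAuthentication no' still passes.
DRIFTED_CONFIG = """\
# hardened per baseline (constructed sample)
Port 22
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
ClientAliveInterval 600
"""


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}.

    sshd uses the first value it reads for each keyword and ignores later
    duplicates, so setdefault() models that. Keywords are case-insensitive.
    Parsing stops at the first Match block; conditional overrides and the
    'Keyword=value' spelling are out of scope for this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


@dataclass
class DriftReport:
    missing: dict  # required keyword absent: sshd's default applies instead
    wrong: dict    # keyword present with wrong effective value: {key: (expected, actual)}

    @property
    def compliant(self):
        return not self.missing and not self.wrong


def check_drift(baseline, current):
    """Compare effective settings against the baseline and report every gap."""
    missing, wrong = {}, {}
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None:
            missing[key] = expected
        elif actual != expected:
            wrong[key] = (expected, actual)
    return DriftReport(missing, wrong)


def ci_gate(baseline, config_text):
    """DevSecOps gate: return 0 if the config meets the baseline, else 1.

    Run it in the pipeline that builds the image or config, and again on a
    schedule against live hosts, so drift is caught rather than assumed away.
    """
    report = check_drift(baseline, parse_sshd_config(config_text))
    for key, expected in report.missing.items():
        print(f"MISSING  {key}: expected {expected!r}, keyword not set")
    for key, (expected, actual) in report.wrong.items():
        print(f"WRONG    {key}: expected {expected!r}, effective value {actual!r}")
    return 0 if report.compliant else 1


if __name__ == "__main__":
    print("hardened snapshot -> exit", ci_gate(BASELINE, HARDENED_CONFIG))
    print("drifted snapshot  -> exit", ci_gate(BASELINE, DRIFTED_CONFIG))
```

The same check_drift call serves as the pipeline gate (a non-zero exit blocks the build) and as the scheduled rescan of live hosts; only the source of the config text changes. The drifted snapshot is the case Tip #8 warns about: the line the auditor expects is still in the file, but it is no longer the line the daemon honors.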
Tip #9: Accept that you are a target.
There is no system in the world that is not a target for attackers. If you think your company is too small or your community college has nothing of interest to them, you're wrong. In fact, you're at even more risk than organizations like the DoD that have the resources and processes already in place to thwart attacks. And attackers will not just get in because a random user clicked on an email link. They will come in through your supply chain, looking for everything from personally identifiable information to proprietary data. Or maybe they just want to lock up your network with ransomware so you'll pay to have it restored. Nobody is safe. And the safer you think you are with your perimeter security and other measures, the more at risk you actually are.
Tip #10: Know when bots are better.
Automation provides the most value when it addresses rules-based, repetitive, labor-intensive (and, often, soul-crushing) processes. Automation solutions like SteelCloud's ConfigOS Command Center and ConfigOS MPO can both scan and remediate these rote tasks, shortening the path to an Authority to Operate (ATO). But only a human can think critically. So let the machines do what they can do, so the humans can concentrate on what only they can do.