Why corporate data compliance can make or break an enterprise; cyber safety and hygiene must improve in the new normal.

According to Singapore’s Smart Nation and Digital Government Group (SNDGG), about three-quarters of government agencies had at least one finding of non-compliance on data policies and standards.

The most common shortcomings found were in the management and monitoring of privileged user accounts, user access reviews, as well as the encryption of email containing highly sensitive data.

Access management is a major concern for information security, not just in government agencies. The private sector needs to manage access efficiently and securely to protect against security incidents.

As cybercrime becomes more pervasive, how can organizations improve their cyber hygiene, protect themselves against attacks, and transform how they monitor for security incidents?

CybersecAsia sought out some answers from Serkan Cetin, Technical Director, APJ, One Identity.


What is the most common cause of cybersecurity breaches?

Serkan Cetin (SC): The most common cause of cybersecurity breaches involves the compromise of privileged access. According to the 2020 Data Breach Investigations Report, more than 100,000 recent global security breaches involved misused credentials, including compromised passwords.

In many instances, these attacks usually take place because the employees do not have the required training to ensure good cyber hygiene practices are in place, and often organizations have not implemented the right technologies and processes to protect their systems and employees.

Employees need to understand the value of the identities and accounts in their organizations. People are the most important part of the security equation; hence it is a business imperative to create a security-first culture. For effective adoption, businesses will need to re-examine their existing processes and implement better identity practices that can manage accesses and authorizations for the end-users without complicating the user experience.

What are some key challenges and implications in mitigating data breaches arising from user access and the misuse of user privileges?

SC: The biggest and most fundamental threat is that organizations are scrambling to ensure secure connections for all employees and, at the same time, that the people behind the screen are who they claim to be in a remote setting.

What’s terrifying, however, is that corners were probably cut in the rush to get everyone working remotely. Preventing, detecting and mitigating the risk of human mistakes and malicious actions has become extremely important in the “new normal” as organizations move all their possible business operations online.

Most organizations are still in uncharted waters and using processes that have never been tested. Processes need to be re-examined and tried, and changes need to be executed quickly. Additionally, businesses need time to ensure that permissions and entitlements remain in force; if the permissions are correct, it doesn’t matter whether the person is remote or on-prem.

Many are still attempting to use the approach of trying to strike the right balance between implementing the right level of security controls whilst ensuring the applications and systems are easy to access for end users. Whilst this may have been the way in the past, in today’s fast-paced world, businesses require frictionless security solutions that secure access to data, resources and privileges, without any of the excess baggage.

How does a centralized identity and access management system help in addressing cyber safety in the ‘new normal’?

SC: Remote working means companies are giving up the strong physical security they built around their offices – from access cards to reinforced doors, and they need to re-invest in security strategies which address the only factor that has remained constant throughout all this change, the identities which need to access the applications.

This could have been endpoints, but the reality for many is that any employee will use a combination of different devices, some personal, some corporate issued. And with the growing adoption of SaaS applications, the systems to protect are not only in the corporate data center, but also out on cloud service providers.

With the mass credential leaks of the last couple of years, huge databases with billions of records circulate on the dark web, containing privileged user identities and password pairs for many corporate logins. Reusing this data in so-called credential-stuffing attacks is an incredibly effective way to breach these end systems and through them, the whole corporate network.

Therefore, organizations must take steps to protect themselves, employees and customers against privileged identity theft, data breaches and cyber threats. This includes ensuring that there is a strong understanding of what entitlements and access rights every identity holds (whether it’s an employee, contractor, bot, standard or privileged), evaluating these against governance controls, attesting that the access rights granted are correct and required, and ensuring that any unnecessary access rights are revoked.

Automation plays a big part in this and can improve the overall user experience. It can further improve security by ensuring that users automatically have the right levels of access provisioned for their job, and that the accounts of a departing employee are deprovisioned immediately.

Deploying control measures to secure the privileged credentials, using session management as part of granting privileged access and employing continuous authentication measures by using analytics and machine learning to identify and take action against suspicious user behavior are a must for any type or size of organization to protect access to their systems.

What are some best practices for organizations to scale up the required resources, ensure stability and availability, and to grant uninterrupted access for the ‘new normal’?

SC: A first step that organizations need to do is to make sure that there is some form of multi-factor authentication (MFA) as a minimum requirement for all identities. By doing so, this extra layer of protection can significantly reduce the chances of a hacker being able to just walk right into the network.

Organizations also should bear in mind that it isn’t just the business users who are having to work remotely, it is also the admins and third parties that run the IT infrastructures, and the outsourcers or other service providers. These are the accounts that the hackers are after. Just one admin account can grant elevated access to a wide range of systems for an attacker.

Starting off with MFA is a good first measure, but that is assuming the threat is always external. Employing the right technologies to secure privileged access, govern access rights, implement least-privilege access models and role-based access control, store credentials securely and record all privileged access operations will go further towards protecting against internal and external threats.

These practices will help organizations to identify and take action against suspicious activity, reduce the risk of accidental damage and misuse, ensure that only the right level of access entitlements is granted to users, and provide an audit trail for faster investigation of privilege use, across all types of identities and accounts, whether it be an employee, contractor, or bot.

Most importantly, one must never forget to educate their employees on their responsibilities and make them aware of cyber threats.
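The two answers above describe one recurring control loop: know what every identity (employee, contractor or bot) holds, compare it with what its role needs, require MFA on privileged identities, attest rights regularly and revoke what is departed or excess. The following Python script is an added example of that review run over constructed records; it is not One Identity's code or anything from the interview, and the record layout, the role baseline, the 90-day attestation window and the control names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Identity:               # one identity: employee, contractor or bot (assumed layout)
    name: str
    role: str                 # job role, used to look up the approved baseline
    status: str               # "active" or "departed"
    privileged: bool
    mfa_enrolled: bool
    entitlements: set         # access rights currently held
    last_attested: date       # when an owner last confirmed these rights

# Constructed least-privilege baseline: the rights each role actually needs.
ROLE_BASELINE = {"finance-analyst": {"erp-read", "erp-report"},
                 "dba": {"db-admin", "vault-checkout"},
                 "backup-bot": {"storage-write"}}

def review(identities, today, max_attest_age=timedelta(days=90)):
    """Return (control, identity, detail) for every governance control violated."""
    findings = []
    for i in identities:
        if i.status == "departed" and i.entitlements:
            findings.append(("deprovision", i.name, sorted(i.entitlements)))
            continue                     # every right goes; no further checks needed
        excess = i.entitlements - ROLE_BASELINE.get(i.role, set())
        if excess:                       # holds more than the role requires
            findings.append(("excess-access", i.name, sorted(excess)))
        if i.privileged and not i.mfa_enrolled:
            findings.append(("mfa-missing", i.name, "privileged identity without MFA"))
        if today - i.last_attested > max_attest_age:
            findings.append(("stale-attestation", i.name, str(i.last_attested)))
    return findings

def revocations(findings):
    """Identity -> rights to revoke: everything for departed, only the excess otherwise."""
    plan = {}
    for control, name, detail in findings:
        if control in ("deprovision", "excess-access"):
            plan.setdefault(name, set()).update(detail)
    return plan

REVIEW_DATE = date(2021, 2, 1)           # constructed review date
SAMPLE = [                               # constructed records, not real data
    Identity("alice", "finance-analyst", "active", False, True, {"erp-read", "erp-report"}, date(2021, 1, 10)),
    Identity("bob", "dba", "departed", True, True, {"db-admin", "vault-checkout"}, date(2021, 1, 10)),
    Identity("carol", "dba", "active", True, False, {"db-admin", "vault-checkout", "erp-report"}, date(2020, 9, 1)),
    Identity("svc-backup", "backup-bot", "active", False, True, {"storage-write"}, date(2021, 1, 10)),
]
```

Running `review(SAMPLE, REVIEW_DATE)` flags the departed contractor for full deprovisioning and the active DBA three times (excess right, no MFA, attestation older than 90 days), while the two identities whose rights match their role baseline produce nothing; `revocations` turns those findings into the per-identity list of rights to remove.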

How should organizations educate employees on cybersecurity best practices to mitigate future risks?

SC: Regular training and education for employees have the greatest impact in mitigating future risks within organizations. The core philosophy is that users must understand the value of their identity and the resources to which they have access – in other words, “controlled mild paranoia”. If the user understands who is trying to get their data and the impact of a compromise, then they will be mindful and react appropriately to external sources.

There are a few areas to start with. For instance, check that staff are reading the latest messaging and understand that not every email or phone call is to be trusted, and ensure employees are not copying data to their local devices or those in their home network.

Taking this deeper, the administrator with elevated privileges in his/her back pocket must understand the value of the information they possess. Working remotely with unregulated, unaudited elevated privileges should make anyone more than slightly uncomfortable. Just as users should be trained on operating securely with user-level permissions, admins must be proficient on how to operate securely with admin-level permissions. They should be familiar with credentials being vaulted and sessions being audited.

In short, an important factor in a new remote workforce is user training. Employees should have been trained on things like phishing emails, virus detection, or malware to keep the home-based worker from being compromised moving forward.