By Paul Tibbert, CEO of GRID
It dawned on me—as I locked the house on the way out the door, packing the car for a long weekend away—that too many companies and professionals are leaving their data “homes” with what might be the same false sense of security I enjoyed upon turning the deadbolt on the front door.
Yes, the door is locked. But that doesn’t begin to address the potential vulnerabilities my house was truly exposed to.
For example, windows are easily smashed. Did I leave another door open? Was there already an intruder hiding in the house before I unwittingly locked them in from the outside?
Additionally, what if an intruder’s intention was to enter the premises, pilfer something seemingly inconsequential, leave the home undisturbed, then leave quietly and re-lock the door behind him? When I returned home, would I ever even know he was there? Would I know something inconsequential was missing? Or would the locked door once again provide a false sense of security that all was well and good?
And so it is with our data and systems. Too often, we apply one “blanket” level of security, thereby assuring ourselves that our data is secure. But as breachers, hackers and malware bots get more and more sophisticated, more and more targeted, and more and more stealthy, our digital homes are just as susceptible to the undetected intruders described in my home analogy.
Time to take another look.
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems, except those related to national security. A counterpart, NIST SP 800-171, provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI) for defense contractors doing business with the federal government. Both are becoming more broadly adopted as industry standards for any entity that wishes to be part of the supply chain to government agencies, their contractors and subcontractors, and furthermore, pretty much any entity that places significant emphasis on data and information systems security. (The same is true of their ISO counterparts, ISO 27001 and 27002, and of the CMMC.)
What is being issued as guidelines for the highest-stakes security environments should, in my opinion, become the standard bearer for how we think about true IT security. Such standards suggest an approach that goes far beyond locking the metaphorical front door, toward a much more nuanced, sophisticated and thorough approach to controls.
Whereas historically we may have been most concerned about who and what can connect to a particular system, we must now give greater consideration to what the data inside each system actually is; how it will be used and shared; by whom and with whom; when; and under what circumstances. And we are getting much more detailed in monitoring and documenting who is where within each system, to better account for or track potential breaches or leaks, no matter how clandestine the perpetrators may wish to remain.
Going back to the home analogy, in addition to locking the doors, the smart companies are also installing proverbial surveillance cameras and “visitor” logs that can track and record all system activity and participation, 24/7, so that, should a breach occur that is not immediately assignable and detectable, we can at least “review the tapes” to determine who had access to the data at the time of the breach…which can turn a wild goose chase into a precise and specific incident response.
This shift in approach will, for most, begin with a shift in mindset. The modern solution to data and system security is not the dead-bolt-on-the-door, blanket security protection applying one-size-fits-all controls for all data, users and systems. We must begin by separating, classifying and controlling our data, rather than treating everything under one general, credentialed-access policy.
Step 1: Isolate, Classify and Segregate: The first major initiative I would suggest is a comprehensive audit and cataloguing of your data, data types, systems and system types. For example, one type of system might be your HR management system, which contains many types of data—payroll, medical/HIPAA, personal protected employee information, background check or disciplinary records, and so on—all housed on multiple, disparate systems within the HR infrastructure of the company. Do the important and necessary work of disaggregating all of that from its erstwhile lump of “employee information,” so that you can isolate and classify what’s critical, maximally private, and of utmost security, versus that which is merely “confidential”—on a granular level, not from 30,000 feet. Assessing what damage the release of such data might do, both to the company and the individual, is an example of the types of considerations you might address.
Step 2: Apply the Appropriate Level of Controls: Only after you’ve done the isolation, segregation and classification of your data and system sets and types can you assign the tiered level of controls that NIST 800-53 and NIST 800-171 set standards for when it comes to handling CUI (controlled unclassified information). Each data type, each system type, and so on should have separate and appropriate standards for who has access to what data, when and with whom they can share it, and how secure the protective measures need to be for granting credentialed access.
Step 3: Audit and Report: NIST 800-53 has 20 families of security and privacy controls. Beyond an initial risk assessment against these families, a company’s compliance with these controls requires constant vigilance and monitoring. Start by educating all employees on access governance and cybersecurity best practices, such as how to identify and report malware. And be sure to install the appropriate “security cameras”—maintain and improve your compliance with sophisticated monitoring solutions, regular system audits, and transparent reporting procedures, especially after a security incident.
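To make the three steps concrete, here is a small added example (mine, not GRID's or NIST's) that classifies the HR data types from Step 1 into tiers, assigns per-tier controls as in Step 2, and audits a constructed “visitor log” as in Step 3, including the “review the tapes” question of who touched a data type during an incident window. The tier names, control flags and log format are assumptions for illustration, not NIST 800-53 identifiers.

```python
from dataclasses import dataclass
from datetime import datetime

# Step 1: constructed classification catalog for the HR data types the post names.
# Tier names are assumptions for this example, not NIST control identifiers.
CLASSIFICATION = {
    "payroll": "critical",
    "medical": "critical",
    "disciplinary": "confidential",
    "directory": "confidential",
}

# Step 2: controls are assigned per tier, not as one blanket policy.
CONTROLS = {
    "critical": {"require_mfa": True, "allow_export": False},
    "confidential": {"require_mfa": False, "allow_export": True},
}

@dataclass
class AccessEvent:
    when: datetime
    user: str
    data_type: str
    action: str   # "read" or "export"
    mfa: bool

def parse_log(lines):
    """Parse constructed 'visitor log' lines: <iso-time> <user> <data_type> <action> mfa|nomfa."""
    events = []
    for line in lines:
        ts, user, dtype, action, mfa = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, dtype, action, mfa == "mfa"))
    return events

def violations(events):
    """Step 3 audit: events that break the controls of the data's tier (unknown data is treated as critical)."""
    bad = []
    for e in events:
        rules = CONTROLS[CLASSIFICATION.get(e.data_type, "critical")]
        if rules["require_mfa"] and not e.mfa:
            bad.append((e.user, e.data_type, "mfa required"))
        if e.action == "export" and not rules["allow_export"]:
            bad.append((e.user, e.data_type, "export forbidden"))
    return bad

def who_touched(events, data_type, start_iso, end_iso):
    """'Review the tapes': users who accessed a data type inside the incident window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted({e.user for e in events if e.data_type == data_type and start <= e.when <= end})

SAMPLE_LOG = [  # constructed sample log lines
    "2021-05-28T09:05:00 alice payroll read mfa",
    "2021-05-28T09:20:00 bob medical read nomfa",
    "2021-05-28T10:00:00 carol directory read nomfa",
    "2021-05-28T11:30:00 bob payroll export mfa",
]
```

Running `violations(parse_log(SAMPLE_LOG))` flags bob's medical read without MFA and his payroll export, while `who_touched(..., "payroll", "2021-05-28T09:00:00", "2021-05-28T12:00:00")` narrows an incident window to alice and bob.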
Now, I won’t pretend that all of this is as easy as switching on the alarm system as you walk out of the home. Once all of these rigors have been executed, you also need to consider, “How does my business and team operate under this tightened scrutiny and security without being disruptive to client and vendor relations, and without burdening our teams and processes with heightened administrative bureaucracy?” There will be new procedures, and new documentation. But the alternative risks the very existence of the company itself!
There are always tradeoffs to evaluate between security and freedom of movement. If there are no controls, your company moves at the speed of light. But with hacks and breaches on the rise, and getting more and more sophisticated with each passing day, there’s simply too much at risk to operate under that false sense of security. What’s needed is true security.
Thankfully, NIST, ISO and the Department of Defense have provided the blueprint. Now all we have to do as an industry is adopt the “whole-home” approach to security. Yes, like mine, your front door might be locked, too. But that means all too little in the year 2021.