ILTACON Insights: Thomson Reuters on Common Security Worst Practices
The annual ILTACON conference is off to a strong start, and a hot topic on today’s agenda included the panel discussion on Common Security Worst Practices. Panelists, including Mel Gates, senior legal editor, Privacy & Data Security, Thomson Reuters, focused on 10 things people and organizations should not do in terms of cybersecurity.
The panel explored common mistakes that create systemic barriers to a strong cybersecurity posture and provided actionable strategies to avoid, or fix, them. Legal Current had the opportunity to talk with Gates after the panel, and below is a recap of the conversation.
Legal Current: Companies often fail to consistently manage cyber vulnerabilities. Talk about how important it is for organizations to have well-maintained asset inventories as well as the difference between vulnerability disclosure and vulnerability management.
Gates: It’s basic: organizations simply cannot reasonably assess their cyber risks and protect or patch their assets if they do not know what they have and where it is located. Well-maintained inventories and vulnerability management processes do not require the latest and greatest technical solution. However, thoughtfully selected and carefully implemented tools can help organizations quickly recognize and minimize new risks and improve their efficiency, especially when IT and cybersecurity resources are scarce.
Organizations use cyber vulnerability management programs to identify, track, and remediate or at least mitigate known hardware and software vulnerabilities. Vulnerability disclosure policies and programs help organizations leverage external community expertise to discover additional vulnerabilities and appropriately respond. Some organizations choose to implement bug bounty programs to further enhance their cybersecurity posture or reputation. Cyber vulnerability management, however, is a basic element of any reasonable information security program.
LC: A common cybersecurity miscalculation is organizations assuming people will think about and follow security policies when making decisions. What are ways businesses can help employees prioritize security?
Gates: People want to be successful and help others. Unfortunately, cyberattackers know that and leverage those all-too-human desires. Organizations need to help all employees understand and manage cyber risks at levels appropriate and understandable to them and their roles. Some tips include:
- Communicate regularly with employees using widely applicable and easily understood examples that explain specifically what they may encounter and how to act when they do.
- Make expert resources available, responsive, and supportive so that employees are not left feeling like they must take undue risks just to “get the job done.”
- Help employees understand that “being nice” does not mean letting risky behavior go unchallenged. Choosing to challenge or question is not just acceptable; it is expected, and it is not just an “IT thing.” It is everyone’s job.
LC: You talked during the panel about the “despair issue” – when the sheer volume of potential cyberattacks and how they’re continually evolving overwhelms people and organizations. How can we accept that cybersecurity is an ongoing process?
Gates: Reasonable cybersecurity is not a one-time project, and the need to treat it as an ongoing program is not a failure of the selected tools or responsible individuals. Threats evolve. Newly discovered vulnerabilities emerge. IT assets and business practices change. Internet connectivity gave us previously unimaginable business opportunities and efficiencies. But those opportunities and efficiencies are not free. They bring risks, responsibilities, and the costs to manage them, too. We must adopt an approach of process-driven risk management, making cybersecurity a core part of our business processes and technical infrastructure – some would say “part of our DNA.”
Cyber researchers’ data consistently shows that many, if not most, attacks are fully preventable using long-known cybersecurity principles and practices. Even if organizations cannot prevent the most sophisticated attacks, those are much less common, and it is easier to detect them and minimize their effects when organizations have strong controls in place. Just like with traditional crime and the physical risks we all face each day, educating and arming ourselves with data and best practices, not fear created by focusing solely on the latest attack reports, helps empower us and ward off that sense of overwhelm and despair.
LC: It’s not possible for organizations to mitigate 100% of cyber risks, but how can they reasonably manage them?
Gates: Exactly: “100% safe and secure” is a fallacy, but we are at our safest and most secure when we act reasonably and work together across our organizations and communities. Organizations should:
- Make cybersecurity an ongoing business and technical priority. Our customers, employees, and communities demand and deserve it.
- Start with basic security controls and widely accepted best practices, like those described in the NIST Cybersecurity Framework, to build a process-driven program appropriate to their unique risks and available resources.
- Not allow their desire for the perfect time or level of resources – or whatever else gets in the way of acting now – to keep them from closing the cyber risk window as best they can, even as they keep working on getting better.
- Consider ways to securely share information with and learn from like-minded organizations.
LC: What’s the one thing you want ILTACON attendees to remember about cybersecurity?
Gates: That a strong cybersecurity posture is achievable and sustainable with appropriate attention to people, policies, processes, and tools. The bad actors are not any smarter than the rest of us. They are just very opportunistic and persistent, demanding our commitment to ongoing cyber risk assessment and management.