Proactive Steps to Promote Employee Cyber Security Compliance

Your organization’s people are your first line of defense against cyber criminals. Unfortunately, they’re also your weakest link. Insiders pose the biggest threat to cyber security in the healthcare industry, and only 13% of public sector employees “take personal responsibility for cyber security.” Here are 10 proactive ways to improve employee cyber security compliance.

Employee Cyber Security Training Should be Mandatory & Continuous

The cyber threat environment is constantly changing, so employee cyber security training is not “one and done.” It is a continuous process that should begin during the onboarding process and continue throughout the employee’s tenure.

Employee Cyber Security Training Is About More than Compliance

Many healthcare organizations make the mistake of focusing employee cyber security training exclusively on HIPAA compliance, and organizations in other industries can fall into similar traps. While compliance is important, it does not automatically equate to cyber security.

Keep Employee Cyber Security Rules & Procedures Simple

Often, employee cyber security manuals are written by the IT department or security personnel, who may fill them with so much “tech-speak” that they require a degree in computer science to decipher. Make sure that your rules and procedures are written in plain language that non-IT employees can easily understand.

Everyone Needs to be Trained

Cyber security is everyone’s responsibility. This includes all levels of employees, from the C-suite down to the receptionist. Don’t forget about part-time employees, seasonal workers and other temps, even interns. Everyone in your organization who has access to a computer must be trained on cyber security best practices.

Have Clear Cyber Threat Reporting Procedures

If one of your employees receives a suspicious email or finds a flash drive on the floor, who should they report the incident to, and how? Make sure your employees know exactly what to do next.

Tie Workplace Cyber Security to Personal Cyber Security

Illustrating why cyber security hygiene is important both in and outside the office is a great way to reinforce training lessons and bolster employee buy-in. Use real-world examples that employees can relate to, such as phishing scams that seek to steal personal account credentials.

Employ User Behavior Analytics & Continuous Monitoring

User behavior analytics, paired with continuous monitoring of network activity, protect your organization on two fronts. First, they allow you to identify employees who are snooping around in areas of your system they don’t need to access to do their jobs. Second, they allow you to identify stolen credentials by flagging logins at odd hours and/or from unusual locations. In either case, you can set up the system to temporarily suspend access until you determine what’s going on.

Regularly Review Employee System Access

The best way to ensure that employees don’t misuse their credentials is to prevent them from doing so in the first place. Employees should be given the minimum amount of system access to perform their jobs, and no more. Access levels should be regularly reviewed for appropriateness.

Don’t Flog Employees for Making Mistakes

Even the most diligent employee can make a mistake. If employees fear being fired for inadvertently clicking on a phishing link, not only will they not report the incident; they may try to cover it up, which could make things even worse. Encourage employees to report missteps as soon as possible, and ensure them that they won’t be disciplined for doing so.

Reward Employees for Good Cyber Behavior

In addition to not beating your employees with sticks, offer some carrots. Recognize employees who flag phishing schemes and other attempted cyber attacks.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Cyber Security Tips for 2018 and Beyond

Now that the year is coming to an end, all eyes are on what’s possibly around the corner. More attacks on cryptocurrencies? An escalation in attacks by state-sponsored cyber criminals? Chaos as the EU’s GDPR is implemented? In cyber security, only one thing is certain: It’s a continuous game of Spy vs. Spy. As soon as one hole is plugged, hackers find another way in, and with every new technology comes a brand-new set of risks. Here’s a list of cyber security tips for 2018 that will protect your enterprise not only in the New Year but in the years to come.

Secure Your Cloud, Secure Your Cloud, Secure Your Cloud

The AWS breach epidemic made our list of the worst cyber attacks of 2017, so it’s not surprising that cloud security is at the top of our cyber security tips for 2018. The rule of thumb is that your cloud service provider is responsible for the security of your cloud, but your organization is responsible for the security in it. Understand that cloud security is quite different from on-premises cyber security, and make sure to seek professional help to ensure a successful and secure cloud migration.

Make Sure Your Business Associates Are Secure

The next item on our list of cyber security tips for 2018 addresses another epidemic we saw over this past year: incidents where hackers targeted the smaller, third-party vendors of larger organizations such as Verizon, the Republican National Committee, and Netflix. It is estimated that over 60% of all breaches now involve third-party business associates. Often, hackers target these firms because they tend to be smaller than their corporate customers and have less robust cyber security. Make sure to vet your vendors’ information security very carefully and ensure that they aren’t cutting corners. Ask us about Vendor Risk Assessments.

Keep Your Software & Systems Updated

Both the WannaCry and NotPetya attacks targeted older, unpatched versions of Microsoft Windows, and the Equifax breach was the fault of the organization not updating its installation of Adobe Struts. Because hackers often exploit known vulnerabilities that developers have patched in security updates, one of the easiest ways to fend off cyber attacks is to keep your operating systems and software up to date.

Don’t Forget About Your Employees

The biggest security vulnerability in any organization is its own people. All of the updates, firewalls, and technical controls in the world will do you no good if an employee clicks on a link in a phishing email, shares their password “just this one time,” or “goes rogue” and decides to strike back against the company. Your cyber security plan should include continuous employee training on cyber security best practices as well as precautions to guard against malicious insiders.

Remember that Compliance Does Not Equal Cyber Security

It is of the utmost importance to comply with regulatory and industry standards such as HIPAA, PCI DSS, SOC, FedRAMP, and the upcoming GDPR. However, compliance is the starting point, not the do-all, end-all, of cyber security. Because today’s data environments are complex and unique, and the threat environment changes daily, it is impossible for any standard or framework to address every single possible risk and vulnerability that an individual organization may face.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Every organization needs an effective cyber security policy

Anyone who has taken the CISSP exam knows that cyber security policy is at the top of the policy/standard/procedure hierarchy. The logic is that cyber security policy must come first because it identifies the organization’s security issues and their scope; it answers the question, “Why do we need to do this?” Only after understanding the why can an organization develop quantifiable measurements and determine what is required (standards), then establish the proper steps to achieve the standards (procedure).

Cyber security policy protects information within an enterprise, defines rules regarding consistency and fairness, and ensures compliance. Yet despite the high importance of cyber security policy, many small and medium sized businesses (SMBs) lack effective security policies. Some don’t have them at all! This “ad hoc” approach to enterprise cyber security has become such a problem among defense subcontractors that the DoD is developing a new compliance framework to address it.

Regardless of size or industry, every organization must have documented IT security policies to protect their digital assets. Many compliance frameworks, including HIPAA, PCI DSS, and SOC attestations, require written policies, and policy documentation will also help your company defend itself defend itself against fines and civil litigation in the event of a data breach.

Types of IT security policies

The CISSP defines three primary types of cyber security policies.

• Regulatory policies ensure that an organization is adhering to industry-specific compliance mandates or laws, such as those governing public utilities, financial institutions, or other organizations operating in the public interest.
• Advisory policies specify which employee behaviors an organization considers acceptable and unacceptable. While advisory policies aren’t mandatory per se, employees who violate them face serious consequences, ranging from serious warnings to termination.
• Informative policies educate an organization’s employees or business partners without laying out any specific or implied requirements.

These three IT security policy categories can be broken down further into organizational, system-specific, and issue-specific policies. An organizational (or master) security policy is the blueprint for an enterprise cyber security program; it outlines the company’s strategic plan for implementing cyber security. System-specific policies dictate the approved software, hardware, and hardening methods for specific systems. Issue-specific policies address functional areas that require additional attention and detail, such as IT security policies governing email usage, change management, access control, data retention, and vulnerability management.

Developing & maintaining an effective cyber security policy

Depending on an organization’s size, industry, risk profile, and data environment, their IT security policy could range from a one-page guide to a book containing dozens of pages. Here are some general tips for developing an appropriate and effective cyber security policy.

• Understand your compliance requirements and align your policies with them. If you don’t know where to start, applicable compliance mandates are a good place.
• Understand your infrastructure. Work with your IT team to map the systems you have in place, their capabilities and vulnerabilities, and your current backup and security measures.
• Clearly identify security controls. This includes which specific security programs are to be implemented, timelines and procedures for updates and patches, and backup procedures.
• Clearly identify employees’ roles and responsibilities. An effective IT security policy must define accountability, such as who is responsible for maintaining and enforcing policy, who is responsible for training users, and who responds to security incidents and each person’s role during response.
• Outline acceptable use conditions. This includes acceptable use of the company internet connection, social media usage policy, remote access rules, and the proper procedure for reporting security incidents.

Cyber security policy is not “one and done.” The cyber threat environment is in continuous flux, and security policies must be reviewed and updated on a regular basis.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.