“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.

Security alerts

The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour, and the work doesn’t stop at the end of the shift: 38% of respondents admitted to having to respond to alerts at night.

What to do

  1. Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of separate alarms and speeds up their processing (weigh this against vendor lock-in).
  2. Implement automation. For example, an XDR solution can automate typical analysis and response scenarios and reduce the number of alerts by correlating disparate events into a single incident.
  3. Leverage an MSSP, an MDR service or a commercial SOC. This is the most efficient way to flexibly scale alert handling. Full-time team members will then be able to focus on building overall security and investigating complex incidents.

Emails with warnings

Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.

What to do

  1. Offload as many alerts as possible to specialized systems. If a security product can send its alerts to a SIEM or a dashboard, that’s better than email.
  2. Use automation. Some typical emails can be parsed by simple scripts and turned into alerts in the dashboard. Emails that aren’t suited to this should still be classified automatically: scored for urgency and subject matter, then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot for this; mail-processing rules or simple scripts will do the job.

These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.

Emails flagged by employees

Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.

What to do

  1. Deploy reliable protection at the mail gateway level. This will significantly reduce the number of genuine phishing emails that reach inboxes, and with specialized defense mechanisms in place many targeted attacks will be stopped there too. Of course, no gateway catches everything, and this will have no impact on the number of vigilant employees.
  2. If your email security solution has a “report a suspicious email” button, instruct your colleagues to use it. Reports then arrive in a consistent form and the infosec team doesn’t have to process them by hand.
  3. Set up a separate email address for employees’ reports so that this category of email isn’t mixed with other security alerts.
  4. If item 2 is not feasible, focus your efforts on automatically picking out known-safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the remainder.
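The two scripted tasks described above, turning routine notices into scored, routed alerts (the “Emails with warnings” section) and weeding known-safe and repeat messages out of the employee-report mailbox (item 4 here), as one added example. This is illustration code, not anything from the original post; the sample messages are constructed, and the sender domains, keywords, weights, thresholds and folder names are assumptions to be tuned to your own mail flow. It assumes each reported message is available as the original `.eml` text (as a report button or a forward-as-attachment would supply it) and relies on the gateway’s `Authentication-Results` header for the DMARC verdict, because a sender domain on its own is trivially spoofable.

```python
"""Triage scripts for a shared security mailbox.

Added example, not code from the original post.  Part 1 scores vendor,
regulator and system notices by topic and urgency and picks a folder
(the "mail-processing rules or simple scripts" approach).  Part 2
pre-filters employee-reported "suspicious" mail: known-safe senders
(only when the gateway's DMARC check passed) and repeat reports of the
same message are separated from the unknown remainder that needs a
human.  All messages are constructed; domains, keywords, weights,
thresholds and folder names are assumptions, not values from the post.
"""
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# --- Part 1: vendor / regulator / system notices ---------------------------
# (pattern, topic, weight): assumed values, tune to your own mail flow.
RULES = [
    (re.compile(r"\b(0-?day|actively exploited|critical)\b", re.I), "vulnerability", 5),
    (re.compile(r"\b(patch|security update|advisory)\b", re.I), "vulnerability", 1),
    (re.compile(r"\b(breach|incident|compromise)\b", re.I), "incident", 4),
    (re.compile(r"\b(regulation|compliance|deadline|audit)\b", re.I), "compliance", 2),
    (re.compile(r"\b(newsletter|webinar|unsubscribe)\b", re.I), "marketing", -3),
]

def _parse(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)

def _text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")

def triage_notice(raw: str) -> dict:
    """Return topic, urgency score and target folder for one notice.
    Each rule counts once however often it matches, so repeating a
    keyword cannot inflate the score."""
    text = _text(_parse(raw))
    per_topic: dict = {}
    for pattern, topic, weight in RULES:
        if pattern.search(text):
            per_topic[topic] = per_topic.get(topic, 0) + weight
    score = sum(per_topic.values())
    topic = max(per_topic, key=per_topic.get) if per_topic else "unclassified"
    folder = "Urgent" if score >= 5 else "Review" if score >= 1 else "Low"
    return {"topic": topic, "score": score, "folder": folder}

# --- Part 2: employee-reported "suspicious" emails -------------------------
# Assumed: domains whose mail is legitimate *if* it is authenticated.  The
# allowlist alone is not enough, since a phisher can put the same domain
# in the From header; the gateway's DMARC verdict (RFC 8601) tells them apart.
SAFE_SENDER_DOMAINS = {"hr-system.example", "payroll.example"}
_PREFIX = re.compile(r"^\s*(fw|fwd|re)\s*:\s*", re.I)

def _fingerprint(msg: EmailMessage) -> str:
    """Coarse campaign fingerprint: sender address + subject without FW/RE prefixes."""
    subject = str(msg["Subject"] or "")
    while _PREFIX.match(subject):
        subject = _PREFIX.sub("", subject, count=1)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    key = sender + "|" + " ".join(subject.lower().split())
    return hashlib.sha256(key.encode()).hexdigest()

def _dmarc_passed(msg: EmailMessage) -> bool:
    return any(re.search(r"\bdmarc=pass\b", str(v))
               for v in msg.get_all("Authentication-Results", []))

def classify_reports(raws: list) -> list:
    """Label each reported message known-safe, duplicate, or needs-review.
    Reports are handled in arrival order: the first sighting of a campaign
    is queued for review and later copies are marked duplicate."""
    seen, verdicts = set(), []
    for raw in raws:
        msg = _parse(raw)
        domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
        fp = _fingerprint(msg)
        if domain in SAFE_SENDER_DOMAINS and _dmarc_passed(msg):
            verdicts.append("known-safe")
        elif fp in seen:
            verdicts.append("duplicate")
        else:
            seen.add(fp)
            verdicts.append("needs-review")
    return verdicts

# Constructed sample messages (not real mail).
NOTICES = [
    "From: advisories@vendor.example\nSubject: Critical security update available\n\n"
    "A critical vulnerability is being actively exploited. Install the security update now.\n",
    "From: news@regulator.example\nSubject: Monthly newsletter: compliance webinar\n\n"
    "Join our webinar on the new regulation. Unsubscribe here.\n",
    "From: advisories@vendor.example\nSubject: Advisory: patch released for a minor issue\n\n"
    "This advisory announces a maintenance patch.\n",
]
REPORTS = [
    "Authentication-Results: mx.corp.example; dmarc=pass header.from=hr-system.example\n"
    "From: noreply@hr-system.example\nSubject: FW: Your payslip is ready\n\nYour payslip is ready.\n",
    "Authentication-Results: mx.corp.example; dmarc=fail header.from=hr-system.example\n"
    "From: noreply@hr-system.example\nSubject: FW: Your payslip is ready\n\nOpen the attachment.\n",
    "From: ceo@corp-example.example\nSubject: Fwd: Urgent wire transfer\n\nPlease transfer funds today.\n",
    "From: ceo@corp-example.example\nSubject: FW: FW: urgent wire transfer\n\nPlease transfer funds today.\n",
]

if __name__ == "__main__":
    for n in NOTICES:
        print(triage_notice(n))
    print(classify_reports(REPORTS))
```

Run as-is, the three notices land in Urgent, Low and Review respectively, and the four reports come back as known-safe, needs-review (the spoofed HR mail fails DMARC), needs-review and duplicate. The spoofed message gets the same fingerprint as the genuine one but is not suppressed, because only reviewed-and-safe messages are never added to the seen set; a real deployment would also feed verdicts back into the gateway’s block list.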

Prohibitions, risk assessments, and risk negotiations

As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.

Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.

What to do

  1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them and on the workarounds they provoke.
  2. Maintain an open dialogue with your key internal customers (the business units) about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
  3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
  4. Handle the remaining business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security reviews less frequently, only at the most critical phases of a project. This reduces the time outlays for both the business and the infosec team.

Checklists, reports, and guidance documents

Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.

What to do

  1. Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI DSS Report on Compliance, or a SOC 2 report. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
  2. Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
  3. Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.

Selecting security technologies

New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.

What to do

  1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run, though weigh it against lock-in and against the blast radius if that one vendor has an outage or is itself compromised.
  2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.

Security training

Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.

What to do

Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.


All large companies have formal processes for both onboarding and offboarding. These include granting access to corporate IT systems after hiring, and revoking said access during offboarding. In practice, the latter is far less effective — with departing employees often retaining access to work information. What are the risks involved, and how to avoid them?

How access gets forgotten

New employees are granted access to the systems they need for their jobs. Over time, these accesses accumulate, but they’re not always issued centrally, and the process itself is by no means always standardized. Direct management might give access to systems without notifying the IT department, while chats in messenger apps or document-exchange systems get created ad hoc within a department. Poorly controlled access of this kind is almost certain not to be revoked from an offboarded employee.

Here are some typical scenarios in which IT staff may overlook access revocation:

  • The company uses a SaaS system (Ariba, Concur, Salesforce, Slack… there are thousands of them) that employees access with a username and password they set themselves at first login, and that isn’t integrated with the corporate employee directory.
  • Employees share a common password for a particular system. (The reason may be saving money by using just one subscription or lacking a full multi-user architecture in a system.) When one of them is offboarded, no one bothers to change the password.
  • A corporate system allows login using a mobile phone number and a code sent by text. Problems arise if an offboarded employee keeps the phone number they used for this purpose.
  • Access to some systems requires being bound to a personal account. For example, administrators of corporate pages on social media often get access by assigning the corresponding role to a personal account, so this access needs to be revoked in the social network as well.
  • Last but not least is the problem of shadow IT. Any system that employees started using and run by themselves is bound to fall outside standard inventory, password control and other procedures. Most often, offboarded employees retain the ability to perform collaborative editing in Google Docs, manage tasks in Trello or Basecamp, share files via Dropbox and similar file-hosting services, as well as access work and semi-work chats in messenger apps. That said, pretty much any system could end up in the list.

The danger of unrevoked access

Depending on the role of the employee and the circumstances of their departure, unrevoked access can create the following risks:

  • The offboarded employee’s accounts can be used by a third party for cyberattacks on the company. A variety of scenarios are possible here — from business email compromise to unauthorized entry to corporate systems and data theft. Since the departed employee no longer uses these accounts, such activity is likely to go unnoticed for a long time. Forgotten accounts may also use weak passwords and lack two-factor authentication, which simplifies their takeover. No surprise, then, that forgotten accounts are becoming very popular targets for cybercriminals.
  • The offboarded employee might continue to use accounts for personal gain (accessing the customer base to get ahead in a new job; or using corporate subscriptions to third-party paid services).
  • There could be a leak of confidential information (for example, if business documents are synchronized with a folder on the offboarded employee’s personal computer). Whether the employee deliberately retained this access to steal documents or it was just plain forgetfulness makes little difference. Either way, such a leak creates long-term risks for the company.
  • If the departure was acrimonious, the offboarded employee may use their access to inflict damage.

Additional headaches: staff turnover, freelancing, subcontractors

Keeping track of SaaS systems and shadow IT is already a handful, but the situation is made worse by the fact that not all company offboarding processes are properly formalized.

An additional risk factor is freelancers. If they were given some kind of access as part of a project, it’s extremely unlikely that IT will promptly revoke it — or even know about it — when the contract expires.

Contracting companies likewise pose a danger. If a contractor fires one employee and hires another, often the old credentials are simply given to the new person, rather than deleted and replaced with new ones. There’s no way that your IT service will know about the change in personnel.

In companies with seasonal employees or just a high turnover in certain positions, there’s often no full-fledged centralized on/offboarding procedure — just to simplify the business operation. Therefore, you can’t assume they’ll perform an onboarding briefing or operate a comprehensive offboarding checklist. Employees in these jobs often use the same password to access internal systems, which can even be written on a Post-It right next to the computer or terminal.

How to take control

The administrative aspect is key. Below are a few measures that significantly mitigate the risk:

  • Regular access audits. Carry out periodic audits to determine what employees have access to. The audit should identify accesses that are no longer current or were issued unintentionally or outside of standard procedures, and revoke them as necessary. For audits, a technical analysis of the infrastructure is not enough. In addition, surveys of employees and their managers should be carried out in one form or another. This will also help bring shadow IT out of the shadows and in line with company policies.
  • Close cooperation between HR and IT during offboarding. Departing employees should be given an exit interview. Besides questions important for HR (satisfaction with the job and the company; feedback about colleagues), this should include IT issues (request a complete list of systems that the employee used on a daily basis; ensure that all work information is shared with colleagues and not left on personal devices, etc.). The offboarding process usually involves signing documents imposing responsibility on the departing employee for disclosure or misuse of such information. In addition to the employee, it’s advisable to interview their colleagues and management so that IT and InfoSec are fully briefed on all their accounts and accesses.
  • Creation of standard roles in the company. This measure combines technical and organizational aspects. For each position and each type of work, you can draw up a template set of accesses to be issued during onboarding and revoked during offboarding. This lets you create a role-based access control (RBAC) system and greatly simplify the work of IT.

Technical measures to facilitate access control and increase the overall level of information security:

  • Implementing Identity and Access Management (IAM) and identity security systems. The keystone here is a single sign-on (SSO) solution backed by a centralized employee directory: disabling the one directory account then revokes access to every system federated with it. Any system that still keeps its own passwords stays on the manual offboarding list.
  • Asset and inventory tracking to centrally record corporate devices, work mobile phone numbers, issued licenses, etc.
  • Monitoring of dormant accounts. Information security tools can be used to introduce monitoring rules that flag accounts in corporate systems that have been inactive for a long time. Such accounts must be periodically reviewed and disabled manually.
  • Compensating controls for shared passwords that have to be used: keep them in a password manager rather than on a Post-It, and change them on every departure, not just on a schedule.
  • Time-limited access for freelancers, contractors and seasonal employees. For them, it’s always best to issue short-term accesses that expire automatically, and to extend or change them only when necessary.
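The access audit, the dormant-account rule and the time-limited-access rule from the two lists above, carried out together as one added example (illustration code, not from the original post). It joins an HR roster against an account inventory pulled from several systems and reports what to revoke, disable, rotate or review; in practice the roster comes from HR and the inventory from the directory, each SaaS admin console and the asset register, as the text describes. The roster, the inventory, the dates, the system names and the 90-day dormancy threshold are all constructed or assumed.

```python
"""Offboarding access reconciliation.

Added example, not code from the original post.  It performs the access
audit, the dormant-account check and the time-limited-access check
described above by joining an HR roster against an account inventory
exported from several systems (directory, SaaS consoles, shared tools).
Roster, inventory, dates, system names and the 90-day dormancy threshold
are constructed or assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DORMANT_AFTER = timedelta(days=90)  # assumed threshold

@dataclass(frozen=True)
class Person:
    email: str
    kind: str                        # "employee" or "contractor"
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # contract end, contractors only

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner: Optional[str]             # e-mail the access was issued to
    last_login: Optional[date]
    expires: Optional[date] = None   # set for time-limited access
    shared: bool = False             # one password used by several people

@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    action: str
    reason: str

def reconcile(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Flag every account that should be revoked, disabled, rotated or reviewed.
    Rules run from most to least certain; only the first that applies is
    reported for an account, so an offboarded owner beats a dormancy hit."""
    people = {p.email.lower(): p for p in roster}
    findings: List[Finding] = []
    for a in accounts:
        owner = people.get((a.owner or "").lower())
        if a.shared:
            f = Finding(a.system, a.login, "rotate", "shared password; change it on every departure")
        elif owner is None:
            f = Finding(a.system, a.login, "review", "no HR record for owner; shadow IT or contractor handover")
        elif owner.status == "terminated":
            f = Finding(a.system, a.login, "revoke", "owner has been offboarded")
        elif owner.kind == "contractor" and owner.end_date and owner.end_date < today:
            f = Finding(a.system, a.login, "revoke", "contract has ended")
        elif owner.kind == "contractor" and a.expires is None:
            f = Finding(a.system, a.login, "set-expiry", "contractor access without an end date")
        elif a.expires is not None and a.expires < today:
            f = Finding(a.system, a.login, "disable", "time-limited access has expired")
        elif a.last_login is None or today - a.last_login > DORMANT_AFTER:
            f = Finding(a.system, a.login, "disable", f"no login for more than {DORMANT_AFTER.days} days")
        else:
            continue  # active, owned by a current employee, not expired
        findings.append(f)
    return findings

# Constructed sample data.
TODAY = date(2025, 1, 15)

ROSTER = [
    Person("alice@corp.example", "employee", "active"),
    Person("bob@corp.example", "employee", "terminated"),
    Person("carol@freelance.example", "contractor", "active", end_date=date(2024, 12, 31)),
    Person("dave@vendor.example", "contractor", "active", end_date=date(2025, 6, 30)),
]

ACCOUNTS = [
    Account("directory", "alice", "alice@corp.example", date(2025, 1, 14)),
    Account("directory", "bob", "bob@corp.example", date(2024, 11, 1)),
    Account("crm-saas", "bob.smith", "bob@corp.example", date(2024, 10, 20)),   # not federated with SSO
    Account("project-board", "c.freelance", "carol@freelance.example", date(2025, 1, 10), expires=date(2025, 3, 1)),
    Account("vpn", "dave-vendor", "dave@vendor.example", date(2025, 1, 12)),
    Account("wiki", "dave.w", "dave@vendor.example", date(2025, 1, 5), expires=date(2024, 12, 31)),
    Account("file-share", "marketing-shared", None, date(2025, 1, 13), shared=True),
    Account("docs-saas", "erin.k", "erin@corp.example", date(2024, 9, 1)),      # nobody in HR
    Account("directory", "svc-report", "alice@corp.example", date(2024, 7, 1)),
]

if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(f"{f.system:14} {f.login:18} {f.action:10} {f.reason}")
```

Eight of the nine constructed accounts produce a finding; only Alice’s own directory account is clean. Note that Carol’s project-board access is revoked on the HR contract end date even though its own expiry is still in the future, and Dave’s wiki access is disabled on its expiry even though his contract is still running: both sources of truth have to be checked, because neither is reliably kept up to date on its own.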


How SMBs can effectively protect their networks from cyberthreats – without breaking their security budgets

Recently, I participated in a training exercise where a team of hackers (the red team) simulated an attack on an organization’s infrastructure, and a team of Cyber experts (the blue team) was tasked with responding to the incident and restoring normal operations. As the red team inflicted its initial attack, the blue team jumped on their monitoring tools and detection technology, scrambling to quickly quell the threat and fend off the attackers. Their natural response was to put up one obstacle after another, rapidly trying to shield their infrastructure from harm: for example, shutting down ports that were being targeted by attackers or disabling admin accounts that the red team was trying to compromise. Unfortunately, in this process, the blue team would also block legitimate and essential traffic on ports, or shut down systems driven by admin accounts, effectively disrupting their organization’s ability to operate – even before the attackers had accomplished this with their tactics.