Enterprise attack surfaces are constantly changing, driven by common pressures such as the cost of goods and services, shortened cycle times, increased transparency and a remote workforce. Furthermore, there are more IT applications and interfaces that give external parties such as customers and vendors access to mission-critical, sensitive data. According to Verizon's 2022 Data Breach Investigations Report (DBIR), "partners" were the source of compromise twice as often as insiders. Application Programming Interfaces (APIs) and supplier-facing applications become new access points, where a compromised supplier account can lead to the loss of integrity or confidentiality of sensitive data such as available inventory or trade secrets.
Add to this the Covid-19 explosion of remote working, which forced network and cybersecurity teams to rapidly adjust policy and network behavior, including the rapid adoption of Virtual Private Network (VPN) split tunneling. Remote work is not going away. A Flexjobs survey conducted between February 23, 2022 and March 7, 2022 showed that 77% of respondents chose remote work as the second most important compensation and benefit item. Cybersecurity teams must adjust their self-assessment models to accommodate remote workers and the new points of entry from both business and personal devices, including mobile.
While we try to optimize business systems to meet changing needs, the network is also evolving to address the evolution of the enterprise. Hybrid and multi-cloud applications put pressure on reliability and latency as cloud data centers take on mission-critical applications and new points of entry appear across the entire enterprise. These network evolutions result in increased and different cybersecurity risks as we move away from proven, optimized technologies such as MPLS and the hardened data center.
Guidance from standards organizations, such as the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), the European Union Agency for Cybersecurity (ENISA) and ISO's 27000 family of standards, shares common themes for successful cybersecurity: write down your policy; conduct risk assessments annually or when circumstances change; validate controls using penetration tests.
Maintaining current, detailed documentation of cybersecurity procedures and conducting in-depth self-assessments may highlight areas of vulnerability that require attention. When developing a self-assessment or audit process, securing executive support will help with adoption and compliance. Educating employees, vendors, and anyone else who has access to a network entry point is a critical step in a successful self-assessment. Model different scenarios applicable to everyone concerned, from the end user to the cyber specialist managing a company-wide policy update.
When conducting a self-assessment, consider a best-practices model with help from a subject matter expert, then choose a tool applicable to the standards that meet your security policy. Consider supplementing and enhancing your policy if you find it does not address recommendations or best practices based on your discovery process. The self-assessment tool should be updated periodically to account for evolving circumstances and identify new gaps in controls. As a starting point, consider having an external assessment, prior to creating a self-assessment.
A common discovery in external assessments is controls that have lapsed, or that no longer work as intended or as understood by the internal team. Bring these findings back to the self-assessment stage and integrate them into the policy. Challenge security and network teams to ask deeper questions about:
- How will the controls be implemented?
- Who is responsible for validating changes?
- What is the impact of changes on the intended function of the controls?
- What is the process for testing the controls after changes are applied?
- What is the frequency of penetration testing to gain outside validation of the controls' effectiveness?
With the US's Shields Up, the EU's NIS (and shortly NIS2) and other governments issuing cybersecurity guidance, this is the time to conduct an updated security self-assessment. Think about the new cybersecurity paradigm and look critically at how prepared you are to address the new requirements. As your enterprise cybersecurity needs evolve, it is important to consider that the in-house skill set may require more education, or assistance from a cybersecurity company that can help develop a comprehensive self-assessment that will scale to meet new challenges as they appear.