The three pillars of cyber security protection, identity, privilege and asset management, will never lose importance. They have remained constant for decades. Other IT security recommendations, however, have not been as deep-seated, and have instead evolved to reflect changes in the threat landscape, the arrival of new technology tools, or updated insights drawn from better data.
But not everything new is shiny, and not everything old is broken. So which recent security policies should you and your employees give up? And how do you get a workforce to unlearn habits it may have only just spent time learning?
Downloading software from application stores
Most commercial applications are only available directly from the manufacturer, but modern applications, such as Microsoft Office, are usually also available from the application stores for Windows and macOS.
Downloading applications straight from the source has its benefits, such as slightly greater assurance that the software has not been tampered with. Installing them from an application store has its own advantages, though: compatibility issues will already have been addressed and updates arrive automatically, which makes this the more appealing option.
For example, if an organisation downloads Microsoft Office 365 from the macOS store, it can be confident that an update will deliver both security fixes and feature updates. The store's additional screening provides reassurance that the software has not been altered, which makes authorised app stores a more viable option for software delivery.
Frequently changing passwords is not all that secure
Did you know that the US National Institute of Standards and Technology (NIST) actually advises against changing personal passwords frequently? Instead, the recommendation is to change a password only in the event of a known theft or compromise. Imposing frequent password changes on people's personal accounts turns out to be counterproductive: people tend to choose memorable passwords and repeat the same ones across accounts. When they do try to use unique passwords, they often forget them because of the frequency of change and get locked out of their accounts.
So frequently changing passwords does help mitigate password re-use attacks, but the way humans practise it undermines overall security. For privileged accounts, shared accounts, and application and service accounts, however, the same rule does not apply. Privileged credentials should be rotated after every use, especially for the most sensitive accounts in the organisation. Even in smaller businesses, this is best achieved with a commercial privileged password management solution, which can scale security workflows and automate password security.
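To make the two rotation rules concrete, here is an added Python example (not from the article and not BeyondTrust's code) that replays a constructed year of activity for one personal account and one privileged service account, first under the legacy calendar-expiry rule and then under the event-driven rule described above: personal passwords change only on a known compromise, privileged credentials change after every use. The account names, the 90-day expiry period and the event timeline are all assumptions made for the example.

```python
"""Added example: calendar-based password expiry versus event-driven rotation."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class AccountType(Enum):
    PERSONAL = "personal"      # an individual's own login
    PRIVILEGED = "privileged"  # shared admin, application or service account


@dataclass
class Credential:
    account: str
    kind: AccountType
    secret: str
    last_rotated: date
    compromised: bool = False
    rotations: int = 0

    def rotate(self, on: date) -> None:
        # Generate a fresh random secret; a real vault would also push it to the target system.
        self.secret = secrets.token_urlsafe(24)
        self.last_rotated = on
        self.compromised = False
        self.rotations += 1


def legacy_rotation_due(cred: Credential, today: date, max_age_days: int = 90) -> bool:
    """Legacy rule: every password expires on a fixed calendar schedule
    (and, as under any rule, on a known compromise)."""
    return cred.compromised or (today - cred.last_rotated).days >= max_age_days


def event_rotation_due(cred: Credential, used_today: bool) -> bool:
    """Rule described in the article: personal passwords change only on a known
    theft or compromise; privileged credentials change after every use."""
    if cred.compromised:
        return True
    return cred.kind is AccountType.PRIVILEGED and used_today


# Constructed timeline of (day offset, account, event); hypothetical accounts.
SAMPLE_EVENTS = [
    (10, "svc-backup", "use"),
    (50, "svc-backup", "use"),
    (120, "svc-backup", "use"),
    (200, "alice", "compromise"),   # e.g. the credential turned up in a breach dump
    (300, "svc-backup", "use"),
]


def simulate(policy: str, days: int, events) -> dict:
    """Replay `events` day by day under `policy` ('legacy' or 'event') and
    return how many rotations each account went through."""
    start = date(2024, 1, 1)
    creds = {
        "alice": Credential("alice", AccountType.PERSONAL, "initial", start),
        "svc-backup": Credential("svc-backup", AccountType.PRIVILEGED, "initial", start),
    }
    for offset in range(days):
        today = start + timedelta(days=offset)
        todays = [e for e in events if e[0] == offset]
        for _, account, event in todays:
            if event == "compromise":
                creds[account].compromised = True
        for name, cred in creds.items():
            used_today = any(a == name and ev == "use" for _, a, ev in todays)
            if policy == "legacy":
                due = legacy_rotation_due(cred, today)
            elif policy == "event":
                due = event_rotation_due(cred, used_today)
            else:
                raise ValueError(f"unknown policy: {policy}")
            if due:
                cred.rotate(today)
    return {name: cred.rotations for name, cred in creds.items()}


if __name__ == "__main__":
    for policy in ("legacy", "event"):
        print(policy, simulate(policy, 365, SAMPLE_EVENTS))
```

Under the legacy rule both accounts are rotated four times in the year regardless of what happened to them; under the event-driven rule the personal account is rotated once (at the compromise) while the service account is still rotated after each of its four uses, which is where the automation of a privileged password management tool earns its keep.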
Reversing what has been learnt at a corporate training session
Unless employees are part of an organisation's IT security department, they are unlikely to be aware of the implications of new technologies, such as the widening attack surface and evolving cyberthreats. It is therefore no surprise that 64 per cent of organisations believe they have definitely or possibly had a breach due to employee access. Organisations commonly run cybersecurity training for their workforce or send out emails warning employees about the latest phishing techniques. Yet an employee who misses a single session may retain outdated information for years, and once something is learned it is hard to unlearn. How can employers encourage their staff to learn new best practices?
A good strategy when training employees is to clearly outline the changes made to existing policies and which old practices should be replaced with new security best practices. Teaching people something that contradicts what they knew before can breed confusion and frustration. If employees also understand why a change has happened, they are more likely to remember to apply the new rule.
For example, the standard advice for phishing has always been not to click on an embedded link in an email, yet many applications embed links to resources that cannot be reached directly. Standard security training nevertheless teaches employees to always inspect the URL for HTTPS and the domain name. As training material is updated, it is important to explain how such exceptions are handled; otherwise employees are left wondering, “which best practice should I follow, and which is now obsolete?”.
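The URL inspection that training teaches, together with an explicit allow-list for the exceptions the paragraph above mentions, can be expressed as a small checker. The following Python is an added example, not code from the article or from BeyondTrust; the sanctioned link-wrapping hostname, the sample email body and all hosts in it (reserved example/test names) are constructed for the illustration.

```python
"""Added example: the link inspection taught in phishing training, with an
allow-list for sanctioned link-wrapping services so that known exceptions are
reported as such rather than as alerts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hostnames of link-wrapping (click-tracking) services the
# organisation has sanctioned; constructed for this example.
SANCTIONED_WRAPPERS = {"links.example-mailer.test"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL, or of bare link text such as 'bank.example.com'."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def inspect_link(href: str, text: str) -> list:
    """Return the findings a trained reader would raise for one link."""
    findings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        findings.append("not-https")
    if host in SANCTIONED_WRAPPERS:
        # Known exception: the real destination is only reachable through the wrapper.
        findings.append("sanctioned-wrapper")
        return findings
    # If the visible text looks like a domain or URL, it must match the real target.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != host:
        findings.append("text-host-mismatch")
    return findings


def inspect_html(html: str) -> list:
    """Inspect every anchor in an HTML email body: [(href, findings), ...]."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, inspect_link(href, text)) for href, text in collector.anchors]


# Constructed sample email body; every host is a reserved example/test name.
SAMPLE_EMAIL = """
<p>Your statement is ready: <a href="https://bank.example.com/statements">bank.example.com</a></p>
<p>Action required: <a href="http://bank-example.com.login.test/verify">https://bank.example.com</a></p>
<p><a href="https://links.example-mailer.test/r/abc123">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, findings in inspect_html(SAMPLE_EMAIL):
        print(href, findings or ["ok"])
```

The first link passes both checks, the second fails both (plain HTTP and a visible address that does not match where the link really goes), and the third is flagged only as a sanctioned wrapper. Keeping that third category separate is the point: the exception is recorded and explained rather than silently contradicting the rule employees were taught.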
Ultimately, continuing to follow outdated security practices often does an organisation more harm than good. By breaking up with obsolete behaviours, such as always downloading straight from the vendor, frequently changing passwords and presenting everything taught at a training session as final, organisations can replace them with up-to-date security practices. Only then can the network be properly secured against looming cyberthreats and the cybercriminals behind them.
Brian Chappell, Senior Product Manager, BeyondTrust