The information security industry had no shortage of moments that kept us all on our toes in 2017. Among the top headlines, we saw new variations of ransomware, such as WannaCry using cryptoworms to infect an estimated 300,000-plus computer systems in just four days. One of the largest credit agencies in the U.S. suffered a breach that affected over 100 million consumers and researchers uncovered a hardware-level vulnerability in processors, affecting nearly every computer released since the mid-90s.
For those who are unaware of the cyber-threats present all around us, many believe 2017 was a year that served as another wakeup call for what the digital world is up against. Others, who are already highly-aware of the threats we face, understand that while some of these attacks and discoveries proved to be highly sophisticated, cyber-criminals will continue to do what they do best – go after the path of least resistance.
Information Security leaders need to use this new level of awareness as an opportunity to implement some of the fundamental security controls that are no-brainers to an outsider, but require an extraordinary amount of coordination, support, and understanding from the business.
Patch management. It’s been one of the number one recommended security controls for as long as we can remember, but getting patch management right continues to be a thorn in the side of many security programs around the world. This can be due to decentralized IT, fear of breaking applications and systems, or the worst-case scenario – you still have systems in your environment that are no longer supported. Getting this fundamental process in place will save organizations an incredible amount of time and pain, as seen from attacks such as WannaCry and Not Petya in 2017. When you break out basic cyber hygiene, patch management should always be part of the conversation.
Cloud Security. If you don’t think your business is already operating in the cloud some way or another, you’re probably wrong. That said, if a strategic data-center cloud model is in place or in the works, security teams should be inserting themselves into that planning or build-out as early as possible. Moving to the cloud without a security strategy incorporated can be a disaster waiting to happen. Your cloud environment should truly be an extension of your data-center, and for many security teams, it’s a fresh opportunity to get it right from the start.
Email Protection. The old adage “if it’s not broken, don’t fix it” rings true for cyber-criminals as well. The fact is, sophisticated breaches may make it to the top of the news headlines, but criminals will continue asking employees for their credentials and information as long as they keep handing them out. Implementing a strong email security program, including DMARC, layered with stronger identity protection, such as two-factor authentication, will put organizations in a much safer place. Don’t forget about security awareness. Achieving a level of awareness that turns your workforce into security advocates (not professionals) should be the goal.
These are just three of the many strategies information security teams should have on their roadmap for 2018. Key initiatives, such as medical device security, increased network segmentation, vulnerability management, and user behavioral analytics are a few others that many programs remain zeroed in on as we move into the future.
Dan Costantino is the Chief Information Security Officer at Penn Medicine.