Reactive vs. Proactive Cybersecurity

The government is taking on cybersecurity matters with gusto and leading the charge with some pretty heavy hitters like Amazon, IBM, Apple and Google. Not to mention, the latest cybersecurity initiative involving the private sector follows two mandates addressing the improvement of cybersecurity of the federal government and enhancing cybersecurity measures of critical infrastructure.

It’s the momentum that the cybersecurity industry loves to see. The government is funding billions of dollars, as well as loads of attention and awareness, to proactive cybersecurity matters and mandating big businesses, like critical infrastructure and supply chain organizations, to level up their security game. What’s not to love about that?

The truth is there is a lot to love. National cybersecurity is a subject that needs and deserves funding, awareness, and attention because we’ve seen the expansive implications of not having secure networks, systems, and data. However, this momentum came at a slight cost – the price of being reactive rather than proactive in prioritizing cybersecurity.

Now to those in the cybersecurity space, it seems logical (and critical) that major enterprises like Colonial Pipeline, JBS, and Kaseya should have proper protection for their critical assets, networks, and systems. But cybersecurity is not known for being prioritized in an enterprise’s operational strategy like other line items such as production and volume. This reason (and due to the international criminal gangs who are responsible for wreaking havoc on America’s cybersecurity) is why the government had to make proactive cybersecurity a priority.

A Proactive Cybersecurity Approach

It makes sense that the government is now putting mandates in place around cybersecurity. Sometimes you don’t know how to solve a problem until the problem occurs, and you’re able to learn from past mistakes. But it does make you ask the question, “Is there a way this could’ve been avoided?” “Was there a way to proactively protect against these threats – threats that these organizations didn’t even know existed?”

The short answer is yes. But the long and honest answer is that, as a best practice, all companies should have comprehensive cybersecurity measures in place that address security gaps and vulnerabilities in attack surfaces, but due to under-resourced, underfunded or understaffed teams, many organizations will opt to put their time, money and resources into other areas – not cybersecurity – especially when the “It won’t happen to me” mentality is highly persuasive.

The good news is we can take these new precedents outlined in the recent White House mandates as guideposts for what can be done to proactively get in front of cyber threats. Let’s look at some of the ways your organization can take proactive cybersecurity measures:

Evaluate and assess current security protocol.

It might seem arduous, but reviewing current cybersecurity protocol and identifying areas of weakness is an essential start of taking a proactive security approach to protecting against cyber threats. This helps you inventory the problems that need to be addressed and act on securing the gaps before those vulnerabilities get discovered and exploited.

Identify all critical access points.

When we say “critical access points,” we’re talking about all the digital doorways that lead to sensitive systems, networks, infrastructure, applications, and data, such as account logins, VPN connections, or other remote management solutions. Critical systems, networks, data, etc. are some of the most valued assets in an organization, and they happen to be what hackers want most. It’s important to take a look at all the entryways from which an employee, customer, or external third party could access those critical systems and make sure that access is locked down.

Secure all critical access.

Speaking of locking down access, one of the best ways to secure systems that hold sensitive and critical data is by restricting access to that data. Those systems might be accessible by all kinds of users. Restricting each user’s access starts with implementing least privileged access and a zero-trust security model. This involves taking a look at who has access to these critical assets and restricting access privileges down to only what a user needs (and nothing more) – whether that’s down to a certain time period or down to certain areas within the system. For example, a government employee who needs to access the criminal justice information database might only need access to that sensitive information for a certain period of time, so you can restrict their access from 9am – 5pm. Or, if that employee only needs access to a subset of information in the database, you can restrict access privileges to only that part of the database – not the entire criminal justice information system.

Monitor user activity.

Even before an attack occurs, your organization should be monitoring all user activity and keeping track of access rights. When you let employees, customers, third parties, etc. onto any part of your networks or systems, you should be monitoring their behavior to ensure they’re only accessing what they should and using their access rights to do their job function. Reviewing user access rights on a regular basis is also a highly recommended best practice to get rid of expired accounts or shut down access for users who no longer need it. This is a good habit to get into for several reasons:

1. If you’re in a regulated industry, compliance regulations often require audits of user activity and user access rights. If you’re already tracking these things, you’re one step ahead in meeting compliance requirements.
2. If a data breach occurs, you have the tools in place to trace the suspicious activity back to the source, which could save you time on investigating the incident and save you from any lost revenue due to downtime or a delay in productivity.
3. It helps minimize the risk of “access creep.” Access creep is someone who was granted access to a system and gradually accrues more access over time as they need it, but the access they don’t need is never taken away. Let’s say a government employee is granted access to a county’s financial records to do her job. The next year, she needs access to the patent database, so she’s granted permission to access that system. A month after that, she gets promoted to a job where she no longer needs access to financial and patent records, but she does need access to the criminal justice information system. She’s accruing access rights, but her old permissions aren’t taken away. This is access creep – something regular user reviews can avoid.

The recent government mandates support major cybersecurity efforts like zero-trust architecture, authentication methods like multi-factor authentication, documenting and auditing third-party network activity, and incident response plans. It’s the kind of wake-up call organizations need – especially big organizations like critical infrastructure and supply chain enterprises. Even though these mandates came as reactive responses to major data breaches, businesses across all industries can start implementing the practices encouraged in the mandates as proactive cybersecurity approaches to keep their critical systems safe.

This article originally ran on GovTech.