Compliance as a Critical Business Enabler (podcast)

Security expert Kayne McGladrey, who serves as director of security and IT at Pensar Development and is a member of the Institute of Electrical and Electronics Engineers, said companies need to add extra steps to everything.

“The company could choose to add friction, whether it’s multi-factor authentication or an email link just to put a little additional scrutiny and raise the bar so it is materially more difficult for threat actors who have obtained someone’s credentials to be able to reuse those,” he said.

“The benefit of this strategy is that it applies universally. All of the automated attacks these days around credential stuffing and credential spraying do what the Yahoo hacker had done on a much larger scale. They get compromised credentials and test them across a whole bunch of websites using a distributed botnet.”

“Few companies had a binder marked `global pandemic,’ but many had policies that called for annual DR testing that they didn’t enact,” said Kayne McGladrey, CISSP and cybersecurity expert. “Teams play how they train, but not having table-topped crisis communications, DR, or IR hurt their responses.”

Fraud isn’t new, but the internet has provided hackers with the capabilities to easily use the threat vector to trick employees into providing access to their enterprises. Cyberfraud attacks, often distributed via phishing or spear-phishing campaigns, consistently plague and sometimes even completely disable enterprises. Despite the growing number of technologies available to detect and prevent such social engineering attacks from being successful, the weakest link remains human error — be it negligence, maliciousness or apathy. Here, Institute of Electrical and Electronics Engineers member Kayne McGladrey describes the types of cyberfraud attacks enterprises will inevitably face, from credential harvesting to typosquatting attacks. He also offers best practices for creating and instituting a cybersecurity awareness program to prevent employees from falling victim to such threats.

Kayne McGladrey (@kaynemcgladrey), security architect/strategy and GRC practice lead at Ascent Solutions, recommends following the Cybersecurity Maturity Model Certification 2.0, which was developed by the U.S. Department of Defense. It offers a framework that incorporates “Zero Trust tenets that will help companies maintain regulatory compliance and ensure that data are adequately protected against evolving threats from nation states and advanced persistent threats,” he says.

“Bob Gourley emphasized that despite the dark topic of cyberthreats, we all leave with optimism. Carol Tang addressed the importance of continuous learning as part of a business leader’s proactive approach to mitigating risk and providing safety for customers. Kayne McGladrey emphasized the dual responsibility of today’s corporate decision makers with regard to cybersecurity: understand the complexity but act with transparency and specificity. It’s important to integrate cybersecurity awareness into the fabric of the organization, not sequester cybertrust solely within the domain of technology.”

Over the past year and a half, school administrators, teachers, and IT support staff and students themselves have been working in a complex threat environment. The pandemic and major increase in cyberattacks has resulted in closures for both in-person and online schools. While this will only continue into 2022, it will be importance for security and IT professionals that support schools to align their policies, procedures, and technical controls to a cybersecurity framework that fits the needs of their organization, such as the recently announced K-12 resources announced jointly by the FBI and CISA. Using a formal framework can help schools effectively identify and mitigate gaps in school security postures without substantial budget increases. Schools should also consider a quarterly exercise to re-audit their password stores, as the number of compromised passwords will only continue to increase in the year ahead. A password that was secure three months ago may have appeared in a data breach (especially since students and adults tend to use the same passwords for multiple accounts) and may no longer be a secure option. Although it’s hard to predict what’s to come for educational institutions moving forward and future of remote and hybrid learning is going to be uncertain, education professionals should expect to see threat actors continue to target schools that have not taken a proactive approach to cybersecurity and deployed the appropriate defenses.