How Enterprises Can Fortify Cybersecurity ‘Weak Links’
The recent LexisNexis breach highlights the need to go “back to basics,” one expert says.

Hackers are getting better at finding the cracks in our armor.
Last week, data-broker giant LexisNexis disclosed a breach in which hackers obtained the personal data of more than 364,000 people. The records included names, birth dates, phone numbers, addresses, emails, Social Security numbers and driver’s license numbers. Though LexisNexis has revealed little about the attack, the hacker was able to access the information through the company’s GitHub account.
The attack highlights the need for enterprises to “go back to basics” to protect themselves properly, said Rob Hughes, chief information security officer at security firm RSA.
Though enterprises can bulk up their cybersecurity measures in many ways, many often forget fundamental digital hygiene, such as strong credentials and multifactor authentication. The incident is also a “great case for zero trust,” or the idea that no user or device within a network is trustworthy by default, Hughes said. “You want to make sure your identity is in good shape.”
Cybersecurity Triad
Maintaining strong cybersecurity requires strengthening the defenses of a “triad” of systems, said Hughes: Identity operations, device enrollment and help desk. “If you don’t have good controls around all three of those things, then you’ve got weak links in your chain.”
- For example, while multifactor authentication could limit breaches on the identity side, bad actors may attempt to impersonate employees to infiltrate an organization through its help desk, Hughes said.
- These actors can also sneak in with new device enrollment, or when employees are onboarding to an organization, he added.
- “There’s a push more towards that social engineering aspect of how you can get in and break that chain,” Hughes said.
Social engineering is why the weakest security links in an organization are often its people, Hughes said. Teaching employees to remain cautious, and giving them protocols to fall back on when they are approached by imposters or face difficult scenarios, could mean the difference between avoiding a devastating breach and falling victim to one. “That’s how social engineering works,” he said. “They feel like they’re rushed, or someone’s putting pressure on them.”
“It all comes down to the culture,” said Hughes. “Not every company has that backdrop or expectation of secure by default.”