As I suggested in a previous post, understanding cybersecurity is essential to effectively managing an employer’s risk. The upshot: employment lawyers must talk to CIOs. To do that, we’ll need to know a thing or two about the subject matter at hand.
The Basics of Insider-Related Cybersecurity
The Department of Homeland Security identifies six core elements for preventing insider-related cyberthreats:
(1) Collect and Analyze (understanding and auditing your network)
(2) Detect (monitoring network traffic and data usage for signs of attack)
(3) Deter (raise the cost of initiating an attack)
(4) Protect (repel an attack)
(5) Predict (anticipate threats)
(6) React (reduce opportunity, capability, and motivation for the insider)
I would add two more core elements to this list: Plan (in order to improve reaction times to breaches) and Re-Assess (continually update all of the core elements).
As DHS notes: “[e]xisting security tools for detecting cyber attacks focus on protecting the boundary between the organization and the outside world… they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data.” This can be intentional or non-intentional (as even non-malicious insiders can do a great deal of damage should they succumb to any number of scams designed to get them to punch holes in an employer’s cybersecurity).
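To make the DHS point concrete, the following is an added example (not from the post, from DHS, or from any product) that runs two detection rules over a few constructed audit log lines. A perimeter-style rule flags only the failed login from outside; a per-user egress baseline, plus an after-hours check, is what surfaces the credentialed insider moving a large volume of data out. The log format, user names, hosts and baseline figures are all invented for illustration.

```python
"""Toy comparison of perimeter-style and insider-aware detection rules.

Added example; the log format, users, hosts and baselines are constructed,
not taken from the post or from DHS guidance.
"""
from collections import defaultdict

# Constructed audit log lines:
# <timestamp> <user> <auth-result> <direction> <destination> <bytes>
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice AUTH_OK outbound files.example-partner.com 1200000
2024-03-01T09:15:40Z alice AUTH_OK outbound mail.example.com 40000
2024-03-01T10:01:05Z bob AUTH_OK outbound crm.example.com 300000
2024-03-01T10:30:22Z unknown AUTH_FAIL inbound vpn.example.com 0
2024-03-01T23:41:09Z bob AUTH_OK outbound share.example-cloud.net 950000000
2024-03-01T23:44:51Z bob AUTH_OK outbound share.example-cloud.net 870000000
"""

# Constructed "typical daily outbound bytes" per user, as a learned baseline would be.
BASELINES = {"alice": 2_000_000, "bob": 5_000_000}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, auth, direction, dest, size = line.split()
        events.append({
            "ts": ts,
            "hour": int(ts[11:13]),  # UTC hour from the ISO timestamp
            "user": user,
            "auth": auth,
            "direction": direction,
            "dest": dest,
            "bytes": int(size),
        })
    return events


def perimeter_alerts(events):
    """Boundary-focused rule: anything that fails authentication at the edge.

    This is the kind of control DHS describes; it never looks at what a
    properly authenticated user sends out.
    """
    return [e for e in events if e["auth"] != "AUTH_OK"]


def insider_egress_alerts(events, baselines, factor=10):
    """Insider-aware rule: authenticated outbound volume far above a user's baseline.

    Returns {user: total_outbound_bytes} for users exceeding factor x baseline.
    Users with no baseline are skipped rather than guessed at.
    """
    totals = defaultdict(int)
    for e in events:
        if e["auth"] == "AUTH_OK" and e["direction"] == "outbound":
            totals[e["user"]] += e["bytes"]
    return {
        user: total
        for user, total in totals.items()
        if user in baselines and total > factor * baselines[user]
    }


def after_hours_transfers(events, start=22, end=6):
    """Authenticated outbound transfers between `start` and `end` UTC (overnight window)."""
    return [
        e for e in events
        if e["auth"] == "AUTH_OK"
        and e["direction"] == "outbound"
        and (e["hour"] >= start or e["hour"] < end)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("perimeter rule flags:", [e["user"] for e in perimeter_alerts(evs)])
    print("egress baseline flags:", insider_egress_alerts(evs, BASELINES))
    print("after-hours transfers:", [(e["user"], e["bytes"]) for e in after_hours_transfers(evs)])
```

Run as written, the perimeter rule reports only the outside login failure, while the baseline and after-hours rules both point at the authenticated user who sent roughly 1.8 GB out overnight. The baseline factor and the overnight window are tuning choices; in practice they come from the organisation's own history, which is why the "Collect and Analyze" element above has to come first.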
Critical Security Controls
Turning from the theoretical to the practical, these eight elements need to be combined with an understanding of the cybersecurity techniques that have the greatest impact upon improving an entity’s risk posture against real-world threats. Examples of such practices can be found in the Council on CyberSecurity’s Critical Controls for Effective Cyber Defense and are worth reviewing closely.
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises