Prioritizing Cybersecurity During Organizational Change
The times, they are a changin', as Bob Dylan would say. It's a time of a lot of global change, leading to dramatic shifts in different industries. Organizations have to be agile and change along with it, all while keeping cybersecurity top of mind.
New changes mean new attack vectors
New changes bring new attack vectors, which is why organizations need to stay vigilant during dynamic times. These changes can include:
Acquisitions
Every time a company merges, transitions assets or migrates applications, it's time to stay on high alert. Organizations need to make sure they don't lose key security personnel familiar with the old systems. Institutional knowledge proves invaluable when configuring assets in unfamiliar terrain. Additionally, acquisitions are often very public events, announced as exciting news, which also makes them a tempting target. Attackers essentially get a news alert that they can more easily slip between the cracks during this time of transition, when there is a flurry of activity such as the switch from one platform or ecosystem to another.
Ears should also perk up every time a domain shifts or a new user is added, as common as those things seem. This is when privileges and permissions are being set. It is important to implement the principle of least privilege and ensure users are placed in the right access groups, using role-based rules within an identity governance framework.
Reductions in Force
Identity and Access Management (IAM) tools are key pieces of any organization's security stack. However, the IAM oversight doesn't stop at the door. Done right, it should see employees out the door as well, especially in times of severe lay-offs and reductions in force.
Offboarding can be an emotional event and a time of significant potential risk from ex-employees. Cybersecurity best practices require that knowledge-worker access to valuable accounts be unilaterally revoked upon exit. This includes access privileges to data, software, information, emails, and more. Whether on purpose or by mistake, former employees can wander back into familiar company territory – Salesforce, Google Drive, Outlook – and cause damage.
When it comes to reductions in force – especially on a large scale – policies for deprovisioning are a must. Companies can even offload this to a managed service provider or rely on automation, but this step can't be missed to ensure the safety of an organization.
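One way to check that deprovisioning actually happened, shown as an added example rather than anything from the original article: reconcile the HR exit list against account exports from each application. The user names, dates and record layout are constructed for illustration; real exports will differ per application.

```python
from datetime import date

# Constructed sample data: HR exit records (user -> last working day).
EXITS = {"avega": date(2024, 3, 1), "bchen": date(2024, 3, 1)}

# Constructed per-application account exports:
# (application, user, account enabled?, last login date)
ACCOUNTS = [
    ("Salesforce", "avega", False, date(2024, 2, 27)),
    ("Google Drive", "avega", True, date(2024, 3, 9)),
    ("Outlook", "bchen", True, date(2024, 2, 28)),
    ("Salesforce", "dlopez", True, date(2024, 3, 10)),  # current employee
]

def find_orphaned_access(exits, accounts):
    """Return accounts of departed users that are still enabled
    or that were used after the user's exit date."""
    findings = []
    for app, user, enabled, last_login in accounts:
        exit_day = exits.get(user)
        if exit_day is None:
            continue  # user has not left; out of scope for this check
        used_after_exit = last_login is not None and last_login > exit_day
        if enabled or used_after_exit:
            findings.append({
                "app": app,
                "user": user,
                "enabled": enabled,
                "used_after_exit": used_after_exit,
            })
    # Post-exit logins first: those need investigation, not just revocation.
    findings.sort(key=lambda f: (not f["used_after_exit"], f["app"], f["user"]))
    return findings

if __name__ == "__main__":
    for f in find_orphaned_access(EXITS, ACCOUNTS):
        action = "INVESTIGATE + REVOKE" if f["used_after_exit"] else "REVOKE"
        print(f"{action}: {f['user']} on {f['app']}")
```

Running the same reconciliation on a schedule catches accounts that are re-enabled or created after the initial offboarding pass.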
Adding Assets
Adding new assets to your organization is another key time when security gaps can open up.
There is a risk of misconfiguration with new deployment, and a chance that the misconfigured asset won't get revisited for a long time, at least not in a security sense. Teams also need to take into account how the asset is incorporated into other parts of the environment. This melding could also cause unforeseen security issues, like when new IT mixes with old OT in critical infrastructure sectors. Every new connection creates a new attack vector, and each needs to be taken into account.
Shadow IT is another big example. Departments can download an application for easy use but fail to report the acquisition to IT. That means the proper keys, key management, and security oversight haven't been applied to the application, making it a walking liability.
Maintaining Visibility During Organizational Shifts
Ultimately, even small changes can disrupt the stasis of an IT environment, so it’s no surprise that large changes can greatly disrupt operations. It’s unrealistic to expect these shifts to be without issues, but the important thing is that the organization remains as secure as possible before, during, and after the dust settles. But unless you know what’s going on during these transitions, it’s impossible to spot potential new security weaknesses. Luckily, there are several approaches a company can take to improve visibility.
Vulnerability scanning
No matter where you are in your transitional process, a vulnerability scan can help you get a visual on all your assets and how they might be at risk. These scans provide an ongoing picture of organizational security and can alert you to a sudden area of concern – say you merge with a different department and your post-merger vulnerability scan shows a 35% spike in latent vulnerabilities compared with the scan you performed pre-merger.
It also forces companies to perform an asset inventory, because you can't scan what you can't see. This audit is a good rule of thumb anytime something changes within the organizational structure, as moving is always a time when boxes get lost. Taking account of department or company assets both before and after the transition is key for spotting the differences. Then, a final vulnerability scan after all resources are accounted for is the next step.
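The before-and-after comparison described above, as an added example that is not part of the original article: diff the two inventories, flag assets the post-transition scan never covered, and compute the change in finding counts. Asset names and counts are constructed, chosen so the totals reproduce the 35% spike mentioned in the text.

```python
# Constructed sample data: asset inventories before and after a merger.
INV_BEFORE = {"web-01", "db-01", "build-02"}
INV_AFTER = {"web-01", "db-01", "legacy-crm", "hr-fileshare"}

# Constructed scan results: asset -> number of open findings.
SCAN_BEFORE = {"web-01": 8, "db-01": 12}
SCAN_AFTER = {"web-01": 8, "db-01": 12, "legacy-crm": 7}

def compare_transition(inv_before, inv_after, scan_before, scan_after):
    """Summarize what changed between the pre- and post-transition state."""
    total_before = sum(scan_before.values())
    total_after = sum(scan_after.values())
    # Percent change is undefined when there was no baseline finding count.
    pct = (None if total_before == 0
           else round(100 * (total_after - total_before) / total_before, 1))
    return {
        # New assets that arrived with the transition.
        "added": sorted(inv_after - inv_before),
        # "Lost boxes": inventoried before, unaccounted for afterwards.
        "missing": sorted(inv_before - inv_after),
        # In the inventory but absent from the scan: no visibility at all.
        "unscanned": sorted(inv_after - set(scan_after)),
        "pct_change": pct,
        # Per-asset difference in findings, only where the count moved.
        "delta": {
            asset: count - scan_before.get(asset, 0)
            for asset, count in scan_after.items()
            if count != scan_before.get(asset, 0)
        },
    }

if __name__ == "__main__":
    report = compare_transition(INV_BEFORE, INV_AFTER, SCAN_BEFORE, SCAN_AFTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An unscanned asset means the percentage understates the real change, so the final scan should only be treated as a baseline once that list is empty.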
Pen testing
Once all the vulnerabilities have been found, companies in transition should then see which are the most dangerous and which pose a real threat. This is done through offensive security measures such as penetration testing.
A pen test can not only vet the vulnerabilities, but also check for misconfigurations. This can be done in-house or by an external agency. While in-house testing is convenient, external pen tests can provide a fresh set of eyes to uncover new issues. External pen testing can also give companies access to a team of pen testing professionals who make it their business to be on top of the latest trends, vulnerabilities, and attack methods.
Retesting before and after adding assets is key to checking for new security gaps. What was safe before might not be so secure now that two systems, departments, or companies have mixed.
The Best Time for Cyber Vigilance
A time of transition might be when organizations are tempted to think about cybersecurity the least. But it is when cybercriminals are thinking about it the most. They are well aware of the difficulties involved in merging systems and how it increases the likelihood of misconfigurations and other new attack vectors. They also know that this is when your guard is most likely to be down: access may be granted more easily, teams may be too busy to revoke privileges right away, and new employees may receive broad access before final decisions are made. A good rule of thumb is to stay on the safe side during this time – you can increase privileges, permissions, and access later.
Understanding beforehand that transitions are a time of more, not less, cybersecurity risk makes a huge difference in security culture, buy-in, and results. Teams will be a bit more cautious. SOCs will be on high alert. And cybercriminals will find they're no longer the ones most interested in cybersecurity when it's time for organizational change.