October is Cybersecurity Awareness Month and this year’s theme is “It’s easy to stay safe online.” Some folks might disagree and feel overwhelmed by the plethora of vulnerabilities, threat actors and data breaches that litter the headlines.
But there are plenty of simple things you can do to keep yourself, your data and your company safe online. Over the next few weeks the Reciprocity® Technical Product Management team will regale you with true stories from our careers and provide real world examples of how you can stay safe online.
A Bit About Me
After graduating from college with a degree in Management of Technology, I began to search for my first “real” job. I, like many, took the approach of throwing spaghetti against the wall – I applied for as many jobs as I could that were tangential in any way to my major. I remember driving to one interview thinking, this is the job I am least qualified for but I’ll give it a shot. Sure enough, that was the one that stuck. A few weeks later I began my career as an IT Auditor for an insurance company.
I learned a lot from my time there including the basics of internal audit, the value of log correlation and the camaraderie that comes with hours in the “war room” with stakeholders.
After an MBA, a move across the country and 2 children, I accepted a role leading the audit function at a credit union. This was my first exposure to security compliance and risk management. I quickly learned what PCI compliance meant and the various mechanisms we needed to maintain in order to satisfy those requirements.
But the longer I worked there, the more interested I became in the actual security controls: how do we implement them and how can we make them better? I decided now was the time to make a change. On a leap of faith, I applied for a Lead Information Security Engineer position and got the job.
Lessons From a Lead Information Security Engineer
Before I started at this new company, it had undergone an external security review that documented a lengthy list of improvements, from removing developer access to production to implementing multi-factor authentication. Needless to say, I had my work cut out for me.
But the biggest issue I saw was their access control. Their corporate-wide ERP platform was deployed without any access restrictions. Any employee could log in and see ALL OF THE DATA! This included every employee’s personal information and salary. Yikes! Clearly they didn’t take a risk-first approach to their technology decisions.
Think of your network and systems like your home. You wouldn’t hand out keys to everyone in your neighborhood. You would weigh whether that person actually needs the key against the risk of giving it to them. So why would you open up access to your critical data to everyone in your company? In their defense, it was an oversight by the project deployment team, which brought up a whole different list of issues to address.
Ensuring Proper Access Control
Over the 3 years that followed, I took painstaking steps to reduce those gaps and aligned our organization with ISO 27001. Part of that process included deploying Reciprocity ZenGRC® to monitor our growing list of requirements, assess controls, track findings and implement a risk management program to ensure oversight of all projects and technology deployments. I’m proud to say that we passed our stage 1 and 2 audits with zero findings and obtained our ISO 27001 certification. It was one of the proudest moments of my career.
But access control isn’t just critical to businesses; you can apply the same concepts in your real life. If you’ve ever shared your Netflix password, then you know the risk that comes with open access. So whenever possible, be sure to only grant permissions on a “need to know” (or “need to watch”) basis.
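The ERP gap described above (every logged-in employee could read every record, salary included) and the “need to know” rule boil down to one design choice: deny by default, and grant each role only the fields it needs. The following is an added example written for this post, not code from the company or from Reciprocity; the roles, field names, grant table and sample employee records are all constructed for illustration.

```python
"""Deny-by-default, need-to-know access check over employee records.

Added example, not from the original post. Models the 'before' state
(everyone sees everything) next to a field-level policy in which a
request is allowed only when an explicit grant covers it.
"""
from dataclasses import dataclass, field

# Constructed sample directory (employee id -> record). Not real data.
EMPLOYEES = {
    "e100": {"name": "Ada", "dept": "Finance", "manager": None,
             "salary": 120000, "home_address": "constructed-1"},
    "e200": {"name": "Bob", "dept": "Finance", "manager": "e100",
             "salary": 85000, "home_address": "constructed-2"},
    "e300": {"name": "Cy", "dept": "Engineering", "manager": None,
             "salary": 95000, "home_address": "constructed-3"},
}

# Fields each role may read about OTHER people. Anything not listed is
# denied. This grant table is an assumption made for the example.
FIELD_GRANTS = {
    "employee": {"name", "dept"},                          # directory info only
    "manager": {"name", "dept", "salary"},                 # salary scoped to direct reports
    "hr": {"name", "dept", "salary", "home_address"},
}
# Anyone may read these fields of their OWN record.
SELF_FIELDS = {"name", "dept", "salary", "home_address"}


@dataclass(frozen=True)
class Principal:
    employee_id: str
    roles: frozenset = field(default_factory=frozenset)


def can_read(principal, target_id, field_name):
    """True only if an explicit grant covers (principal, record, field)."""
    if target_id not in EMPLOYEES:
        return False
    if principal.employee_id == target_id:
        return field_name in SELF_FIELDS
    for role in principal.roles:
        if field_name not in FIELD_GRANTS.get(role, set()):
            continue
        # The manager grant is scoped: salary only for that manager's reports.
        if (role == "manager" and field_name == "salary"
                and EMPLOYEES[target_id]["manager"] != principal.employee_id):
            continue
        return True
    return False  # no grant matched: default deny


def view_record(principal, target_id):
    """Project a record down to the fields the principal may see."""
    if target_id not in EMPLOYEES:
        return {}
    return {f: v for f, v in EMPLOYEES[target_id].items()
            if can_read(principal, target_id, f)}


def denied_fields(principal, target_id):
    """Fields withheld from this principal; useful for an access audit log."""
    if target_id not in EMPLOYEES:
        return set()
    return {f for f in EMPLOYEES[target_id] if not can_read(principal, target_id, f)}


def open_access_view(target_id):
    """The 'before' state from the post: any logged-in user sees everything."""
    return dict(EMPLOYEES.get(target_id, {}))


if __name__ == "__main__":
    engineer = Principal("e300", frozenset({"employee"}))
    print("open access:", open_access_view("e200"))
    print("need to know:", view_record(engineer, "e200"))
    print("withheld:", sorted(denied_fields(engineer, "e200")))
```

The point of `can_read` is that the only way to return `True` is through a matching grant; an unknown role, an unlisted field, or a manager asking about someone else’s report all fall through to the final `return False`. Logging `denied_fields` per request is also a cheap detection signal: a spike in denials from one account is worth a look.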
Happy Cybersecurity Awareness Month! Look for more stories from our Technical Product Management team throughout the month that can help you stay safe out there!