Cybersecurity professionals agree that no organization can be 100 percent secure 100 percent of the time. The question is, how do you thwart cybercriminals most of the time, and how do you limit the damage if they do get in?
The answer: layers.
One of the primary values of your computer network is the ability for employees to access resources across the network. Not surprisingly, this is also one of its greatest security weaknesses. The risks are compounded if co-ops don’t actively limit access to their most critical data and systems.
“If everyone has the ‘keys to the kingdom,’ then every access point to the network becomes a liability,” says Cynthia Hsu, NRECA’s cybersecurity program manager.
Experts recommend a combination of people, processes, and technologies to ensure that employees can reach the data they need, but only the data they need. The process, Hsu says, begins by determining what is valuable, where it’s located on the network, and how it’s accessed. Then decide who should be able to get to these assets, and create layers of defenses to limit access based on job responsibilities.
This approach is known as a defense-in-depth strategy. Possible layers of defense include:
- Establishing policies and using technology to enforce the principle of “least privilege”: no user should be allowed administrative or general access to assets and systems on the network unless it’s absolutely needed to perform their job;
- Establishing policies, training staff, and using technology to ensure someone is who they say they are. This includes using strong passwords, updating passwords at least annually, and implementing a two-factor authentication program;
- Using technology to limit unnecessary communications between desktops, laptops, mobile devices, printers, routers, servers, workstations, and other devices;
- Creating separations in your network using internal firewalls or demilitarized zones (DMZs) between critical systems/assets and less-critical systems/assets;
- Using technology to detect threats and filter incoming files to prevent them from reaching end users;
- Regularly patching computers, network equipment, and substation devices and equipment.
Hsu says deploying strong network defense techniques can be disruptive, particularly if employees aren’t supportive of policy changes that limit their access to the internet or certain files or drives. They may question why they’re no longer allowed to download software directly, or why they have to install security systems onto their mobile phones.