IT security: 3 areas to prioritize for the rest of 2022

Even in the last weeks of 2022, there are steps you can take to bolster your organization’s security. Consider this expert advice
1 reader likes this.

As 2022 winds down, it’s tempting to allocate all IT brain power and resources to 2023 planning. But it would be a mistake to assume that there are no remaining agenda items to address this year. The evolving cybersecurity landscape means new vulnerabilities and attack methods are continually emerging.

While combating these threats is undoubtedly a priority for the year ahead, here are three key areas that should be dealt with before you close the door on 2022.

1. Security concerns associated with the Great Resignation

The term “The Great Resignation” was first coined in 2021, and the workforce management trends it refers to have continued this year – and likely will in 2023 and beyond. We must address the socioeconomic problems, gender inequality issues, desire for greater work/life balance, and the other critical concerns raised.

At the same time, organizations must find a way to fill the productivity gaps introduced by the Great Resignation. Increasingly, enterprises are turning to external groups for help. Unfortunately, this practice can introduce new security vulnerabilities.

For example, if consultants use public or unsecured Wi-Fi for business, hackers can access the network. Ideally, encourage consultants to set up a Wi-Fi account to be used solely for their business, separate from the one they use for personal devices or other client work. Given their mobile nature, this is not always possible, but at a minimum, prohibit the use of public or unsecured networks. It’s also a good practice to require that consultants use their VPN to access files or systems if they are not physically in an office.

[ Also read 5 ways to embed privacy compliance into your culture. ]

If companies fail to frequently audit access policies to ensure that external groups can only access the systems they need, this is another avenue that hackers can easily exploit. It’s also essential to immediately cut off access after parting ways with a consultant and periodically confirm that former contractors no longer have access. Ensure an established timeline for auditing access policies – and never allow it to slip.

Addressing password hygiene is another critical consideration. According to the most recent Verizon Data Breach Investigations Report, over 80 percent of hacking incidents involved stolen credentials. And studies have repeatedly shown that at least 71 percent of people reuse passwords. If just one of the sites associated with a reused password has been breached, then all other accounts protected by that password are also at risk.

With workforce management challenges on the horizon for 2023, it’s essential to implement policies and procedures addressing the inherent security vulnerabilities of the Great Resignation.

It’s essential to implement policies and procedures addressing the inherent security vulnerabilities of the Great Resignation.

2. Exploring MFA weaknesses

Another critical IT security trend is hackers increasingly attempting to bypass multi-factor authentication (MFA). This has long been touted as a secure means of authentication – users must present two factors from independent categories of credentials to log in. But threat actors have found a way to get around this.

In August of this year, attackers guessed the password of a dormant Microsoft account and were able to apply their MFA to it, thereby gaining access to the victim’s network. This incident is just one example to underscore that threat actors are increasingly employing methods to bypass the second factor.

We can expect this to increase in the year ahead. All IT leaders should be cognizant of this threat and mandate additional protection around MFA to stay ahead of hackers. Do this by implementing strong device trust to limit or block access from unmanaged or unknown devices.

3. Adopting a risk-based viewpoint

Another item that should remain on your IT security agenda this year is shifting to a risk-based approach for evaluating business deals and vendor agreements. This could entail requesting data about the prospective partner or provider’s cybersecurity posture, event incidents, and cyber insurance coverage.

This approach helps organizations understand any cybersecurity risks posed by their partners and/or vendors so they can take necessary steps to ensure these don’t become an attack avenue for threat actors. Here are a few questions that can help you evaluate your relationships through a security lens:

  • Is the organization aligned with NIST, SABSA, or other security compliance frameworks?
  • Where and how is customer data stored, and is it segmented from company data?
  • Are security technologies such as firewalls, endpoint security, and asset visibility implemented?
  • What internal measures exist to address the risk of insider threats?

The answers to these questions will help determine the strength of a prospective vendor’s security foundation. Given the prevalence of third-party security incidents, always walk away if the responses are less than satisfactory.

Third-party risks are generally top of mind for IT and security teams but less so among other departments. As such, tech leadership must educate all stakeholders on viewing business relationships through a cybersecurity lens.

No substitute for planning

With just a few weeks remaining in 2022, addressing existing cybersecurity concerns is very important.

As the adage states, “There is no substitute for good planning.” Allocating time and resources to the abovementioned areas will give your organization a sure cybersecurity footing to navigate 2023’s new challenges.

[ Discover how priorities are changing. Get the Harvard Business Review Analytic Services report: Maintaining momentum on digital transformation. ]

josh_horwitz_enzoic
Josh Horwitz is an enterprise software executive and entrepreneur with more than 25 years of experience. He is currently the Chief Operating Officer at Enzoic. He was the founder of the cloud-based, enterprise customer-marketing platform Boulder Logic, whose clients included Microsoft, Siemens, Dell, and CSC.