'All your systems audit differently'
Cybersecurity requires commitment from management and skill development from IT.
Randy Romes offers three action items for combating the latest cyberthreats.
Romes, who is principal in charge for CliftonLarsonAllen’s information security services group, presented during a Tuesday breakout session at America's Credit Union Conference, held at Walt Disney World® Resort in Florida.
1. Configure system auditing and logging. “All of your systems audit differently,” Romes says. “You have to know what it is, you have to turn it on, you have to manage it.”
Information technology (IT) departments should understand and document all logging capabilities and ensure all systems are configured to log important information. He says many IT departments are simply overworked and don’t understand the audit capabilities of many systems. Logs should be retained for at least one year, though longer is better.
2. Audit systems for default/weak passwords. Romes says the weakest systems on most networks are printer multifunction devices such as scanners and surveillance cameras. Employee passwords should be at least eight characters with both upper- and lower-case letters, numbers, and symbols.
Credit unions should also provide their employees with password management software. “Employees are just asked to keep too many passwords today,” he says. “Management should make it as convenient as possible for employees.”
3. Test back-up systems. “Penetration testing is designed to validate that things are working the way that you expect,” Romes says. He also described the “so what” factor: If you do find an exception during penetration testing, ask “so what?”
It’s vital to understand the level of risk that vulnerability presents. Again, this requires diligence, training, and knowledge on the part of IT, as well as commitment from management, he says. Romes adds that organizations should do penetration tests at least annually or after any significant change.