TribalNet 2024: The Top 3 Cybersecurity Takeaways
Over the past decade, Native American tribes and tribal enterprises have faced many of the same cybersecurity challenges as other organizations in both public and private sectors.
The main difference, according to Dallas Breckon, federal executive account manager at CDW, is that these challenges go underreported. This is particularly true for instances of ransomware.
“They are being hit much more often than you read about in the news, and some have had to pay out,” Brecken said.
At TribalNet 2024, tribal IT leaders and cybersecurity experts focused heavily on some of the most immediate steps that tribal organizations can take to improve their security posture.
1. Health IT Security Is Built into PATH EHR
On average, a healthcare record is worth $60 on the dark web, compared with just $15 for a Social Security number. Consequently, healthcare organizations are in hackers’ crosshairs, and that includes providers who offer care to tribal communities.
According to Indian Health Service (IHS) CISO Benjamin Koshy, the rollout of PATH EHR will go a long way toward improving security for tribal health organizations.
“Our current version doesn’t really allow centralized management of security; it has to be done at the site level,” Koshy said after a session Wednesday morning. “With a cloud-based EHR, we can manage security and access level centrally, so it takes the burden off the site.”
This level of central oversight would allow IHS to more closely manage and audit user access, which means hospitals, clinics and other care providers no longer have to spend as much time on these tasks.
Still, Koshy urged attendees to use caution when sharing data with third-party providers and provided a laundry list of recommendations that align with zero trust security architecture.
“It’s important to understand how third parties are connecting to your network,” he said. “You want to assess how they are planning to access your system.”
He added that the IHS is eliminating permanent firewall rules and replacing them with timed rules to minimize the attack surface and encouraged healthcare organizations to follow suit.
Other key best practices he recommended include:
Implementing two-factor authentication for all vendors
Vetting any and all third-party IT technicians
Minimizing or eliminating unsupervised vendor access to networks
Implementing continuous monitoring for vendors as they access systems
Evaluating when and where vendors use cloud services, as FedRAMP requirements would not apply to those vendors
2. Cybersecurity Frameworks Are a Hot Topic
“Frameworks are in,” Elijah Cedeno, regional engagement manager at MS-ISAC, said during a session on Tuesday afternoon about security KPIs.
“You need one, but you don't have to recreate the wheel. Dive into a framework that aligns with your organizational needs.”
Cybersecurity frameworks are crucial for knowing what controls to put in place to enforce policies that keep organizations secure.
The National Institute of Standards and Technology’s Cybersecurity Framework and SOC 2 are some of the most common such frameworks, but there are others, and Cedeno suggested that organizations can use best practices such as the CIS Critical Security Controls to develop bespoke frameworks for their organizations.
“A lot of people conflate CIS best practices with a proper framework, and there are some differences,” he said. “But you can use our controls to create a framework that you are comfortable with, as we are vendor agnostic, and framework agnostic.”
3. Cybersecurity KPIs Are Crucial to Improving InfoSec
MS-ISAC’s talk on Tuesday afternoon was primarily about the importance of using cybersecurity key performance indicators to measure success and better define the value of information security to higher-ups within tribal organizations.
“Cybersecurity is not a moneymaking machine,” said Brendan Montagne, engagement program manager at MS-ISAC. “So long as your cybersecurity program is working, nothing is happening.”
After polling the nearly 80 attendees in the room, panelists at this session found that 45% of respondents do not use KPIs to assist tracking and reporting of cybersecurity decisions. Only 14% said they do, while 24% said they partially do and 17% said they were unsure.
The solution to this lack of reporting is to create frameworks and policies, build out controls to enforce them and, crucially, identify KPIs for those controls.
For example, in the case of account management access control, security teams might report on the percentage of enterprise assets that can be accessed with multifactor authentication or on how many failed authentication attempts were documented.
“Thinking about ransomware, thinking about malware, all of these are things that could potentially cost money,” Montagne said. “That is what we're trying to convey to leadership as to why we need to actually spend money and spend dollars and cents on our cybersecurity program.”
Source - https://fedtechmagazine.com/article/2024/09/tribalnet-2024-top-3-cybersecurity-takeaways