Security Starts with Control: Keeping Hackers Out and Trust In
Editor’s Note: As cybersecurity threats become more sophisticated, organizations must adopt a multi-layered approach to safeguard their data and operations. This article highlights critical insights shared at the 2024 NetDiligence Cyber Risk Summit, focusing on access control, employee training, and multifactor authentication (MFA) as critical elements of an effective defense strategy. Drawing on the expertise of Kevin Golas, Managing Director at HaystackID, the piece explores why limiting access to essential information is paramount and how training programs can help employees remain vigilant. Golas also emphasizes the need to adopt MFA before a breach occurs, as it serves as a vital safeguard against account compromises. Readers will get actionable recommendations to help align their security efforts with evolving risks and compliance requirements, ensuring they stay one step ahead of cybercriminals.
By HaystackID Staff
Security controls are more than just technical mechanisms—they form the backbone of an organization’s defense strategy. From firewalls to multifactor authentication (MFA) and access policies, these measures act as gatekeepers and safety nets, minimizing the chances of a breach and mitigating impact when incidents occur. But beyond technology, security controls ensure that businesses can operate confidently amidst ever-changing threats, enabling compliance with regulations like GDPR and HIPAA and safeguarding customer trust. No organization can afford to neglect these controls—doing so exposes them to the cascading consequences of cyberattacks, from financial losses to irreversible reputational damage.
During the NetDiligence Cyber Risk Summit in Philadelphia 2024, moderator Jason Glasgow, SVP at Allied World, asked an audience of cybersecurity experts a pressing question: What is the single most important control a company can implement?
While half the audience highlighted employee training, Kevin Golas, Managing Director at HaystackID, offered a different view—prioritizing access control as the most critical security measure.
“While training is important, access control is the number one [priority] for me,” said Golas. “Hackers always look to escalate privileges. If you put controls around access to critical information, it reduces your risk.”
Why Grant Access to 50 People When 5 Suffice?
Access control is not just about limiting access but ensuring the right people have the right permissions at the right time. Often, companies grant blanket access to new hires within departments to streamline onboarding, resulting in unnecessary exposure.
Golas explained in a recent interview: “If an entry-level engineer joins your company, they shouldn’t have access to every stage of your product development cycle. If five people need access, don’t grant it to 50 [people].”
This over-permissiveness introduces vulnerabilities, especially when employees with excess privileges leave the organization. Access control is not intended to restrict efficiency but to protect data. Without it, sensitive information becomes an easy target for cybercriminals.
Consider the scale of the problem:
- Cyberattacks happen every 39 seconds.
- A data breach in the U.S. costs companies $9.4M on average.
- Cybercrime is projected to cost the world $10.5 trillion by 2025.
Adhering to proper access protocols mitigates risks while ensuring compliance with regulations like HIPAA and GDPR.
Golas aptly noted, “If I don’t have access to data, I can’t become a liability to bad actors who desperately want that information and will go to great lengths to get it.”
Employee Training: Not Second Fiddle, But a Necessary Layer of Defense
While Golas stated access control was his number one priority, he underscored that employee training is indispensable in any comprehensive security strategy and shared protocols that HaystackID has in place to ensure employees are vigilant in identifying threats, including phishing simulations.
“Some phishing emails are incredibly convincing,” Golas explained. “Even as a cybersecurity expert, I’ve had to pause and scrutinize their authenticity. That’s the level of awareness we aim to cultivate across the company.”
At HaystackID, we embed security into our culture through monthly training sessions, thanks to the hard work and diligence of leaders like our Chief Technology Officer, Michael Cammack. These trainings are reinforced by targeted follow-ups that contextualize the training material within our operations. This approach ensures that identifying risks and proactively maintaining our organization’s defenses becomes second nature to every employee at HaystackID.
When paired with robust access control measures, employee training creates a layered defense that strengthens our ability to prevent breaches and mitigate risks.
Multifactor Authentication: A Critical Pillar of Cybersecurity
Beyond access control and employee training, Multifactor Authentication (MFA) is a game-changing security measure. It goes far beyond being just an extra password; it adds a critical layer of protection. A Microsoft report found that “more than 99.9% of compromised accounts don’t have MFA, which leaves them vulnerable to password spray, phishing, and password reuse.”
“When I work with companies post-breach, one of my first questions is, ‘Do you have MFA?’” Golas shared. “More often than not, the answer is ‘no.’ Unfortunately, many organizations delay implementing MFA until after a breach—when it should be a non-negotiable from the start.”
Implementing MFA can drastically reduce vulnerabilities by making it harder for attackers to gain unauthorized access, even if passwords are compromised. However, the key to effective adoption lies in integrating it into the fabric of daily operations.
Some ways to get started with MFA include:
- Prioritize High-Value Systems: Enable MFA on critical platforms such as email, financial applications, and other sensitive systems.
- Lead by Example: Have leadership adopt MFA first to set the tone for the rest of the organization.
- Company-Wide Rollout: Create a phased rollout plan to ease adoption and ensure all employees are supported throughout the transition.
As Golas emphasized, waiting until a breach occurs can be financially and reputationally costly. A proactive MFA strategy mitigates risks and sends a strong message to employees, partners, and clients about your commitment to security.
Tailored Cybersecurity Solutions for Legal Tech
In the legal sector, protecting data isn’t just important—it’s imperative. With companies handling sensitive information daily, HaystackID brings a unique edge by merging cybersecurity expertise with a deep understanding of legal technology.
“Many vendors excel in cyber but lack insight into legal-specific needs,” said Michael D. Sarlo, Chief Innovation Officer and President of Global Investigations and Cyber Incident Response Services at HaystackID. “We operate at the intersection of cyber and legal, leveraging innovative technology, data science, and seasoned experts to handle complex challenges efficiently.”
Through HaystackID’s Cyber Discovery and Incident Response Services, organizations receive comprehensive support, from identifying personal data exposure (PII/PHI) to addressing regulatory compliance during breaches. With solutions focused on data hygiene, HaystackID helps businesses reduce cyber risk while preparing for favorable cyber insurance outcomes.
Cybersecurity Starts with Control
Organizations face unrelenting pressure to guard against cyber risks. Prioritizing access control, adopting MFA, and fostering a culture of ongoing employee training equips businesses with a stronger defense.
Cybersecurity isn’t just about prevention—it requires consistent vigilance and tightly managed access to critical data.
About HaystackID®
HaystackID® specializes in solving complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, the HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by ReviewRight®. Recognized globally by industry leaders like Chambers, Gartner, IDC, and Legaltech News, HaystackID prioritizes security, privacy, and integrity in its innovative solutions for leading companies and legal practices worldwide.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID