As government agencies comply with the COVID-19 quarantine guidelines and allow their employees to work from home, many IT and security leaders are uneasy. Unlike workers in other industries, most federal workers have largely conducted business within the four walls of their agency’s office under the close supervision of IT and security professionals. The pandemic ups the ante, as cyber criminals are not only trying to steal information and credentials, but they’re also deploying a dynamic mixture of attacks that spread misinformation and erode public trust.
With government agencies moving to remote work so quickly, it’s important to protect and support employees as much as possible through training, adoption and security initiatives. Rather than trying to deploy a comprehensive security strategy on the fly, government agencies should focus on three key areas: email-based attacks, malicious insiders and patch management.
Email is Cyber Criminals’ Favorite Channel
As federal, state and local agencies have become more reliant on email for day-to-day operations, cyber criminals have launched increasingly sophisticated attacks in this channel. Cyber criminals can impersonate high-ranking officials, business applications, third-party contractors or even charitable organizations to trick people into sharing credentials or sending them money, or to deliver malware. Mailboxes are made vulnerable through risky behaviors, weak passwords, and a lack of multi-factor authentication.
Risky behaviors could include—but are not limited to—auto-forwarding to external email addresses, owning access rights to more than five other mailboxes, and accessing mailboxes of other departments. Monitoring employees’ mailbox practices can help IT and security teams better train employees and proactively secure sensitive information before anything bad happens. In addition, being aware of unusual email activity prevents targeted spam or social-engineering tactics common among today’s cybersecurity threats.
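The three risky behaviors listed above can be checked mechanically against a mailbox inventory. The sketch below is an added example, not code from the author or from any product; the record layout, the `agency.example` domain and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AGENCY_DOMAINS = {"agency.example"}  # assumption: domains the agency owns
MAX_DELEGATED = 5                    # the article's threshold: "more than five"

@dataclass
class Mailbox:
    owner: str
    department: str
    forward_to: Optional[str] = None  # auto-forward target, if any
    # (mailbox, department) pairs this user holds access rights on
    delegated: List[Tuple[str, str]] = field(default_factory=list)

def is_external(address: str) -> bool:
    """True when the address is outside every agency domain and subdomain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in AGENCY_DOMAINS)

def risky_behaviors(mb: Mailbox) -> List[str]:
    findings = []
    if mb.forward_to and is_external(mb.forward_to):
        findings.append("external-auto-forward")
    if len(mb.delegated) > MAX_DELEGATED:
        findings.append("excessive-mailbox-access")
    if any(dept != mb.department for _, dept in mb.delegated):
        findings.append("cross-department-access")
    return findings

def audit(mailboxes: List[Mailbox]) -> dict:
    """Map each owner with at least one finding to their list of findings."""
    report = {mb.owner: risky_behaviors(mb) for mb in mailboxes}
    return {owner: f for owner, f in report.items() if f}

# Constructed sample inventory (not real data)
SAMPLE = [
    Mailbox("alice", "finance", forward_to="alice@mail.agency.example"),
    Mailbox("bob", "hr", forward_to="bob.home@mail.example.net",
            delegated=[("hr-shared@agency.example", "hr")]),
    Mailbox("carol", "it",
            delegated=[(f"it-queue{i}@agency.example", "it") for i in range(6)]),
    # Domain only starts with the agency name, so it must count as external
    Mailbox("dave", "finance", forward_to="dave@agency.example.invalid",
            delegated=[("legal-intake@agency.example", "legal")]),
]

if __name__ == "__main__":
    for owner, findings in audit(SAMPLE).items():
        print(owner, findings)
```

The domain comparison matches on the full suffix, so a subdomain of the agency counts as internal while a look-alike domain that merely begins with the agency's name is still reported as external.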
Threats Aren’t Just External
Data breaches are more likely to be caused by a current employee than a cyber criminal. This isn’t to say that everyone should be treated like a spy. Instead, IT and security leaders must understand that the likelihood of someone copying the wrong person on an email that contains sensitive information rises exponentially in a fully remote digital workplace.
Many agencies fall victim to the assumption that IT personnel are inherently trustworthy, and so give these workers higher-level privileges than they need. However, as the phrase goes, “Who is watching the watchers?” Employees given too much access are often the source of breaches, and it’s not necessarily intentional.
The first defense against insider threats is using role-based access control to only grant privileges that are absolutely needed for each IT employee. For non-IT employees, such control used in conjunction with least privilege access policies could help agencies minimize risk and track who is accessing specific files to prevent inappropriate sharing of data and other malfeasance.
Patch Management Basics
Most successful breaches are against unpatched or legacy computers. Keeping device operating systems and applications updated is critical to establishing a proper cybersecurity foundation. Government workers’ devices are not always updated, which is the equivalent of leaving the front door of a bank vault open and hoping robbers don’t steal money. Systems are only secure if they are patched and using up-to-date modern software, including operating systems. Keeping software patches and antivirus tools up to date requires that IT knows, and can validate, the configuration of desktop computers, laptops, and mobile devices, as well as the software that is installed and used by workers.
Mobile devices have the same concerns. During this crisis, many government-related employees working from home are using a variety of devices to connect to the corporate network to access the information they need for their jobs.
Government agencies aren’t likely to adopt a 100%-remote work policy, but it’s not unreasonable to think that a “new normal” workplace culture for many modern businesses may emerge after the pandemic passes. Balancing agencies’ security requirements with employee needs is delicate, but it gets easier with experience. Government IT and security leaders should view the current environment of ‘forced’ remote work as a pilot to help in their larger digital transformation plans that are currently underway.
Michael Morrison is chief executive officer for CoreView.