Agencies Need a New Cybersecurity Approach Following Breaches

In the past 90 days alone, several major attacks on federal agencies have made the news. Foreign state actors used anti-virus software to steal sensitive material on U.S. cybersecurity capabilities from one government agency, and another agency reported a breach that may have enabled hackers to trade on — and profit from — insider information.

Additionally, the 2016 Federal Information Security Management Act of 2014 report foundmore than 30,000 data security incidents last year. All of these developments underscore not only the critical importance of cybersecurity, but also that agencies need a different approach if they want to implement and maintain effective security.

Cisco’s 2017 Annual Cybersecurity Report found that the majority (54 percent) of public sector organizations still take a project-based approach to purchasing security solutions. This is a reactionary approach and addresses problems only after they occur. However, by establishing a proactive cybersecurity strategy, leaders can shorten time to detection, respond to security events faster and better mitigate the impact of a breach.

When bad actors attack, it’s to access specific types of information they want to exploit (such as classified documents or corporate data). Thus, agencies must first know what information they have, where it’s located on the network, how it’s normally used internally and externally, and how best to secure it. This process (risk assessment) is key to mitigating the risks associated with agencies housing valuable information.

Take Stock of High-Value Assets

So, what information do bad actors want from an agency?

Examples include Social Security numbers, intellectual property, research, healthcare records, student loan information, classified information and trading information — anything that can be sold for a profit to foreign or domestic agents of chaos. Bad actors are motivated by information that can be exploited for financial or geopolitical gain. Agencies must think like hackers and assess their information with an eye toward its value.

The relevant question becomes: Is the risk associated with that information worth an additional security investment, or is there room for risk management?

Establish How Data Is Shared and Used on Agency Networks

Once an agency has identified its most valuable information, it should then examine how that information is being used.

Is that data being shared among departments, within a specific group of employees, with anyone outside the agency? Is it stored within the network or in an outside cloud service? The answers to these questions will inform a baseline of normality that can serve to easily identify abnormal patterns.

Knowing how and by whom the information is being used can also help an agency identify potential vulnerabilities. For instance, if a certain employee group primarily accesses the information remotely, then the agency might consider improving its mobile security protocols. An agency’s risk assessment and risk tolerance will inform which policies and IT systems to prioritize, so it can better identify, contain and defeat attacks.

The Tools and Policies Agencies Need to Protect Themselves

To better protect their most valued information, agencies should:

• Use risk assessments to determine risk tolerance. Coordinate with industry experts to assist with assessing key vulnerabilities in the agency’s network.
• Minimize “shadow IT.” Work with IT and security teams to “bring into the fold” all stakeholders, integrating their own tools, devices and connections.
• Implement strategies to prevent unauthorized access, quickly identify and shut down breaches, and assess/minimize the damage.
• Use best practices to ensure both physical and digital security.
• Build in intelligence, integration, visibility and predictive analytics through automation and smart tools. Leverage lessons learned and best practices from industry, particularly from commercial entities with similar network profiles.
• Apply best practices such as device and traffic segmentation and use of a multitenant network infrastructure to isolate problems.
• Keep systems current.
• Educate everyone (employees, partners, vendors) about security practices and policies.

Additionally, agencies should ensure all valuable information complies with appropriate federal security regulations, whether that is regulations from the National Institute of Standards and Technology, the Health Insurance Portability and Accountability Act or cloud security regulations from the General Services Administration’s Federal Risk and Authorization Management Program.

For example, in June 2017 the Federal Trade Commission released new guidelines for how manufacturers should inform customers about device security, including whether and how devices can receive security updates.

Put the Right Cybersecurity Foot Forward

Finally, agencies should create a practical cybersecurity strategy that optimizes time and IT security resources.

The best way to do this is through an architectural approach that breaks down functional silos and engages the CISO to create a unified and policy-based security architecture across the agency.

First, ensure that agency stakeholders are aware of data security risks. Then, communicate the necessary policies to best mitigate these risks. This will ensure that all stakeholders see the same value in the agency’s information and understand the practical cybersecurity protocols.

Once an agency identifies its valuable information, understands how that information is used and pinpoints ways to protect that information, it can then execute against a cybersecurity strategy that proactively responds to security events and best mitigates the impact of breaches.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.