According to the US Office of Management and Budget, federal agencies reported 30,899 cybersecurity incidents to the Department of Homeland Security last year. Threats are evolving across multiple vectors as the number of potential entry points expands exponentially with the proliferation of connected devices and the Internet of Things (IoT). IHS Markit predicts that the number of connected devices will increase from 15.4 billion in 2015 to 30.7 billion by 2020, and 75.4 billion by 2025.
Last fall, the Mirai botnet recruited connected devices such as webcams and DVRs to disrupt websites including Spotify, Twitter, and PayPal. Also last year, white hat security researchers demonstrated how to execute a ransomware attack on smart thermostats, and cyberattacks on the Ukraine electric grid have been carried out over the past two years.
Given this new world of connected devices and sensors, cyber hygiene can no longer be limited to basic endpoint security, firewalls, and two-factor authentication. Public sector agencies need strong security strategies that fit into their organization’s broader digital plan.
Develop a cyber plan, but strategically
Cisco’s 2017 Annual Security Report found that the majority (54%) of public sector organizations still take a project-based approach to purchasing security solutions. Conversely, the public sector lags behind the private sector in taking an enterprise architecture approach to cybersecurity purchasing – just 28% of agencies compared to 38% of private sector organizations.
This delta indicates that most public sector cybersecurity decisions are being driven by reactions to security incidents rather than by a proactive, strategic approach that’s part of a larger security plan.
Agencies that aren’t incorporating security into their IT strategy at the ground level are essentially playing checkers (reactive) when today’s environment requires them to be playing chess (preemptive). Truly effective cybersecurity requires an integrated, flexible architecture with an approach that balances all the elements – technology, processes, and people.
Embracing secure technology
Last year, NIST introduced Special Publication 800-160: Systems Security Engineering. The new guidelines emphasized that security must be engineered – built in – to IT software and connected devices from the beginning, rather than “bolted on” later.
Four aspects of systems engineering that would enhance security for agencies include:
- Designing IoT devices that force consumers to change the default passwords as soon as they are connected to the network
- Encouraging public-private partnerships among agencies and industry security providers to monitor for and stop unusual traffic among network devices
- Eliminating hard-coded security credentials that could provide a “back door” to attackers
- Enabling remote updates and patches
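The first, third and fourth points above can be expressed as enforceable device behaviour. The following is an added illustration, not code from the article or from any Cisco product: a minimal model of an IoT device that keeps its network services disabled until the factory-default credential has been rotated, rejects replacement passwords drawn from a known-default list, and accepts a remote patch only after verifying an integrity tag. The default-credential list is constructed sample data, and the HMAC-based patch check with a per-device key stands in for a proper signature scheme.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample of factory-default credentials of the kind botnets
# such as Mirai rely on; a real device would ship its own list.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
MIN_PASSWORD_LEN = 12  # assumed policy value

@dataclass
class DeviceState:
    username: str = "admin"
    password_hash: str = ""  # empty means the factory default is still in place
    salt: str = field(default_factory=lambda: secrets.token_hex(8))
    services_enabled: bool = False

def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

def is_factory_default(state: DeviceState) -> bool:
    return state.password_hash == ""

def set_password(state: DeviceState, new_password: str) -> bool:
    """Rotate the credential; refuse known defaults and short passwords."""
    if (state.username, new_password) in KNOWN_DEFAULTS:
        return False
    if len(new_password) < MIN_PASSWORD_LEN:
        return False
    state.password_hash = _hash(new_password, state.salt)
    return True

def enable_network_services(state: DeviceState) -> bool:
    """Gate: remote services stay off while the factory credential remains."""
    if is_factory_default(state):
        return False
    state.services_enabled = True
    return True

def make_update_tag(payload: bytes, device_key: bytes) -> str:
    """Tag a firmware payload; in practice this is done by the vendor's signer."""
    return hmac.new(device_key, payload, hashlib.sha256).hexdigest()

def verify_update(payload: bytes, tag: str, device_key: bytes) -> bool:
    """Apply a remote patch only if its tag matches (constant-time compare)."""
    return hmac.compare_digest(make_update_tag(payload, device_key), tag)
```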
But incorporating security technologies cannot be just an afterthought. Rather, security needs to be a part of the strategic digital plan rather than an impulse response to the latest breach.
Developing and refining processes
NIST’s revised 2017 Cybersecurity Framework notes its very definition of “risk management” is the “ongoing process of identifying, assessing, and responding to risk.”
The key phrase here is “ongoing process” – a continual journey of measuring, evaluating, and refining systems and protocols to ensure proper protection before an attack takes place. This gets to the core of the issue, that proactive cybersecurity is an iterative process of improvement rather than the mere execution of a checklist.
The approach agencies take dictates how security technologies and critical processes are implemented and adapted over time. Being proactive is imperative to limiting risk and responding to threats.
Put another way, effective cyber risk management requires an architecture that enables planning two or three moves ahead (chess) and provides the flexibility to adapt, rather than a culture of simply responding to threats as they occur (checkers).
Don’t forget about the people
Among public sector respondents, Cisco’s 2017 Annual Security Report found that two of the top five hurdles to adopting advanced cybersecurity technologies related to people: organizational culture and attitudes about security, and a lack of trained personnel.
Agencies must focus not only on physical IT modernization through the procurement process, but also weave cybersecurity into the fabric of the organizational culture. No matter how extensive an agency’s security protocols, they are useless in the absence of proper training, buy-in, and active use by the employees themselves.
Cybersecurity is thought of as a technology issue, but at its core people still execute the attacks and develop the defenses. New technology is great, but new thinking and strategy are equally important.
The game of security should be one of chess, not checkers. With possible internal and external weak points abundant, public sector agencies need to be strategic instead of reactive with their security, creating an ongoing process that fits into their organization’s broader digital plan. There is a lot to think about: finding the right security technology and the right security procedures, and onboarding the entire agency so that everyone understands how security should be viewed. However, an agency with a security-first mindset that sees security as an enabler will be able to embrace the best security strategy for its digital future.
Will Ash is Senior Director of Security, U.S. Public Sector, for Cisco.