Insight by Keeper Security

Zero trust requires securing the human element

For decades, cybersecurity meant securing data and endpoints from any number of threats. But what often got left by the wayside was the human element. The shift...

This content is sponsored by Keeper Security.

The federal government has undergone a seismic shift in prioritizing cybersecurity over the past few years. Not only has cybersecurity gained more attention across organizations, going from an IT problem to a whole-of-government problem, but the focus has also shifted. For decades, cybersecurity meant securing data and endpoints from any number of threats. The human element was not at the forefront for cybersecurity initiatives. The shift to zero trust is an acknowledgement of that.

Hanna Wong, director for public sector at Keeper Security, said Verizon’s 2021 DBIR found that 85% of data breaches involve the human element. The White House’s budget request outlines $10.9 billion in cybersecurity-related spending in 2023, including funding for agencies to shift toward “zero trust” security architecture, which reflects this emerging need for human-centric cybersecurity.

“Securing the human element is the zero trust tenet, ‘never trust, always verify,’” Wong said. “So particularly with a distributed workforce, federal employees and contractors are no longer within the castle walls, as they say; now they’re connecting to secure databases and mission critical data from networks with minimal or non-existent security. Needing to secure that element has been exacerbated by the pandemic. With employees working from home, or in a hybrid model, the necessity to continuously provide that zero trust requirement of identity and access in their network and workload is paramount.”

For example, Wong said, one of the recent ransomware attacks happened because a previous contractor’s credentials were never removed from the system. That’s part of what the Cybersecurity Maturity Model Certification requirements address and work to mitigate. Federal agencies realized the need for visibility into how contractors are handling controlled unclassified information. Phishing, compromised credentials and privileged access are some of the most common vectors for cyberattacks. Federal agencies needed to get more proactive.

That means former employees and contractors need to be removed from the system. All employees need to undergo phishing training. And multifactor authentication is one of the top best practices throughout industry, Wong said. It could resolve the risk of a lot of these data breaches.

“I like to emphasize that multifactor authentication can provide that preventative measure. But being able to enforce it is the big part. The visibility of who is adopting MFA is going to be very important for an agency,” Wong said. “There’s also monitoring the dark web. To securely monitor the dark web in tandem with the zero trust, zero knowledge requirements for credentials will further strengthen an organization’s security posture. Having that report live, knowing which employees are at risk, having automated security audits, knowing what credentials are out in the dark web or for sale, without ever compromising the actual credential itself, may be a huge difference in protecting the human element from those data breaches.”

One major challenge to implementing these measures is that government is often slower to adopt than industry. The risk tolerance in agencies is much lower, and the funding is more restricted. That adds up to less capacity to experiment than industry. But the silver lining is that government can benefit from industry’s investments.

But agencies have to be willing to learn and adopt those methods. That requires a behavioral and cultural shift, a rethinking of how employees and contractors have access. It’s going to take a shift in how they verify. If you make it difficult to adopt, they won’t do it; agencies have to ensure that new verification technology is easy for all users.

One thing that can help promote adoption is real-time analytics.

“Real-time analytics would allow IT security teams to see how these security measures are being rolled out to the wider organizations,” Wong said. “An IT security team needs to have visibility, they need to be able to see who has access where, who is reusing passwords, who is using the same password across multiple systems, because that compromises and makes the organization far more vulnerable. So being able to see who’s doing that, being able to get a security audit is very important in order to mitigate the risk and prevent any vulnerabilities from being used by cyber criminals.”

And having that ability is only the first step. Integrating it with identity, credential and access management solutions can help agencies take immediate action on compromised credentials, such as forcing a password reset as soon as continuous monitoring flags a vulnerability.

“It’s all about mitigating risk,” Wong said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust, Federal News NetworkTelework

    What the UK gets about remote work that the US doesn’t

    Read more
    APUSPS Delivery Changes

    Postal union calls for Open Season extension after members see enrollment issues

    Read more