Federal IT professionals feel that threats posed by careless or malicious insiders and foreign governments are at an all-time high, yet network administrators and security managers feel like they’re in a better position to manage these threats.
Those are two of the key takeaways from a recent SolarWinds federal cybersecurity survey, which asked 200 federal government IT decision makers and influencers their impressions regarding the current security landscape.
The findings showed that enterprising hackers are becoming increasingly focused on agencies’ primary assets: Their people. On the bright side, agencies feel more confident to handle risk thanks to better security controls and government-mandated frameworks.
Let’s dive into these two issues and discover some of the key takeaways.
IT security threats posed by careless or untrained insiders and nation states have risen substantially over the past five years. Sixty-six percent of survey respondents said things have improved or are under control when it comes to malicious threats, but when asked about careless or accidental insiders, that number decreased to 58%.
Indeed, hackers have seen the value in targeting agencies’ employees. People can be careless and make mistakes — it’s just human nature. Hackers are getting better at exploiting these vulnerabilities through simple tactics like phishing attacks and stealing or guessing passwords. Many government employees aren’t necessarily technically savvy or aware of their agencies’ security policies, making them easy marks. The most vulnerable are those with access to the most sensitive data.
There are a number of strategies agencies should consider to even the playing field.
Firstly, ongoing training must be a top priority. All staff members should be hyper aware of the realities their agencies are facing, including the potential for a breach and what they can do to stop it. Simply creating unique and undetectable passwords or reporting suspicious emails might be enough to save the organization from a perilous data breach. Agency security policies must be updated and shared with the entire organization on at least once a month, if not more. Emails can help relay this information, but live meetings are much better at conveying urgency and importance.
Employing a policy of zero trust is also important. It’s not that agency workers are bad people, but everyone makes mistakes once in a while. Data access must be limited to those who need it and security controls, such as access rights management, should be deployed to monitor and manage that access.
Finally, agencies must implement automated monitoring solutions to help security managers understand what is taking place on their network at all times. They can detect when a person begins trying to access data they normally wouldn’t attempt to retrieve, or that they do not have authorization to view. Or perhaps when someone in China is using the login credentials of an agency employee based in Virginia. Threat monitoring and log and event management tools can flag these incidents, and that makes them essential for every security manager’s toolbox.
VA adopts DevOps, agile methodology to improve cybersecurity
Frameworks and best practices being embraced, and working
Most survey respondents believe they are making progress managing risk, thanks in part to government mandates. This is a sharp change from the 2017 cybersecurity report, when more than half of the respondents indicated that regulations and mandates posed a challenge. Clearly, agencies are starting to get used to — and see benefits from — programs like the Risk Management Framework (RMF) and Cybersecurity Framework.
The truth is that there’s always been an interesting tug of war between cost and governance. Much like corporations, agencies understand the importance of putting processes in place to better protect their data, but there’s always the not insignificant matter of budget. How much are we willing to spend to make this happen? How much is too much? Or, perhaps even more worrisome, are we willing to just assume the risk and be OK with it?
These frameworks address these questions by making security a fundamental component of government IT and provide a roadmap on how to do it right. With frameworks like the RMF, developing a better security hygiene isn’t a matter of “should we do this?” but a matter of “here’s how we need to do this.” The frameworks and guidelines bring order to chaos by giving agencies the basic direction and necessities they need to protect themselves and, by extension, the country.
While there may have been some grousing about the mandates last year, or at least questions about how best to implement them, people are now recognizing them for what they are: Beneficial and necessary.
A new cold war
It’s encouraging that this year’s survey respondents appear to be emboldened by their cybersecurity efforts. Armed with better tools, guidelines and knowledge, they’re in a prime position to defend their agencies against those who would seek to infiltrate and do harm.
But it’s also clear that this is a battle that’s only just beginning. As hackers get smarter, and new technologies become available, it’s incumbent upon agency IT professionals to not rest on their laurels. We’re entering into what some might consider a cyber cold war, with each side stocking up to one-up the other. To win this arms race, federal security managers must continue to be innovative, proactive and smarter than their adversaries.
Jim Hansen is the vice president of products, security and application management for SolarWinds.