If the past year taught us anything, it’s that we still have a lot of work to do when it comes to shoring up our government’s cybersecurity. We learned that adversaries know how to adapt and evolve, refining their methods to make them more sophisticated than ever. According to Okta’s recent Government 2020 study, COVID-related spear phishing attacks rose more than 677%, proving that attackers are shifting their mentality to prey on pandemic fears and telework environments.
The SolarWinds hack, one of the largest in the 21st century, is only the latest in a seemingly never-ending series of cyberattacks. It’s time for government agencies to redefine their approach to security. They need to double down on the basic principles and address not just technical challenges, but also cultural barriers that stand in the way of a safer and secure remote workforce.
According to the U.S. Office of Personnel Management’s annual report to Congress on the status of telework in the federal government, only 42% of federal employees were eligible to telework prior to the pandemic. The rapid shift to remote work requires a shift in mentality – a deeper understanding of security and the serious implications of poor security strategy. In a remote work environment, security can’t be an afterthought.
As more government organizations move citizen services to mobile and cloud-based platforms, many are realizing the value of implementing security concepts like Zero Trust, identity access management (IAM) and multi-factor authentication (MFA) to protect devices connecting to government networks – yet the idea of questioning and validating the authenticity of those accessing various parts of the network should extend beyond the technology.
The global pandemic required major societal shifts that are critical in stopping the spread of the COVID-19 virus. Social distancing, hand-washing and mask-wearing are recommended actions that, when implemented collectively as a society, can slow the spread of the virus, with the ultimate goal of herd immunity—when a large portion of a community becomes immune to a disease.
The same concept applies in cybersecurity. What’s missing within government today is a stronger cultural focus on minimizing risk across organizations. All security leaders have a shared responsibility to adapt and remain vigilant in the face of ever-growing complexity, and that includes molding a culture of shared security concerns to build greater threat immunity. Agencies must build security into the DNA of their digital architecture. Successful digital transformation isn’t possible when cybersecurity is not built within.
Those that had already embraced security as a culture were well-positioned at the beginning of the pandemic to adapt to the mass telework that followed. Going forward, the biggest thing laggards should prioritize is keeping cyber strategies top of mind and treating them like a first-class citizen.
From the communications and contract specialists to the employees in human resources and beyond, everyone in the organization needs to practice good cyber hygiene—not simply the IT personnel. As security leaders, we have to make this process as easy as possible to get people to embrace security best practices across the organization.
Building a cultural foundation
Getting individuals to embrace security starts with making it easy for them to do so. Building a positive end-user experience into every application and portal makes security easy. It’s also a powerful step toward reaching the goal of cyber herd immunity. For example, no employee will enjoy spending 10 minutes logging into a video call because of an overly restrictive protocol for joining morning meetings.
IT stacks, and by extension security stacks, have become too complex and too unwieldy, and are ripe for exposure. Security is everyone’s responsibility, so the less friction and the fewer pointless steps we create, the more effortless and second nature safe habits become among teams.
As we saw this year, health awareness campaigns are a key prevention tactic for public health agencies. Likewise, creating awareness and educating employees about security risks, vulnerabilities, and scams is an easy first step toward building a new cyber mindset for all parts of an organization. With a solid security culture, organizations can most efficiently execute common security strategies like zero trust and MFA.
Executing fundamental technology goals
The zero trust framework is a concept that’s been around for years, dating back to the writings of the Jericho Forum in 2005. The approach ensures the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously — all without adding friction for the user. With no end in sight for mass telework, agencies shouldn’t wait any longer to put this model into action.
By focusing on access management and credentials, security leaders can mitigate risk in the weak and vulnerable areas that malicious actors look to exploit. Make sure to follow best practices for securing credentials, including guidance and alerts from the NSA, CISA, NIST and other agencies. For example, the NSA recently released guidance that detailed steps for locking down the use of service principals, such as auditing the creation and use of service principal credentials.
Additionally, enabling MFA is a crucial step for the basic health of security operations. Adaptive MFA that responds to risk and context should be deployed wherever possible—not just for privileged users. This is the stepping stone to stronger, more secure password-less authentication at agencies. With the average cost of a data breach reaching $3.86M, implementing adaptive multi-factor authentication reduces risks to an organization by 75%.
In 2021, the “new normal” is now just normal, and security leaders need to continue to adapt in the face of evolving workforce conditions. Use this new year as an opportunity to harden the security defenses that protect agencies, employees and constituents. But also remember that a successful cybersecurity strategy goes beyond the technical foundation. When we as leaders implement a culture where we focus on education and awareness, and make it easier for all employees to follow basic security protocol, we can achieve cyber herd immunity and reduce the impact of future incidents.
Sean Frazier is the Federal Chief Security Officer at Okta