Now more than a year past President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, federal agencies are ramping up efforts to achieve its mandates, including building a zero trust architecture.
Federal Chief Information Security Officer Chris DeRusha recently testified before Congress that cyber officials have made “tremendous progress” in implementing elements of the cyber EO. However, one government watchdog sounded an alarm, warning that zero trust runs the risk of becoming an “incomplete experiment — a collection of disjointed technical security projects.”
The cyber EO was a call to action against the increasing volume and severity of cyberattacks targeting government and critical infrastructure and aligned agencies under the same cybersecurity objectives. However, it missed an opportunity, one that could help ensure that it doesn’t become an incomplete experiment. That opportunity lies in directly addressing the human element as an essential cyber defense.
The human element in cybersecurity
Cyber attackers know that people are often the weakest link in cyber defenses. In fact, 88% of breaches are caused by human error. Attackers take advantage of human frailty through phishing and other social engineering tactics that manipulate employees and contractors into clicking on an email, opening an attachment, or sharing personal information. Once that happens, the virtual door is open for bad actors to unleash ransomware and other types of malware onto the system.
These types of attacks are on the rise. New research from Zscaler shows that phishing attempts against government agencies have increased 110% from 2020 to 2021. The Cybersecurity and Infrastructure Security Agency warns that 90% of successful cyberattacks start with a phishing email.
Phishing has become so lucrative that savvy cybercriminals are offering “phishing-as-a-service,” providing everything needed to launch a large-scale phishing attack easily and quickly. Phishing-as-a-service lowers the financial and technical barriers for bad actors wanting to wreak havoc on agency operations.
Technology will only take you so far in protecting federal systems. Federal agencies must incorporate the human element into their zero trust implementation plans to fully secure their networks.
The three front lines of cyber defense
Three audiences within federal agencies play a critical role in the success — or failure — of zero trust and other cyber EO mandates. These audiences need to be engaged and their unique challenges must be addressed in order to achieve cybersecurity success.
1. Technology teams
Federal technology teams were stretched thin before the meteoric rise in cyberattacks. They are now faced with implementing new technology in an environment that is still mostly remote, and in a job market where hiring and retaining new talent is extremely challenging.
Teams dealing with legacy technology issues often find themselves working reactively rather than proactively. Their top priority is fixing problems, and they lack the time and resources to learn about and implement new security features and functionality.
Technology leaders can overcome these issues by educating their teams on the building-block nature of zero trust. Most agencies are already using zero trust elements. They have segmentation, they have role-based access control, they have some form of identity management. Zero trust can be achieved by building on the security protocols the agency already has in place.
CISA’s Zero Trust Maturity Model supports technology teams in explaining the “how” of zero trust implementation. It recognizes that each agency is on its own path and supports agencies in building their own plan to reach full zero trust security.
2. Leaders
Change is hard, and it must be driven by leaders both within and outside of technology organizations who champion cybersecurity. Leaders can rally the team around working collectively to keep information protected and secure, building a cybersecurity mindset across the agency.
That mindset is no different than our thought process about physical buildings. There was a time when people walked freely into federal office buildings; there were no metal detectors or ID badges to open secure doors. Those things have become second nature to federal workers now because they understand the need to secure these physical spaces.
With a cybersecurity mindset, employees actively think about cybersecurity, and won’t be so quick to fall for phishing attempts.
3. Employees and contractors
Cyber attackers are continually evolving their tactics, making it harder to defend against every breach attempt. That’s why end-user education about phishing and other social engineering tactics is essential. This training should be required and ongoing, and the IT department should send out warning emails that flag phishing campaigns targeting their own organization.
It’s also important to educate users across the organization about new security protocols: What is being done, why, and the role each person plays in upholding the protocols. The only way to get value from new technology is to ensure that it is understood and accepted.
By helping employees understand the need for cybersecurity protections — just like the need for physical security protections in some federal buildings — they will become allies on the journey to zero trust and help ensure that it is not an incomplete experiment.
Danny Connelly is the CISO for the Americas at Zscaler, a cloud security company and zero trust leader.