Prioritizing vulnerabilities to fight cyberthreats
- By Greg Kushto
- Oct 25, 2016
With technology rapidly evolving in federal agencies, better managing cyberthreats is ever more urgent and challenging. Where should cybersecurity professionals start, after all, when everyone and everything is connected?
To stay a step ahead of adversaries -- of which there are all too many -- federal IT decision makers must step back from their day-to-day routines and prioritize vulnerabilities. Luckily (or perhaps unluckily), the first priority rarely changes.
Priority #1: End users
While federal agencies do a great job at improving cyber awareness among employees, end users will always be an agency’s weakest link. Their unpredictability and their access to internal and external networks make them the most obvious risk. We’ve heard stories of soldiers on covert military operations who’ve uploaded photos containing GPS information to social media, consequently exposing their positions to anyone with the know-how and motivation.
Agencies must recognize that telling people to be more aware of security can only be so effective. Putting up blockades and hoping they suffice will meet with failure. People -- even the most loyal employees -- can find ways around them.
The trick is enabling end users to make secure decisions by giving them secure ways to do their work. If employees want to take work home, for instance, set up a secure cloud platform so they aren’t forced to send potentially sensitive information to unsecure personal email addresses.
Priority #2: Data
Data risk is always present: It can neither be fixed nor eliminated -- only understood and mitigated. Sharing data outside a network creates a number of vulnerabilities, including exposure to loss and hacking.
To mitigate risk, IT managers must accept its existence and then endeavor to understand and pre-empt it. Regular discussion and analysis of organizational data -- understanding how data is used and processed, where it is stored, who has access and, importantly, who cares about it -- can help create a balance between business efficiencies and security.
Without a close look at an agency’s internal data, it’s almost impossible to know what to protect and how.
Priority #3: IT budget
The IT budget is both a source of threat protection and a vulnerability in itself. Agencies must analyze the refresh cycles on their hardware and software to ensure they remain updated.
Organizations that delay patching and updates to old software and hardware because of funding or resource shortages make their legacy technologies points of access for cyber criminals.
Neglected refresh cycles can lead to cyber risks, even in printers. Offices everywhere have printers that haven’t been updated in five or 10 years. Most are connected to a network, but have no security controls. Meanwhile, opportunistic criminals can hack these printers to gain access to otherwise secure networks.
Federal IT systems face constant threats and attacks from both insiders and outsiders. IT decision makers must regularly remove themselves from day-to-day tasks to understand where their energies are best spent or risk falling victim when a cyber threat becomes a very real, very present danger.
Greg Kushto is director of security and enterprise networking at Force 3.