Prioritizing vulnerabilities to fight cyberthreats


Prioritizing vulnerabilities to fight cyberthreats

With technology rapidly evolving in federal agencies, better managing cyberthreats is ever more urgent and challenging. Where should cybersecurity professionals start, after all, when everyone and everything is connected?

To stay a step ahead of adversaries -- of which there are all too many -- federal IT decision makers must step back from their day-to-day routines and  prioritize vulnerabilities. Luckily (or perhaps unluckily), the first priority rarely changes.

Priority #1: End users

While federal agencies do a great job at improving cyber awareness among employees, end users will always be an agency’s weakest link. Their unpredictability and their access to internal and external networks make them the most obvious risk. We’ve heard stories of soldiers on covert military operations who’ve uploaded photos to social media that containing GPS information, consequently exposing their positions to anyone with the know-how and motivation.

Agencies must recognize that telling people to be more aware of security can only be so effective. Putting up blockades and hoping they suffice will meet with failure. People -- even the most loyal employees -- can find ways around them.

The trick is enabling end users to make secure decisions by giving them secure ways to do their work. If employees want to take work home, for instance, set up  a secure cloud platform so they aren’t forced to send potentially sensitive information to unsecure personal email addresses.

Priority #2: Data

Data risk is always present:  It can neither be fixed nor eliminated -- only understood and mitigated. Sharing data outside a network creates a number of vulnerabilities, including to loss and hacking.

To mitigate risk, IT managers must accept its existence and then endeavor to understand and pre-empt it. Regular discussion and analysis of organizational data –  understanding how data is used and processed, where it is stored, who has access and, importantly, who cares about it --  can help create a balance between business efficiencies and security.

Without a close look at an agency’s internal data, it’s almost impossible to know what to protect and how.

Priority #3: IT budget

The IT budget is both a source of threat protection and a vulnerability in itself. Agencies must analyze the refresh cycles on their hardware and software to ensure they remain updated.

Organizations that delay patching and updates  to old software and hardware because of funding or resource shortages make their legacy technologies points of access for cyber criminals.

Neglected refresh cycles can lead to cyber risks, even in printers. Offices everywhere have printers that haven’t been updated in five or 10 years. Most are connected to a network, but have no security controls. Meanwhile, opportunistic criminals can hack  these printers to gain access to otherwise secure networks.

Federal IT systems face constant threats and attacks from both insiders and outsiders. IT decision makers must regularly remove themselves from day-to-day tasks to understand where their energies are best spent or risk falling victim when a cyber threat becomes a very real, very present danger.

About the Author

Greg Kushto is director of security and enterprise networking at Force 3.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected