How federal agencies can avoid 5 common cyber risks
Federal agencies are under constant attack by malicious actors and, quite often, inadvertently by their own employees. In 2018, federal agencies were hit by more than 31,000 attacks, according to a report from the Office of Management and Budget (OMB). That’s an average of 85 attacks every day.
According to the OMB, the most frequent attack vectors are email and phishing incidents, web-based attacks, and loss or theft of equipment. Further challenges to effective threat mitigation come from complex federal IT environments, where legacy IT operates alongside modern and emerging technologies; growing demand for mobile solutions; cloud-based technologies; and the desire to employ emerging technologies such as machine learning and artificial intelligence.
The takeaway? Constantly evolving threats, unending attacks, rapid technological change, pervasive interconnectivity, and an increasing dependence on technology and data make securing federal information and infrastructure a federal priority and imperative. The internal and external threats to applications, systems, and data continue to grow in frequency, scope, and sophistication, and they require every federal agency to identify, prioritize, and manage cyber risks across its ecosystem, as well as those of other government agencies, third-party partners, and supply chains. Threat deterrence is an initiative that involves people, processes, and knowledge – not just technology.
Here’s a look at five cybersecurity threats that government agencies are likely to face in the coming year, and, most importantly, how to avoid them.
As in the private sector, federal agencies rely on supply-chain and third-party partners to get things done in supporting their mission and objectives. It’s a critical partnership, but it’s fraught with potential peril. Increasingly, nation-state hackers are targeting U.S. government contractors to exfiltrate sensitive data and to access federal networks.
To guard against intrusion, the U.S. National Institute of Standards and Technology (NIST) recommends that agencies carefully assess supply-chain and security capabilities of their vendors, including:
- Malware protection and detection safeguards
- Awareness of current vulnerabilities
- Incident response and recovery plans
- Threat detection and managed response
- Physical security measures
- Security throughout the software and hardware design process
Suggested action: Expert assessment of contractor capabilities
Agencies should conduct in-depth assessments of cybersecurity capabilities of all contractors – from janitorial services to aerospace engineers – and put mitigation plans in place to remediate high-risk vendors that may not have adequate safeguards in place.
Many federal agencies rely on decades-old legacy applications to keep the wheels of government moving. But these systems are incompatible with current and emerging platforms like cloud computing, machine learning, and artificial intelligence – as well as current and evolving cybersecurity technologies.
Modernization is a complex process that typically spans several years. Risks include system downtime, productivity loss, and outright project failure. Once updated, applications can be connected to modern networks and endpoints, but doing so inevitably expands the attack surface.
The federal government has developed guidelines to help secure modernized systems. The Trusted Internet Connections initiative, for example, can help improve security of external network connections. Similarly, the National Cybersecurity Protection System encourages inter-agency collaboration to strengthen security. But the government offers no systematic framework for securing newly modernized applications.
Suggested action: Security from the start
Successful modernization requires that cybersecurity be prioritized at the outset.
Agencies should understand the security gaps in modernization initiatives and implement up-to-the-minute technology, policies, and procedures. Agencies should also securely integrate interfaces, disparate data formats, and multiple networks.
Some of the most damaging cyberattacks exploit human vulnerabilities to infiltrate networks and data. Social engineering hacks succeed largely because employees, being the weakest link in the cybersecurity chain, lack awareness of current threats and basic security hygiene.
Yet many agencies don’t make the connection between threat awareness and intrusion prevention. Proper (and regular) training can help avert vulnerabilities like phishing, ransomware, and weak passwords. It can also mitigate loss or theft of phones and laptops. To be effective, training programs should be based on current, specific threats and extend to all employees and third-party contractors (and subcontractors). Additional specialized role-based training should be provided to employees who have super user or privileged access to IT assets.
Suggested action: Gain threat awareness with training
Agencies should develop individual programs that engage employees in preventing attacks. In addition to basic security hygiene, the programs should address individual requirements for appropriate use of technology and data. Tools such as tabletop exercises and email campaigns based on authentic scenarios should be included in hygiene programs.
A recent study found that many federal entities have not fully implemented a comprehensive security risk-management program, nor have they unified enterprise risk management (ERM) with IT security threat programs.
Alignment of ERM and IT risk strategies is critical because today’s cyberthreats can be as damaging as traditional financial and operational risks. A unified front can help identify the agency’s singular appetite for risk and address how it will assess, respond to, and monitor threats and associated impact. It can also help mitigate security consequences such as lost productivity, lower revenues, system downtime, reputational damage, and remediation costs.
Suggested action: A unified front against cyber risks
Implement a risk-management methodology that uses qualitative and quantitative metrics to evaluate the likelihood, potential consequences, and velocity of risks. Organizations should identify and prioritize current threats and design risk-prevention and mitigation processes. The goal is to unify security and ERM programs to reduce the impact of incidents – and ultimately make cybersecurity a business enabler.
As the volume of data multiplies, so too does an agency’s attack surface. Yet many organizations cannot effectively protect their data because they simply don’t understand what information they store and how they use it.
Compounding matters, federal entities share data among a patchwork of inadequately integrated government systems. Disparate, disconnected interfaces and APIs can increase the risk of system compromise and data loss. And as data sources and formats expand, security-monitoring technologies may be unable to analyze and track new data formats. Addressing these risks will require that agencies identify and catalog all data collected, stored, transmitted, processed, and retained.
Suggested action: Data as a strategic asset
Develop strategies to secure data and create common-ground sharing agreements among federal entities. Best practices include data mapping and assessments across the information life cycle to identify all data. Entities should also catalog data to determine its value, context, and lineage. This approach enables agencies to leverage data as a strategic asset.
Bhavesh Vadhani, Principal, Cybersecurity and Privacy
Bill Hughes, Partner, Federal Market Leader, Government and Public Sector
Deborah Nitka, Manager, Cybersecurity and Privacy