How federal agencies can avoid 5 common cyber risks
Federal agencies are under constant attack by malicious actors and, quite often, inadvertently by their own employees. In 2018, federal agencies were hit by more than 31,000 attacks, according to a report from the Office of Management and Budget (OMB). That’s an average of 85 attacks every day.
According to the OMB, the most frequent attack vectors are email and phishing incidents, web-based attacks, and loss or theft of equipment. Further challenges to effective threat migration come from complex federal IT environments, where legacy IT operates alongside modern and emerging technologies; growing demand for mobile solutions; cloud-based technologies; and the desire to employ emerging technologies such as machine learning and artificial intelligence.
The takeaway? Constantly-evolving threats, unending attacks, rapid technological change, pervasive interconnectivity, and an increasing dependence on technology and data make securing federal information and infrastructure a federal priority and imperative. The internal and external threats to applications, systems, and data continue to grow in frequency, scope, and sophistication, and they require every federal agency to identify, prioritize, and manage cyber risks across its ecosystem, as well as those of other government agencies, third-party partners, and supply chains. Threat deterrence is an initiative that involves people, processes, and knowledge – not just technology.
Here’s a look at five cybersecurity threats that government agencies are likely to face in the coming year, and, most importantly, how to avoid them.
1. Vendor vulnerabilities extend to agencies
As in the private sector, federal agencies rely on supply-chain and third-party partners to get things done in supporting their mission and objectives. It’s a critical partnership, but it’s fraught with potential peril. Increasingly, nation-state hackers are targeting U.S. government contractors to exfiltrate sensitive data and to access federal networks.
To guard against intrusion, the U.S. National Institute of Standards and Technology (NIST) recommends that agencies carefully assess supply-chain and security capabilities of their vendors, including:
-Malware protection and detection safeguards
-Awareness of current vulnerabilities
-Incident response and recovery plans
-Threat detection and managed response
-Physical security measures
-Security throughout the software and hardware design process
Suggested action: Expert assessment of contractor capabilities
Agencies should conduct in-depth assessments of cybersecurity capabilities of all contractors –from janitorial services to aerospace engineers – and put mitigation plans in place to remediate high-risk vendors that may not have adequate safeguards in place.
2. Modernized systems, multiplied risks
Many federal agencies rely on decades-old legacy applications to keep the wheels of government moving. But these systems are incompatible with current and emerging platforms like cloud computing, machine learning, and artificial intelligence – as well as current and evolving cybersecurity technologies.
Modernization is a complex process that typically spans several years. Risks include system downtime, productivity loss, and outright project failure. Once updated, applications can be connected to modern networks and endpoints, but doing so inevitably expands the attack surface.
The federal government has developed guidelines to help secure modernized systems. The Trusted Internet Connections initiative, for example, can help improve security of external network connections. Similarly, the National Cybersecurity Protection System encourages inter-agency collaboration to strengthen security. But the government offers no systematic framework for securing newly modernized applications.
Suggested action: Security from the start
Successful modernization requires that cybersecurity be prioritized at the onset.
Agencies should understand the security gaps in modernization initiatives and implement up-to-the-minute technology, policies, and procedures. Agencies should also securely integrate interfaces, disparate data formats, and multiple networks.
3. Infiltration via employee exploits
Some of the most damaging cyberattacks exploit human vulnerabilities to infiltrate networks and data. Social engineering hacks succeed largely because employees, being the weakest link in the cybersecurity chain, lack awareness of current threats and basic security hygiene.
Yet many agencies don’t make the connection between threat awareness and intrusion prevention. Proper (and regular) training can help avert vulnerabilities like phishing, ransomware, and weak passwords. It can also mitigate loss or theft of phones and laptops. To be effective, training programs should be based on current, specific threats and extend to all employees and third-party contractors (and subcontractors). Additional specialized role-based training should be provided to employees who have super user or privileged access to IT assets.
Suggested action: Gain threat awareness with training
Agencies should develop individual programs that engage employees in preventing attacks. In addition to basic security hygiene, the programs should address individual requirements for appropriate use of technology and data. Tools such as tabletop exercises and email campaigns based on authentic scenarios should be included hygiene programs.
4. Disconnected risk management cannot address threats
A recent study found that many federal entities have not fully implemented a comprehensive security risk-management program, nor have they unified enterprise risk management (ERM) with IT security threat programs.
Alignment of ERM and IT risk strategies is critical because today’s cyberthreats can be as damaging as traditional financial and operational risks. A unified front can help identify the agency’s singular appetite for risk and address how it will assess, respond to, and monitor threats and associated impact. It can also help mitigate security consequences such as lost productivity, lower revenues, system downtime, reputational damage, and remediation costs.
Suggested action: A unified front against cyber risks
Implement a risk-management methodology that uses qualitative and quantitative metrics to evaluate the likelihood, potential consequences, and velocity of risks. Organizations should identify and prioritize current threats and design risk-prevention and mitigation processes. The goal is to unify security and ERM programs to reduce the impact of incidents – and ultimately make cybersecurity a business enabler.
5. More data begets more risks
As the volume of data multiplies, so too does an agency’s attack surface. Yet many organizations cannot effectively protect their data because they simply don’t understand what information they store and how they use it.
Compounding matters, federal entities share data among a patchwork of inadequately integrated government systems. Disparate, disconnected interfaces and APIs can increase the risk of system compromise and data loss. And as data sources and formats expand, security-monitoring technologies may be unable to analyze and track new data formats. Addressing these risks will require that agencies identify and catalog all data collected, stored, transmitted, processed, and retained.
Suggested action: Data as a strategic asset
Develop strategies to secure data and create common-ground sharing agreements among federal entities. Best practices include data mapping and assessments across the information life cycle to identify all data. Entities should also catalog data to determine its value, context, and lineage. This approach enables agencies to leverage data as a strategic asset.
InsightBest Bites: December GovCon Lunch & Learn on CMMC, other security rulesBhavesh VadhaniCohnReznick’s December 2019 GovCon Lunch & Learn presented perspectives on DOD’s new Cybersecurity Maturity Model Certification. Click to learn more
Insight6 internal audit areas of focus for 2020George GallingerIn 2020, set resolutions to prioritize internal audit, build out your business plans, and support your long-term objectives. Click to get started.
InsightNot concerned about the CCPA? If you receive Personal Information from California businesses, you probably should be.Alison BirdAs the Jan. 1 effective date of the California Consumer Privacy Act (CCPA) gets closer, don’t make the potentially costly mistake of assuming it doesn’t apply to you. Though the CCPA directly covers entities that collect Personal Information from California consumers, those entities must pass certain CCPA requirements through to their “service providers.” A failure to be prepared for those requirements could put you at a serious competitive disadvantage.
InsightHarness the power of data analytics to optimize your internal audit functionToday’s chief audit executives face unique challenges stemming from the frenetic pace of market changes, emerging technologies, and other environmental dynamics.