Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Greg Kushto
Greg Kushto
Connect Directly
E-Mail vvv

4 Security Lessons Federal IT Pros Can Teach the Private Sector

With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here's how.

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an Internet connection can now launch a cyberattack from anywhere in the world by just pressing a button.

How can IT professionals effectively stretch their limited resources across their entire security domain? This is a dilemma that federal agencies have been dealing with for decades, and their solutions are something that anyone building a security infrastructure in the private sector should consider.

Lesson 1: Focus on the Fundamentals
Government agencies are responsible for some of the most sensitive information on the globe. What makes public sector cybersecurity more effective than a private enterprise with five times their overall IT operating budget? They know where to focus their limited resources, and they do the heavy work up front.

Private sector IT teams often fall victim to a common problem: being reactive instead of proactive in their approach to cybersecurity. In many cases, it's only after a breach that a company will decide it's finally time to invest in security infrastructure. Unfortunately, by that point, the goal is no longer to prevent an attack. It's to prevent it from happening again.

This reactive approach in the private sector often stems from the notion that since the organization has never been attacked before, there is no reason to spend precious resources planning for something that may not happen at all. With competing IT priorities, private sector organizations often choose to put off spending money on security tools, especially with competing IT priorities.

The reality, of course, is that no organization can afford to wait. Worse, an organization that holds off on creating a robust security infrastructure until it is hit by its first attack will spend much more time and resources remediating the threat than it would have spent preventing the threat. By 2021, cybercrime will be a $6 trillion industry. Organizations should do all they can now to avoid becoming a part of that statistic.

Lesson 2: Know Your Weaknesses
Every organization or business has unique vulnerabilities. Security teams should focus their cybersecurity efforts on the weakest areas to get the most out of their security investments.

For example, ransomware attacks usually target small and midsize businesses, local governments, and other organizations without strong backup strategies in place. Conversely, most small and midsize businesses will never need to worry about being the focus of an attack signature coming out of a foreign nation-state. For the US government, however, counter-intelligence is a constant threat.

With a little research and some basic planning, organizations can triage potential threats and immediately make huge strides in protecting against the most prominent cybersecurity concerns facing them and their industry.

Lesson 3: Create a Culture Around Security
Protecting citizen data and other sensitive information is a core part of the mission for most federal agencies, and everyone who interacts with that data is responsible for it — not just the IT team. Federal employees all recognize security concerns. Private sector organizations have a tendency to silo security, making protection the job of a select few. However, as the saying goes, a chain is only as strong as its weakest link, and every person in the organization represents a link.

Conversely, not having a mutual understanding of security culture across the organization can become problematic quickly. For example, it's easier today than ever before for just about anyone to procure working space outside of their organization's environment, whether that be spinning up an Amazon Web Services spot, creating a shared drive, or opening up a survey. Each of these instances opens up another attack surface that an organization's IT team may not even be aware of. Everyone, including federal agencies, can do better at preventing shadow IT on their networks by getting out in front of it with bring-your-own-device policies and regular communication with the business around IT needs and priorities.

In addition to having a strong internal culture of security, the federal government makes a habit of sharing information externally, not only with its own government sector but across the whole of government. Private enterprises often shy away from being public about security breaches or they work only with similar businesses to share security information. The problem with this approach is that security teams are unaware of many avoidable security threats that could have been stopped with a larger and more open communication network.

Lesson 4: Take Advantage of Security Resources
The government has dedicated a significant amount of resources to develop security guidelines that are publicly available. Examples include the NIST Special Publication series that deals with issues in cybersecurity policy and procedures, the NIST Cyber Security Framework, which gives a great example of how to create an overall security architecture, and US CERT, an agency which provides ongoing updates around current cybersecurity issues. Anyone can review these guidelines and get solid recommendations on how to build a cybersecurity framework, how to staff it, and how to maintain it. These resources are a great place for organizations to start and will go a long way toward keeping them safe from cyberattacks and security breaches. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
10/25/2019 | 11:03:43 AM
Three Lessons --What about the second 3?
Ummm, if there are two #3 lessons, shouldn't there be 4 lessons total?  Or 3 lessons just sounds better than 4?
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.