10:30 AM
Greg Kushto

4 Security Lessons Federal IT Pros Can Teach the Private Sector

With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here's how.

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an Internet connection can now launch a cyberattack from anywhere in the world by just pressing a button.

How can IT professionals effectively stretch their limited resources across their entire security domain? This is a dilemma that federal agencies have been dealing with for decades, and their solutions are something that anyone building a security infrastructure in the private sector should consider.

Lesson 1: Focus on the Fundamentals
Government agencies are responsible for some of the most sensitive information on the globe. What makes public sector cybersecurity more effective than that of a private enterprise with five times the overall IT operating budget? Agencies know where to focus their limited resources, and they do the heavy work up front.

Private sector IT teams often fall victim to a common problem: being reactive instead of proactive in their approach to cybersecurity. In many cases, it's only after a breach that a company will decide it's finally time to invest in security infrastructure. Unfortunately, by that point, the goal is no longer to prevent an attack. It's to prevent it from happening again.

This reactive approach in the private sector often stems from the notion that since the organization has never been attacked before, there is no reason to spend precious resources planning for something that may not happen at all. With competing IT priorities, private sector organizations often choose to put off spending money on security tools.

The reality, of course, is that no organization can afford to wait. Worse, an organization that holds off on creating a robust security infrastructure until it is hit by its first attack will spend much more time and resources remediating the threat than it would have spent preventing the threat. By 2021, cybercrime will be a $6 trillion industry. Organizations should do all they can now to avoid becoming a part of that statistic.

Lesson 2: Know Your Weaknesses
Every organization or business has unique vulnerabilities. Security teams should focus their cybersecurity efforts on the weakest areas to get the most out of their security investments.

For example, ransomware attacks usually target small and midsize businesses, local governments, and other organizations without strong backup strategies in place. Conversely, most small and midsize businesses will never need to worry about being the focus of an attack signature coming out of a foreign nation-state. For the US government, however, counter-intelligence is a constant threat.

With a little research and some basic planning, organizations can triage potential threats and immediately make huge strides in protecting against the most prominent cybersecurity concerns facing them and their industry.

Lesson 3: Create a Culture Around Security
Protecting citizen data and other sensitive information is a core part of the mission for most federal agencies, and everyone who interacts with that data is responsible for it — not just the IT team. Federal employees all recognize security concerns. Private sector organizations have a tendency to silo security, making protection the job of a select few. However, as the saying goes, a chain is only as strong as its weakest link, and every person in the organization represents a link.

Conversely, not having a mutual understanding of security culture across the organization can become problematic quickly. For example, it's easier today than ever before for just about anyone to procure working space outside of their organization's environment, whether that be spinning up an Amazon Web Services spot, creating a shared drive, or opening up a survey. Each of these instances opens up another attack surface that an organization's IT team may not even be aware of. Everyone, including federal agencies, can do better at preventing shadow IT on their networks by getting out in front of it with bring-your-own-device policies and regular communication with the business around IT needs and priorities.

In addition to having a strong internal culture of security, the federal government makes a habit of sharing information externally, not only with its own government sector but across the whole of government. Private enterprises often shy away from being public about security breaches or they work only with similar businesses to share security information. The problem with this approach is that security teams are unaware of many avoidable security threats that could have been stopped with a larger and more open communication network.

Lesson 4: Take Advantage of Security Resources
The government has dedicated a significant amount of resources to developing security guidelines that are publicly available. Examples include the NIST Special Publication series, which deals with issues in cybersecurity policy and procedures; the NIST Cyber Security Framework, which gives a great example of how to create an overall security architecture; and US-CERT, an agency that provides ongoing updates around current cybersecurity issues. Anyone can review these guidelines and get solid recommendations on how to build a cybersecurity framework, how to staff it, and how to maintain it. These resources are a great place for organizations to start and will go a long way toward keeping them safe from cyberattacks and security breaches.


Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...

Marilyn Cohodas,
User Rank: Strategist
10/25/2019 | 11:21:56 AM
Re: Three Lessons --What about the second 3?
So noted! (good catch) Fixing typo now. 
User Rank: Moderator
10/25/2019 | 11:03:43 AM
Three Lessons --What about the second 3?
Ummm, if there are two #3 lessons, shouldn't there be 4 lessons total?  Or 3 lessons just sounds better than 4?