Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/25/2019
10:30 AM
Greg Kushto
Greg Kushto
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Security Lessons Federal IT Pros Can Teach the Private Sector

With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here's how.

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an Internet connection can now launch a cyberattack from anywhere in the world by just pressing a button.

How can IT professionals effectively stretch their limited resources across their entire security domain? This is a dilemma that federal agencies have been dealing with for decades, and their solutions are something that anyone building a security infrastructure in the private sector should consider.

Lesson 1: Focus on the Fundamentals
Government agencies are responsible for some of the most sensitive information on the globe. What makes public sector cybersecurity more effective than a private enterprise with five times their overall IT operating budget? They know where to focus their limited resources, and they do the heavy work up front.

Private sector IT teams often fall victim to a common problem: being reactive instead of proactive in their approach to cybersecurity. In many cases, it's only after a breach that a company will decide it's finally time to invest in security infrastructure. Unfortunately, by that point, the goal is no longer to prevent an attack. It's to prevent it from happening again.

This reactive approach in the private sector often stems from the notion that since the organization has never been attacked before, there is no reason to spend precious resources planning for something that may not happen at all. With competing IT priorities, private sector organizations often choose to put off spending money on security tools, especially with competing IT priorities.

The reality, of course, is that no organization can afford to wait. Worse, an organization that holds off on creating a robust security infrastructure until it is hit by its first attack will spend much more time and resources remediating the threat than it would have spent preventing the threat. By 2021, cybercrime will be a $6 trillion industry. Organizations should do all they can now to avoid becoming a part of that statistic.

Lesson 2: Know Your Weaknesses
Every organization or business has unique vulnerabilities. Security teams should focus their cybersecurity efforts on the weakest areas to get the most out of their security investments.

For example, ransomware attacks usually target small and midsize businesses, local governments, and other organizations without strong backup strategies in place. Conversely, most small and midsize businesses will never need to worry about being the focus of an attack signature coming out of a foreign nation-state. For the US government, however, counter-intelligence is a constant threat.

With a little research and some basic planning, organizations can triage potential threats and immediately make huge strides in protecting against the most prominent cybersecurity concerns facing them and their industry.

Lesson 3: Create a Culture Around Security
Protecting citizen data and other sensitive information is a core part of the mission for most federal agencies, and everyone who interacts with that data is responsible for it — not just the IT team. Federal employees all recognize security concerns. Private sector organizations have a tendency to silo security, making protection the job of a select few. However, as the saying goes, a chain is only as strong as its weakest link, and every person in the organization represents a link.

Conversely, not having a mutual understanding of security culture across the organization can become problematic quickly. For example, it's easier today than ever before for just about anyone to procure working space outside of their organization's environment, whether that be spinning up an Amazon Web Services spot, creating a shared drive, or opening up a survey. Each of these instances opens up another attack surface that an organization's IT team may not even be aware of. Everyone, including federal agencies, can do better at preventing shadow IT on their networks by getting out in front of it with bring-your-own-device policies and regular communication with the business around IT needs and priorities.

In addition to having a strong internal culture of security, the federal government makes a habit of sharing information externally, not only with its own government sector but across the whole of government. Private enterprises often shy away from being public about security breaches or they work only with similar businesses to share security information. The problem with this approach is that security teams are unaware of many avoidable security threats that could have been stopped with a larger and more open communication network.

Lesson 4: Take Advantage of Security Resources
The government has dedicated a significant amount of resources to develop security guidelines that are publicly available. Examples include the NIST Special Publication series that deals with issues in cybersecurity policy and procedures, the NIST Cyber Security Framework, which gives a great example of how to create an overall security architecture, and US CERT, an agency which provides ongoing updates around current cybersecurity issues. Anyone can review these guidelines and get solid recommendations on how to build a cybersecurity framework, how to staff it, and how to maintain it. These resources are a great place for organizations to start and will go a long way toward keeping them safe from cyberattacks and security breaches. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/25/2019 | 11:21:56 AM
Re: Three Lessons --What about the second 3?
So noted! (good catch) Fixing typo now. 
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Moderator
10/25/2019 | 11:03:43 AM
Three Lessons --What about the second 3?
Ummm, if there are two #3 lessons, shouldn't there be 4 lessons total?  Or 3 lessons just sounds better than 4?
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15815
PUBLISHED: 2019-11-12
ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.
CVE-2019-17360
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 allows an unauthenticated remote user to trigger a denial of service (DoS) condition because of Uncontrolled Resource Consumption.
CVE-2018-21026
PUBLISHED: 2019-11-12
A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.6.5-00 allows an unauthenticated remote user to read internal information.
CVE-2012-1572
PUBLISHED: 2019-11-12
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
CVE-2019-17234
PUBLISHED: 2019-11-12
includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.