Protecting government entities from cyber attacks
By Rob Rudloff
Recently, the U.S. federal government suffered its largest cyber and data breach, which reportedly compromised the personal and financial information of over 21 million current and former employees. With the rising risks and costs of cyber security and with the sensitive and important nature of government data, understanding how to protect your entity, municipality or school is critical.
One disturbing phenomenon that has grown exponentially over the past decade is social engineering – the use of human assets and vulnerabilities to try to break into systems. Examples include hackers calling people to try to gain information, picking up access codes or entry cards by “shoulder surfing” employees, sending phishing e-mails or placing calls asking users to update computers or software – all in order to gain context or credentials for hacking into your systems. Phishing e-mail attacks are increasingly sophisticated and include methods to bypass e-mail filtering, so significantly more convincing e-mails reach the end user.
Getting serious about cybersecurity
Cyber risk must be managed as an ongoing organization-wide concern, not just an IT issue. The first step is to admit that the threat is real and your organization could be a target.
Protecting your organization against attacks is certainly possible, but it requires focus, vigilance and a sprinkling of paranoia. First, determine what is known about your entity’s data, where and how it is accessed, and how it is protected.
- Develop a clear snapshot of your sensitive information. Identify what sensitive information exists that hackers would be interested in, where you store this information, who has access to the data, and how this data and your technology systems are protected. It is also critical to understand how you will become aware of a security event or breach, so that you can limit downtime or the amount of information accessed.
- Limit your exposure by reviewing all contracts for issues that could expose cyber vulnerability, especially vendor contracts with data centers, cloud and software providers, IT specialists, and other outside suppliers with access to your internal systems. Regularly review your entity’s cyber liability insurance coverage to determine whether coverage is appropriate and determine what risks you should avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
- Safeguard your data with a layered defense approach, so that if any one layer is compromised, the additional controls can still provide protection and detection capabilities. This begins with a secure physical environment; restrict and monitor access to physical areas. Maintain secure destruction of paper and media, including PC and USB drives, servers, copiers, etc. Understand your inventory of hardware, software, and applications so you can recognize something out of the ordinary. Install and update antivirus and anti-malware protection regularly. Decide who receives mobile devices and set up protocols for how and when they are used. Understanding how information moves into, through, and out of your organization is essential to assessing security vulnerabilities.
Prevention is a continuous process
Ongoing vigilance can be one of your most effective tools against cyber threats. Continuously educating and training employees is critical to combat the daily threats delivered via e-mail and malicious websites.
Performing periodic assessments of the environment based on risks and threats can be extremely useful to understand where weaknesses may exist and how the security infrastructure detects and prevents attacks. Continuously identify and deploy new solutions to secure your data as your environment and the threats change. Consider developing a “red team” comprised of IT specialists who try to hack into your systems. This is a good way to identify vulnerabilities and determine where an “open door” may exist.
Overall, a sustained focus on cyber security is imperative. It’s more important than ever to communicate with leadership and employees, adapt to the ever-changing threat environment, and monitor and test your systems. These are all pieces of the cyber security puzzle designed to minimize your risk and impact.
Rob Rudloff, CISSP, ISSMP, MBA, is partner-in-charge of the Cyber Security Risk Services at RubinBrown, one of the nation’s top 50 accounting and business consulting firms. Rob has more than 20 years of IT experience, previously serving at the Pentagon and National Security Agency in an information security role.