High profile security breaches continue to lead the news each week. Atlanta was the latest municipality to report a high impact security event with the loss of core city services for an extended period. Baltimore’s 911 system was impacted by a ransomware event that moved them to manual processes while the ransomware was contained and remediated. Privacy issues have come to light with the Facebook data that was shared with Cambridge Analytica.
Last year a group called the Shadow Brokers obtained leaked NSA tools that leveraged vulnerabilities in everything from smart TVs to Windows services. The WannaCry event had a major impact worldwide in the private and public sector. Malicious actors have used malware to insert Bitcoin mining scripts into public websites to profit from the computing power of website visitors.
The public sector is responsible for the management and security of its constituents’ data. The only way to minimize risk and maximize security in the public sector is to build a cyber security ecosystem that puts security and privacy at the forefront of all technology decisions and architecture.
Some of the basics for every cyber security ecosystem include a formal position like a CISO (Chief Information Security Officer) to manage organizational risk and develop and maintain a strategic plan for cyber security. Endpoint protection like anti-malware and anti-virus solutions along with strong password enforcement are part of the basic protection that every organization should have in place. Cyber insurance policies should be based on the total exposure and risk of the organization. A SIEM (Security Information and Event Management) system should be in place and monitoring and alerting 24/7. The Principle of Least Privilege and encryption of data should be applied. An up-to-date incident response plan should be reviewed annually and available to staff offline.
Stay Current and Patch Regularly
Are your operating systems, databases, languages, and applications current? When the WannaCry event hit, many organizations spent an entire weekend doing emergency patching and upgrades to older systems. The unlucky organizations spent the weekend restoring from backups first, and then doing emergency patching and upgrades to older systems. The public sector has traditionally lagged behind the private sector in technology modernization. New threats and vulnerabilities make modernization a mandatory strategy that needs to be incorporated into all public sector technology roadmaps. Operating systems and databases need to be kept up to date to ensure that the latest security patches can be applied and risk can be kept at a minimum. Cloud services can automate processes to reduce the patching and upgrade workload for public sector IT staff.
Custom legacy applications require additional effort to secure, and assessment of risk and vulnerabilities is the responsibility of the organization that developed them. What appears secure and safe today may not be the case tomorrow as risks and vulnerabilities evolve rapidly. Custom legacy applications can be replaced or moved to cloud platforms that provide more elaborate security layers like Salesforce, Microsoft Azure, AWS, or Google. A technology ecosystem needs to adopt standards with these platforms that can simplify development of custom applications when they are needed and reduce overall risk.
Governance and ITIL
A strong IT governance program and best practices from the ITIL (Information Technology Infrastructure Library) framework are an important part of a secure technology ecosystem. Formal IT governance standards will ensure new technology solutions align with the rest of the technologies in use and can be operated securely. Best practices from the ITIL framework will maintain controls on change management to prevent unauthorized changes to firewalls, servers, or other systems that can pose significant risks if compromised.
A secure technology ecosystem is still vulnerable if users are not trained to recognize phishing emails, business email compromise scams, or other daily cyber risks. Many breaches begin with a user opening an email attachment that carries malware or following a link to a malicious site. Annual cyber awareness training should be provided to maintain organizational awareness and reduce the risk of a compromise. Many organizations conduct periodic tests of their awareness training by sending test phishing emails to determine how many employees open questionable attachments or follow suspicious links. This strategy helps organizations provide remedial training to those who just can’t resist clicking on suspicious emails.
Another important strategy for public sector cyber security is information sharing and partnerships with organizations like the FBI and MS-ISAC (Multi-State Information Sharing and Analysis Center). These partnerships can provide current information about risks and vulnerabilities that are impacting public sector organizations and recommendations for prevention and remediation.
Don’t Forget the Fish Tank
New IoT (Internet of Things) devices are rapidly being adopted and provide real-time data and new capabilities in operations and service delivery. New IoT sensors, HVAC systems, cameras, and even the Amazon Alexa are making their way into technology ecosystems, but many come without stringent security standards. Recently a casino was hacked through a thermometer in a fish tank in the lobby. The thermometer was an IoT device that provided temperature monitoring but lacked the security controls needed to keep attackers from compromising it. Hackers found the vulnerability, pulled a database of information on high profile customers out of the casino, and uploaded it to the cloud. IoT devices need the same security controls and monitoring as any other technology asset. Too often organizations treat these conveniences as low-risk solutions, but attackers may find IoT devices to be the easiest way into critical systems.
The Only Constant is Change
Cyber security and management of organizational risk will need to continue evolving alongside the new risks and vulnerabilities that attackers leverage each day. The public sector needs to remain agile to adopt new strategies to counter evolving risks and make cyber security a priority for every single person in the organization.