Cyberattacks are inevitable, but it’s still crucial for agencies to do all they can to reduce their risks. During a recent GovLoop online training, three experts discussed seven approaches that can make a difference.
1. Take Inventory
“This concept of inventory has existed for decades from an IT perspective,” said Lester Godsey, Chief Information Security Officer for Maricopa County, Ariz. But the definition of what an asset is needs to expand to include:
- Cloud providers
- The companies cloud providers depend on
“How can you legitimately determine what the risk is to the enterprise if you don’t know what’s in it?” Godsey said. “Inventory is the starting point of everything else that we do.”
2. Assess Everything
Determine how you’re protecting data, look at your processes and policies, and then assess them against a leading security framework such as the National Institute of Standards and Technology’s Cybersecurity Framework or the International Organization for Standardization 27001 family of standards.
“You have to have a starting point and you have to understand what your current reality is with respect to what are you doing well and what are you doing that needs to be addressed,” Godsey said. “You could prioritize all that based off of risk – the likelihood of an event occurring vs. what the impact of said event would be on the organization.”
3. Focus on Identity
Nefarious actors’ sophistication may be increasing, but one way they access IT systems and assets is simple: through identity theft.
But as with assets, the definition of identity must expand to include device, application and service identity. “Identity doesn’t just refer to individuals, meaning my logins and passwords,” Godsey said.
Implementing zero trust, least privilege and multifactor authentication can significantly increase protection against this type of threat, said Carmen Taglienti, Distinguished Engineer at Insight Enterprises. “Between every barrier within your environment, you assume no trust and so you basically go back through the authentication mechanism all over again,” he said.
4. Encrypt Data (and Guard the Keys)
“The most important part of using encryption is first of all to understand the level of encryption you’re going to employ,” Taglienti said. “Based off of the type of asset you want to protect, what type of encryption do you want to use?” Also consider how long it takes to encrypt and decrypt, because accessing or processing encrypted data carries processing overhead.
Encryption alone is not enough. Agencies must also protect the decryption keys because “if they become accessible, all bets are off,” he said. He recommends key cycling, or frequently changing keys, so that even if they’re compromised, data will be safe.
5. Defend in Depth
Defense-in-depth, or layered security, means having multiple checks in place so that even if someone gets past a few of those layers, an attack can be stopped, said Mathew Lamb, Manager of state, local and education sales at Palo Alto Networks’ Prisma Cloud Solutions Architects.
He recommends five steps for putting it in place:
- Define identity beyond users.
- Define policies and procedures.
- Ensure encryption.
- Measure how well all of that works.
- Add more security.
6. Audit, and Audit Some More
Auditing goes hand in hand with assessment, Lamb said, because it keeps agencies accountable for maintaining the measures that are in place.
To do it, set baselines for the behaviors expected of authenticated users and make sure you can observe them. Know the general behavior so you can identify anything that is out of line.
“This is a really critical piece to reducing your risk of a data breach,” Lamb said.
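The baseline-and-deviation check described above, as an added Python example that is not part of the original article or anything the speakers presented. The event tuples, identity names, the /24 grouping and the one-hour slack are constructed assumptions; the sample includes a service account because identity here covers more than people.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample events: (ISO timestamp, identity, source IP). Not real data.
BASELINE_EVENTS = [
    ("2024-03-04T08:55:00", "asmith", "10.20.1.15"),
    ("2024-03-05T09:10:00", "asmith", "10.20.1.15"),
    ("2024-03-06T16:40:00", "asmith", "10.20.1.77"),
    ("2024-03-04T07:30:00", "svc-backup", "10.30.0.5"),
    ("2024-03-05T07:30:00", "svc-backup", "10.30.0.5"),
]
NEW_EVENTS = [
    ("2024-03-11T09:05:00", "asmith", "10.20.1.90"),       # known network, usual hours
    ("2024-03-11T02:14:00", "asmith", "10.20.1.15"),       # unusual hour
    ("2024-03-11T07:30:00", "svc-backup", "203.0.113.8"),  # new network
    ("2024-03-11T10:00:00", "jdoe", "10.20.1.40"),         # identity never baselined
]

def subnet(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so address churn is not flagged."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def build_baseline(events):
    """Per identity: the source networks and hours of day observed so far."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ts, user, ip in events:
        base[user]["nets"].add(subnet(ip))
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def find_deviations(events, baseline, hour_slack=1):
    """Return (timestamp, identity, reasons) for events outside the baseline."""
    findings = []
    for ts, user, ip in events:
        profile = baseline.get(user)
        if profile is None:  # cannot judge behavior that was never observed
            findings.append((ts, user, ["no baseline for identity"]))
            continue
        reasons = []
        if subnet(ip) not in profile["nets"]:
            reasons.append("new source network")
        hour = datetime.fromisoformat(ts).hour
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not (lo - hour_slack <= hour <= hi + hour_slack):
            reasons.append("outside usual hours")
        if reasons:
            findings.append((ts, user, reasons))
    return findings
```

Calling `find_deviations(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` returns the three out-of-line events and leaves the routine login unflagged.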
7. Educate Your Staff
It’s long been said that people are the weakest link in the cybersecurity chain, and although training and education have increased and improved, “there’s a reason why email is still the biggest threat vector for virtually every single organization out there, whether it’s public sector or private sector,” Godsey said.
His agency regularly conducts phishing campaigns to test whether the county’s 14,000 employees fall for them and then provides training based on the results. “We are trying to create a culture to say you’re part of the security team at Maricopa County,” he said.