With today’s headlines abuzz with news about hackers, security breaches, and an unlimited array of online threats, it’s no wonder that achieving a solid network security posture has become a little like the quest for the Holy Grail.
Just like any quest, you must overcome obstacles, barriers, and challenges. Cloud migration, network modernization, and even simple technology updates can open agencies up to risk. Limited resources and budgetary constraints only compound the challenges.
The 2017 SolarWinds Federal Cybersecurity Survey highlights these challenges, but it also brings to light the opportunities that 200 federal government IT decision-makers and influencers are experiencing. Let’s look at some of their top insights so we can illuminate the pitfalls on the quest to better cybersecurity.
Internal threats are public enemy number one
With all the foreign headline grabbers garnering the spotlight with reports of hackers and election interference, you may suspect that the biggest threats would come from afar, but that is not necessarily true. The survey reveals the biggest threat federal IT pros face is actually coming from within their organizations. A full 54 percent of those surveyed noted that “careless or untrained” insiders posed the biggest security risk, while another 29 percent placed “malicious” insiders as their top concern.
External threats certainly exist too, and they are increasing in scope. More than half of survey respondents said that spam and malware threats (52 percent and 50 percent, respectively) had increased during the past 12 months. Meanwhile, 50 percent said a shortage of funding and resources is the greatest challenge to detection and remediation of security issues.
State and local governments are also concerned
Federal IT pros aren’t alone in feeling the pinch. A 2016 survey by the International City/County Management Association (ICMA) in collaboration with the University of Maryland conducted a survey to understand local government cybersecurity practices. The survey included responses from 411 state and local government CIOs. Their results, too, indicated some significant barriers to achieving better cybersecurity, including:
- Inability to pay competitive salaries of IT personnel (58 percent)
- Insufficient number of cybersecurity staff (53 percent)
- Lack of funds (52 percent)
Is it starting to feel a little like we’ve all been sent on the quest for the Holy Grail with nothing but a shovel and a pat on the back?
Three keys to success
Lucky for all of us, we have a treasure map (of sorts) to help us on our quest. This “map” consists of three very simple but nonetheless crucial steps all IT pros can and should implement to fortify network security:
Improve network visibility. We cannot control what we cannot see, and we cannot find what remains hidden to us. This includes the threats that may be plaguing our networks. That is why implementing solutions that can be configured in depth to deliver complete network visibility is critical to achieving network security. Continuous, automated monitoring is essential in the quest to root out threats from both inside and outside the network.
Continue cybersecurity training. Going back to our SolarWinds survey of federal IT professionals, one-third of respondents noted that “insufficient training of IT staff” was a significant barrier to network security. Moreover, with 54 percent blaming “careless or untrained” insiders as the biggest security threat, there is no doubt that training is a must-have to shore up government cybersecurity efforts. Agencies cannot skimp on providing their staff with the knowledge and tools required to create and maintain better security postures. Further, training must be continuous and held at regular intervals. It is not enough to have one-off sessions and call it a day; the threat landscape is changing too rapidly for that type of approach. Staff must keep abreast of evolving risks, as well as actions they can take to mitigate those risks.
Improve IT controls. IT controls also play a key role in those risk management efforts. Some 79 percent of the SolarWinds survey respondents identified their ability to provide managers and auditors with evidence of appropriate IT controls as either “good or excellent.” Those high-performing agencies tend to experience fewer cyber threats, faster response times, and improved results from modernization efforts. All of these factors point to the importance of IT controls as a cornerstone of better network security.
At the end of the day, IT professionals are all on the same quest. Everyone—from federal IT pros to members of the state and local governments—seeks to ensure their respective networks are locked down. We strive to prevent network attacks, be they external or insider threats. Monitoring and reporting tools can help us on this quest, but so can the appropriate amount of training.
The bottom line is that we need not rely on a shovel and a difficult-to-decipher map. We have simple steps and tools available that can help us reach our Holy Grail: a safe and secure network.
By Joe Kim, executive vice president, engineering and global CTO, SolarWinds
Your point of ‘continuous cybersecurity training’ resonated with me. I agree that training can’t take the ‘one and done’ approach, but it needs to be an on-going program if we really intend to staying up-to-date, current and protected. Thanks for posting!