Of the 1.5 to 1.9 billion websites on the internet, only about 10% are actively used. According to Mark Burdick, Lead Networking Systems Engineer at Citrix, this means an agency’s applications, such as its website or mobile apps, are a much bigger needle in a much smaller haystack: attackers have far fewer live targets to sift through than the raw count suggests, so an agency is more visible than it assumes.
“You have to be willing to accept you’re actually a target,” said Burdick at GovLoop’s recent online training, “Is Your Agency Next? How to Avoid Cyber Breaches.”
‘Security through obscurity,’ Burdick said, is not going to cut it. As used here, the phrase describes the assumption that an agency’s web applications are safe because they are too small or too obscure to be singled out on the wider web. (Strictly, the term refers to relying on the secrecy of a system’s design or implementation rather than on sound controls; the flaw is the same in both senses, since obscurity offers no protection once an attacker is scanning indiscriminately.) Burdick said this mindset is one of the biggest barriers to strengthening an agency’s security.
Once the jitters subside and agencies overcome the ‘security through obscurity’ approach, Burdick said, then they can take steps to effectively fortify their cyberdefenses.
For example, Colorado’s Office of Information Technology (OIT) emphasized educating its workforce as one way of overcoming those anxieties.
“We want to make security sexy,” said Daniel Teyf, OIT’s Information Security Architect.
Now in its third year, OIT organizes an annual application security symposium where about 120 people attend to learn about emerging security techniques, tools and technology for a day.
The symposium is a cross-team effort that takes about half a year to set up, and it is part of how the department engages its developers to think about security year-round, not just during their training or on symposium day.
In addition, a group of application security “champions” becomes the point people for encouraging best practices and integrating security into application development.
Yet cyber-awareness is just as critical for non-developer staff. The partnership between a customer, meaning anyone who uses an application, and the security team is paramount, Teyf said. The whole ecosystem of an application needs to be considered.
“What else is it talking to? Is it mobile? Who’s walking behind you and seeing the screen?” Teyf noted. “You should, as a consumer, be educated to some degree about those security components and be able to demand security from those providers.”
Despite the looming threat of breaches, Burdick emphasized that agencies are not alone.
“The challenges you face are not entirely unique to you,” Burdick said. “There are solutions out there [that are] available, whether it’s technology, products, services or design.”