The following post is an excerpt from GovLoop's recent guide, The Top 30 Government Innovations of 2017.
In this age of rapid technological innovation, organizations face many obstacles to ensuring cybersecurity. The rise of internet-connected devices is just one thing that’s forced agencies to rethink in 2018 how they secure technologies and their related endpoints that operate on their networks.
Much of this is due to the rise of the Internet of Things (IoT), which is expanding in size and scope. Gartner estimated there would be about 8.4 billion connected devices in use in 2017, and that number is projected to rise to almost 21 billion by 2020. The challenge for agencies is ensuring security practices can keep pace. To learn more about what agencies can do to demonstrate due diligence in endpoint cybersecurity in 2018 and beyond, GovLoop spoke with Kimberlee Ann Brannock, Senior Security Advisor at HP.
“IoT expansion, in general, leads to a lack of standards, as well as competing standards,” Brannock said. “There’s vendor lock-in, there are proprietary devices, there are private networks, and all of this makes it hard for devices to share common security protocols.”
In recent years, several major hacks have been the direct or indirect result of IoT infiltration. For example, attackers made off with more than 70 million credit and debit card numbers from Target in 2013. In another case, a distributed denial of service (DDoS) attack in 2016 by the Mirai botnet — one of the strongest ever recorded — shut down a number of highly-trafficked internet sites in the United States by gaining access to consumer devices like internet protocol (IP) cameras and home routers.
Many older technologies — like printers, for example —have many thinking these devices are not of concern. However, printers are being built with internet-connecting capabilities, and they’re often overlooked as potential cybersecurity risks, Brannock said. In reality, they pose the same danger of unauthorized entry as more recognizable network endpoints, like personal computers, that can easily connect to the Internet. “HP is observing the digital world and the physical world colliding, and we need to more adequately address security in association with the devices in this equation,” she said.
“We have lots of examples in the news about some type of security event, including those that lead to major data leaks, or even items that are classified as data breaches,” Brannock added. “Historically, there was this attitude that when certain devices, such as a printer, were brought into an environment, it wasn’t a big deal. It’s now a big deal. They’re programmable, intelligent devices, just like any other PC. It’s become more important to protect those devices.”
That’s especially true for government agencies that aren’t able to yet fully address the nuances of endpoint security. And, similar to consumers, agencies run the risk of unknowingly purchasing inadequate products. Since there is little in the way of industry standardization, Brannock said, inexpensive devices often include subpar components that are difficult to secure comprehensively.
HP is working to change that. As a leading industry voice for security standards, HP encourages manufacturers to enhance cyber sophistication and endpoint standardization.
Brannock noted that it’s imperative agencies learn about contemporary cybersecurity issues, and that they only procure devices where security innovation is evident and to use devices that offer lock-down features, have better access controls and can prevent unauthorized personnel from printing certain data.
“The way organizations are operating in this modernized digital workplace, they’re not printing as much,” Brannock said. “But the documents they do decide to print are much more valuable.”
To help agencies do better on this front, HP includes state-of-the-art security measures in its devices. And because of the added control features, the devices can also help government save costs.
The other priority for HP is education and awareness of standardization issues and endpoint vulnerability. Brannock explained that HP has sought to steer agencies away from porous security measures in their procurement processes that could put their mission at risk.
“There are a lot of brilliant, talented people in government, and part of addressing this issue is just making them aware,” Brannock said. “There should be awareness, education and training campaigns, to help make people aware to include security in the procurement process and to be aware of better cyber hygiene. As security is in our DNA, HP is excited to be taking part in that endeavor.”
If government is receptive to these lessons and implements tighter requirements as a result, 2018 and the years beyond will be safer for it.
Read the full Top 30 Innovations of 2017 guide, here.