How do you fight what you can’t see? That’s been the challenge of countless science fiction and fantasy novel characters, and now security departments are faced with the same dilemma.
You never know where the next attack is coming from in the world of cyberthreats, and the possibilities are endless – cyberterrorists, phishing emails, insider threats and so much more.
Well, following the trend of recent horror films, the biggest danger might come from within. The biggest threat is us.
“People are the biggest problem we have. They’re opening doorways,” said Phil Bertolini, Chief Information Officer (CIO) of Oakland County, Michigan.
Wednesday, Bertolini appeared on GovLoop’s training “Government Insights: What You Need to Know About Cybersecurity Today” alongside Michael Watson, Chief Information Security Officer for the Commonwealth of Virginia at the Virginia Information Technologies Agency (VITA). Mark Hensch, GovLoop Staff Writer, was also on the panel after authoring “Understanding the Dangers to Your Cybersecurity.”
A lot goes into an effective cybersecurity strategy, but many rank-and-file, business-side employees are surprised at how central they are to defending against cyberthreats – and to enabling them. That unawareness is the reason insider threats are so prominent in agency conversation.
“When we think of cyberthreats, we often think of something malicious, or an attacker,” Hensch said. “Insider threats can be something like that, but they can also just be someone who accidentally mishandles information.”
Educating and informing employees are foundational responsibilities of modern-day security departments. That requires unique and creative approaches to training.
Oakland County has run practice “phishing attacks” – fraudulent communications that attempt to extract sensitive data or install ransomware on systems – against its own employees, and the results haven’t always been encouraging. One employee took the bait of a yearlong Amazon Prime membership nine separate times.
It’s not just phishing. Government IT departments across the country are struggling to alert employees to the omnipresence of dangers to cybersecurity.
Employees don’t see why logging into their email from a public location or taking certain files home to work on is such a big deal – not to mention that doing so would boost productivity.
“Sometimes you just have to say no,” Bertolini said. “I know that’s not our first reaction, and nobody wants to be the naysayer, but you just have to balance the risk and reward.”
Establishing a strong and encompassing culture of cybersecurity means implementing security at the front end. But it also means looking at the problem realistically.
Employees want mobile-capable workflows, meaning that emails and files need to be accessed by portable devices and phones. Business cannot be halted.
People are the weakest links, Bertolini said, and likely will be for the foreseeable future. However, there are solutions that can balance risk-reward to accommodate the technology employees want.
“What we still struggle with is that the business units that are using these services have trouble understanding ‘Hey, your business doesn’t function without IT,’” Watson said.
That means agencies need to work on encrypting sensitive data at rest and in transit, shoring up networks and establishing multiple layers of protection.
That also is what protects against the onslaught of cyberattacks that are searching for anywhere to get through. Human error is just one vector of infiltration, and attackers will take what they can get.
“They don’t know who we are when they hit us,” Bertolini said. “The majority of these, they’re just hounding away at networks, trying to find openings.”
Panelists on the webinar acknowledged that the problem could seem overwhelming. However, recent changes in culture and technology have inspired optimism, they said.
Seeking industry partners and looking to technological advancements, such as security orchestration and automation, could lend visibility to a problem historically cloaked in obscurity.
“Don’t get overwhelmed by all the issues you have out there right now. You just have to take one bite at a time,” Watson said.