Most government leaders recognize the workplace is undergoing dramatic changes, both internally and externally.
Millennials, the largest generation in the U.S. workforce, often evaluate jobs based on a number of technology-driven criteria that rarely occurred to previous generations. What devices will they get to use at work? Will they be able to carry their own smartphones or tablets? Will they be allowed to work remotely?
Today, the answer to each of these questions can be the difference between winning the battle for talent and losing great candidates to another government agency or firm. Many agencies are doing their best to accommodate the preferences of young workers. But along the way, they might also be compromising something even more important: security.
More than 35,000 cyber incidents were reported by federal executive branch civilian agencies in 2017, according to the Government Accountability Office. That number is sure to rise in coming years if agencies do not educate themselves about the need to secure endpoint devices.
The private sector has been doing this for quite some time by investing in PCs, laptops and even network printers with built-in security features. But government agencies, which may be strapped for budget, sometimes put more focus on the cost and ergonomic factors of devices than on integrated security features.
This sometimes narrow approach must stop because the cost of a cyberattack now — both in dollars and in the potential damage to critical infrastructure — far outweighs any added investment in better endpoint technology. Indeed, the average cost of a cyberattack now exceeds $1 million. Overall, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, according to the Council of Economic Advisers, an agency tied to the White House.
While it is difficult to ascertain how much of that activity had to do with endpoint devices, we know that as organizations continue to fortify more traditional attack vectors — such as software and the network edge — less protected endpoint devices become much more attractive targets.
So, what should government agencies do to get ahead of this challenge? Consider these three steps for a stronger endpoint security posture.
1. Admit You May Have a Cybersecurity Problem
The top challenge with government cybersecurity efforts is that many still rely too heavily on affordable but outdated technology that cannot keep up with modern threat levels. In fact, a GAO report shows more than 75 percent of government IT budgets are spent on quick fixes for legacy systems. Lowest Price Technically Acceptable (LPTA) source selection processes often do not address critical security requirements.
Most agency leaders freely admit that, while they commit funds and staff to protecting their IT infrastructure, they cannot easily identify which methods and vectors of cyberattack are most likely to affect them. What’s more, a CyberScoop/FedScoop and Samsung survey found 33 percent of federal workers rely on personal laptops, 49 percent rely on personal smartphones, and 74 percent rely on personal tablets. Most of these devices, however, are unsupported by their federal agency IT managers.
A core differentiator for security lies in the willingness of agencies to take meaningful strides to accommodate, locate and protect devices connected to their workforce. A first step toward solving this problem would be to conduct a comprehensive audit to determine what devices are accessing the network, where they are located and how secure they might be. From there, it’s easier to devise a strategy for either denying devices access or bringing them up to current standards.
2. Change Your Agency’s Mindset Around Cybersecurity
The second step toward a stronger endpoint security posture is to recognize that raising cybersecurity readiness involves thinking like an IT security pro. This doesn’t require becoming paranoid or going out and getting a Certified Information Systems Security Professional certification. But you should look at cybersecurity holistically.
Security professionals talk about the importance of layered fortification or “defense in depth.” This means you’re not just focusing on one potential point of vulnerability but are applying protections across the entire technology stack — its system, network, application and transmission levels. Miss one of those, and you are leaving your entire infrastructure — and all its private data — open to attack.
Unfortunately, cybersecurity is so often an afterthought in technology purchases that much-needed safeguards aren’t added until later in the form of anti-virus, firewall and other limited solutions.
The key, therefore, is to put security ahead of all other purchasing considerations. If an endpoint device isn’t secure at its core, it shouldn’t be allowed to touch the network — at least not without having strongly enforced security policies in place. Ultimately, an endpoint purchase is a security decision.
3. Load Up on Security Features for Endpoints
If a hacker modifies a lightly protected computer’s basic input/output system (BIOS) — which enables the computer to start before an operating system such as Windows gets going — he or she can seize control and use it to penetrate agency networks. Therefore, a final (yet immensely important) step in security protocol is prioritizing endpoint devices with an array of protective measures. This would include automated threat monitoring, configuration maintenance, and attack detection and remediation.
Devices should also include integrated features that go beyond traditional anti-virus software to recognize when malware has been launched on a device from an infected website. Why? Because such features sniff out threats and isolate them in virtual containers where they cannot harm a system or network. Similarly, another recent innovation uses artificial intelligence and machine learning to provide real-time detection and prevention of zero-day threats (in which vulnerable devices are unknowingly exploited), coupled with behavioral detection of ransomware impact, a growing problem for many public sector organizations.
Another useful feature to consider, especially with so many employees using their computers to do work in public places, is an integrated privacy screen. In the past, some people have covered their screens with small, dark slips of film to keep prying eyes away from their private information. But recently, laptops and notebooks have started offering built-in “privacy modes” that instantly make the screen unreadable for anyone nearby. Visual hacking is often a simple means of gaining access to private data.
Whatever approach your organization takes, accept the need for change and embrace the idea that every technology decision is a security decision. The cybersecurity challenge isn’t getting any easier, especially with the rise of a mobile workforce and so many people working remotely. It is critically important, therefore, to prepare for this reality.