Millennials, the largest generation in the U.S. workforce, often evaluate jobs based on technology-driven criteria that rarely occurred to previous generations. Federal agencies are trying to accommodate these under-40 workers with badly needed tech skills.
But along the way, agencies and workers might also be compromising something more important: security.
Federal executive branch civilian agencies reported more than 35,000 cyber incidents in 2017, according to the Government Accountability Office. That number will rise if agencies do not secure the endpoint devices that workers like to use.
A 2018 CyberScoop/FedScoop and Samsung survey found 33 percent of federal workers rely on personal laptops, 49 percent rely on personal smartphones, and 74 percent use personal tablets.
Feds Need to Admit They Have an Endpoint Security Problem
The private sector has been investing in new equipment with built-in security features for some time. But government agencies, according to a recent GAO report, spend 80 percent of their IT money on the operation and maintenance of legacy systems.
This approach must stop. The cost of a cyberattack now — both in dollars and in the potential damage to critical infrastructure — far outweighs any added investment in better endpoint technology. So, what should government agencies do to get ahead of this challenge?
First, admit there is a cybersecurity problem. Secure agencies take meaningful strides to accommodate, locate and protect devices connected to their workforce. An initial step toward solving this problem would be to conduct a comprehensive audit to determine what devices are accessing the network, where they are located and how secure they might be.
Next, agencies can try to change their mindset about cybersecurity; improving cybersecurity readiness involves thinking like an IT security pro.
Security professionals talk about the importance of layered fortification, or “defense in depth.” This means applying protection across the entire stack — the system, network, application and transmission levels. Miss one, and an infrastructure’s private data is open to attack.
Unfortunately, cybersecurity is often an afterthought in technology purchases. Much-needed safeguards aren’t added until later in the form of anti-virus, firewalls and other limited solutions.
The key is to put security ahead of all other purchasing considerations. If an endpoint device isn’t secure at its core, it shouldn’t be allowed to touch the network. Ultimately, an endpoint purchase is a security decision.
Employ the Latest Security Technologies
Finally, load up on security features for endpoints. If a hacker modifies a lightly protected computer’s BIOS — the basic input/output system that enables the computer to start before an operating system gets going — he or she can seize control and use the computer to penetrate agency networks.
Prioritizing endpoint devices with an array of protective measures is an important step in security protocol. This would include automated threat monitoring, configuration maintenance, and attack detection and remediation.
Devices should also include integrated features (beyond traditional anti-virus software) that recognize when malware has been launched on a device from an infected website. These programs sniff out threats and isolate them in virtual containers where they cannot harm a network.
Whatever approach an organization takes, it must accept the need for change and embrace the idea that every technology decision is a security decision. The cybersecurity challenge isn’t getting easier, especially with the rise of a mobile workforce and so many people working remotely.