Jul 03 2024

Cyber Hygiene Fixes for the Overconfident Agency

The government must invest in practices and procedures for maintaining resilient systems, devices, networks and data.

There exists a major disconnect between the trust most agencies put in their current cybersecurity strategies and their actual ability to defend themselves.

While 88 percent of global IT and security leaders feel confident in their organizations’ ability to manage cyber risk, 51 percent report that more than half of their cyber incidents were due to poor cyber hygiene, according to an April study from ExtraHop.

Cyber hygiene consists of practices and procedures that organizations use to maintain the health and security resilience of their systems, devices, networks and data. For agencies that provide essential services and host critical data and assets, the risks involved with having more reactive than proactive cyber strategies are dire.

Pitfalls stem from allowing points of security failure that hackers can take advantage of. No cybersecurity solution is effective enough with a set-and-forget strategy, and federal IT leaders must adopt a new mindset to keep pace with advancing threats.


Understanding the Likelihood and Risks of Cyberattacks

The best way for IT leaders to understand how to proactively tackle cybersecurity is to understand the risks on the rise and the high likelihood that their agencies could become targets. ExtraHop found that 58 percent of global IT security leaders reported experiencing six or more ransomware incidents in the past year, and 41.6 percent of government IT leaders paid between $500,000 and $1 million in ransomware payments in that same time frame.

Aside from the financial implications and being forced to communicate with criminals, ransomware attacks can require agencies to pause operations, with potentially catastrophic consequences for critical infrastructure or services. These attacks also take up valuable time that security operations center analysts could instead use to focus on other essential tasks, opening the possibility for more gaps in their defenses.

Gone are the days when agencies could treat cyberattacks as “if” scenarios; they’ve become the ultimate “when” situations.

Cyber Hygiene Requires Continuous Effort

Despite a clear uptick in attacks, government IT has some of the poorest cyber hygiene, according to ExtraHop.

This does not necessarily mean these leaders aren’t relying on valuable solutions or tools. It means they’re not putting enough time or focus into looking for additional gaps or applying best practices to fix them.

These issues are not exclusive to the government. Despite frequent warnings around zero days and regularly shared patches for common vulnerabilities, many organizations still neglect to update their software; nearly half are still running at least one insecure network protocol that threat actors are known to exploit, according to ExtraHop. IT leaders cannot wait for their software to be exploited to act.

Certain policies should require regular software updates to keep up with critical patches, and they should extend from old software to new. For example, generative artificial intelligence is finding its place in every industry, but any integration must be accompanied by strong policies designed to protect sensitive data from becoming vulnerable, whether through employee misuse of AI tools or large language model exploits.

Federal IT leaders should continually search for solutions that can reveal risks, help build business resilience and offer additional avenues of security. While security technology adoption is growing, only around a third of respondents globally had deployed or planned to deploy any individual cyber solution — including network detection and response, endpoint detection and response, or security information and event management — ExtraHop found.

Prioritizing Cybersecurity in Agencies’ Budget Cycles

Budget will be a constant battle for most agencies, and few government IT leaders are getting the funding they need to be effective. In fact, 31 percent sought a budget increase of more than half, according to the ExtraHop study.

Elevating these concerns requires a cybersecurity advocate in budget conversations who can point out that agencies must comply with security mandates and executive orders. It is essential that IT leaders communicate upward to agency decision-makers that cybersecurity is worth every penny.

This includes purchasing tools, hiring staff and conducting training to prevent social engineering attacks, which remain a primary way for threat actors to gain access to an agency’s network. A human element was involved in more than two-thirds of data breaches in the past year, according to Verizon’s 2024 Data Breach Investigations Report.
