[BreachExchange] 10 tips for agencies looking to address cyber threats

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 23 22:22:51 EDT 2018


https://fcw.com/articles/2018/03/23/comment-cyber-dangelo.aspx?admgarea=TC_Opinion

Cybersecurity is top-of-mind in the federal government, but the reality is
federal budget processes and constraints have boxed in many federal
agencies, limiting their ability to protect against the latest threats. And
when tight budgets limit hiring, strapped teams cannot keep up with new and
increasingly complicated attacks.

Cybersecurity changes continue to accelerate, including new, complex
technologies to incorporate and new threats to protect against.
Historically, federal IT has focused its investments on endpoint solutions
protecting the network infrastructure, which includes relatively
unsophisticated email gateway solutions for anti-virus and spam.

However, these solutions only address 10 percent of the problem. Studies
consistently find that about 90 percent of advanced attacks begin with new
forms of email threats that target individuals, not networks. These attacks
include business email compromise (BEC), phishing and ransomware, and pose
a serious risk of financial loss and loss of intellectual property.


Beyond these email threats, attackers also target social networks and
mobile devices. For example, spoofing a real employee on a social media
platform can be a pathway to obtaining sensitive data. And many malicious
apps also contain malware designed to access this data or steal login
information.

Given all these new threat vectors, federal agencies must strengthen their
cyber defense strategies. The following 10 tips are designed to help
federal IT teams better prioritize cyber threats, shift their approach to
spending and improve cyber defense.

1. Know the current landscape. Talk to peers, read federal publications
(especially from the FBI) and attend seminars and webinars to learn how to
solve challenges and stay ahead of pressing threats.

2. Take a TCO approach. Avoid merely looking at the acquisition cost of a
cybersecurity solution. Fixing problems will likely cost more than the
automated tool in question. Also, consider the lost opportunity cost. For
example, an automated solution that quarantines an intrusion allows teams
to stay focused on more strategic projects. Cyber vendors and integration
partners can provide a broader context for calculating the total cost of
ownership for specific solutions.

3. Evaluate your specific threat profile. A Department of Defense component
may face very different threats than a civilian agency. Some questions to
ask: Do we have visibility into where email is coming from? Are BYOD
devices used? What is the role of social media in the department, and are
there policies for using it? The key to fully understanding your threat
profile is having reporting tools that reveal where potential attacks are
coming from and your vulnerabilities. If these tools aren't available,
consider partnering with a service provider.

4. Ask vendors for proofs of concept. This is an excellent way to gain
insight into existing threats and vulnerabilities and determine specific
costs for improving your cybersecurity profile. Beware of any vendor that
shies away from a POC. This is a red flag that the efficacy of that
vendor's solutions is poor or lacking by comparison.

5. Retire old solutions. As contract cycles end, retire old solutions for
new ones. In the past few years, next-generation cybersecurity solutions
have emerged offering significantly better protection than their
predecessors – and these solutions don't necessarily originate from the
same vendors that were the leaders at that time.

6. Take a layered security approach. To prioritize spending, focus on the
individual, the devices used and the data created across multiple mediums:
email, mobile, SaaS applications and social channels.

7. Identify the highest priority threats. Explore your specific
vulnerabilities and weakest links. Funds tend to materialize immediately
after a public breach, but they can also materialize if a vulnerability is
believed to be severe enough. While it is not an enviable position to call
out existing gaps in cyber protection, the alternative – a possible
successful attack – can have a much more devastating and longer lasting
effect.

8. Apply incremental budget increases. Ensure any incremental budget
increases are applied to the highest priority threats.

9. Consider outsourcing benefits. Instead of acquiring new hardware,
examine the benefits of outsourcing less critical infrastructure. An
increasing number of agencies are taking advantage of cloud-based
initiatives such as Office 365 and moving towards acquiring cloud-enabled
cyber solutions.

10. Find the right vendor. It is critically important to pick a vendor that
has the right vision, organizational structure, infrastructure and
scalability to stay one step ahead of the ever-changing threat landscape.
The vendor community shifts, expands and consolidates at once, so
investigate the offerings of all the top vendors to see which companies
continue to evolve and outpace the emerging threat landscape.

In cybersecurity, complacency is essentially synonymous with inviting in
the attackers. Fortunately, even in the face of tight budgets, agencies can
increase their knowledge and their cyber defense profile by accessing
available resources and working with partners and vendors that are on the
frontlines of defense.