In today’s ever-evolving and complex IT environment, security is more critical than ever. However, with the many responsibilities IT professionals juggle daily, the most important parts of a security model can be easily overlooked.
Enforcing good information security habits across your organization can be challenging, given constraints such as budgets, time, the complexity of compliance requests, and the evolving capabilities of attackers.
Internal end users, whether they are agency employees or contractors, can also become obstacles to good security — and sometimes, unwittingly, even become insider threats.
“End users in agencies can be a really difficult factor for security in government today,” noted Arthur Bradway, Senior Federal Sales Engineer at SolarWinds. “Many people bring in bad habits and poor cyber hygiene from their personal lives to their jobs in government. It’s not intentional, but they expect a lot — to be constantly connected, to use any device, and to do it however they want. And security is not always top of mind for them.”
Governments are also relying more on outside contractors, increasing the risk of potential threats. Contractors without proper security training may accidentally expose, delete, or modify critical data. They also might access resources that are not necessary to do their job, or use unsecured networks and Wi-Fi, all of which increase security vulnerabilities for an agency.
There are other challenges for IT administrators, too. An increase in the number of devices and the volume of network activity can present difficulties. The growing use of cloud apps and infrastructure expands the attack surface. In addition, the challenge of implementing good cyber hygiene and training all end users across large agencies — as well as getting leadership buy-in to do so — can sometimes seem insurmountable.
How can agencies take back control and reintroduce and reimplement information security in today’s age and IT environment?
Implementing stronger IT controls and compliance monitoring is the way forward for agencies.
According to respondents of the recent SolarWinds Federal Cybersecurity Survey Report, agencies with evidence of robust IT controls are more likely to possess the hallmarks of strong IT security environments.
IT controls consist of the procedures and policies that help ensure agency employees are reasonably using technologies for their intended purposes. These involve embedding security practices and conversations about good security habits within an agency’s daily office environment.
Numerous factors contribute to the successful risk management of threats posed by careless insiders:
• A concerted effort to apply security best practices
• End-user security awareness training
• Intrusion detection and prevention tools
• Employee background checks
• Patching
• Network traffic encryption
“Agencies that have worked on bolstering their IT controls experience fewer threats and are able to respond more quickly to those that do occur,” Bradway explained. They also enjoy more positive results when implementing IT modernization initiatives, and are ready to comply with regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
“Building strong IT controls requires a deep level of visibility into one’s IT infrastructure, which network and application performance monitoring tools provide,” Bradway said. These types of tools continuously collect data on operations and alert IT administrators about anomalies, such as lags in performance or intrusion attempts, providing constant and valuable insight into network activities.
To strengthen their IT controls, these agencies are adopting configuration and patch management, web application security, file integrity monitoring and, of course, security. High-performing agencies with strong IT controls experience fewer cyberthreats, faster response times, and more positive results from IT modernization initiatives.
This article is an excerpt from GovLoop’s recent report, “How Government Can Embed Information Security Into IT Best Practices.”