Nick Psaki knows a great deal about protecting and recovering agency systems. As Principal Technologist at Pure Storage, a firm that offers cloud-based data storage solutions, he helps government entities practice good cyber hygiene, get ready for potential attacks and pick up the pieces when bad things happen.
He knows how to explain what agencies must do.
Update Systems, and Maximize Their Potential
First and foremost, he believes organizations must keep their systems up to date, and one way to achieve that is by taking advantage of a platform’s ability to automatically update. He noted that software fixes are required more often than many processes for controlling software, hardware and other system modifications may allow.
That takes Psaki to another point. You need to “get an understanding of what capabilities you may have that have not yet been enabled, so that you can protect your data, and you can recover responsibly and effectively and rapidly from things that may go bump in the night,” he said.
It’s like operating a vehicle. “If you’ve got seatbelts in your car and you’re not wearing them, they don’t protect you,” Psaki explained.
Know What’s Happening Across Your Enterprise
He also urged agencies to know what’s happening across their infrastructure. “You have to know where you stand and have that observability into activities across your enterprise,” he said. “Not just who’s doing what, but in the case of system-level volume, what is doing what.”
User training ties in with that. Psaki noted that “Educated users are a tremendously powerful line of defense. If they’re aware, they can see things that are anomalous or malicious, and make the appropriate folks aware of that.”
Plan and Test Your Systems
Psaki also stressed the importance of having a plan — and practicing it. Holding tabletop exercises or staff rehearsals is “incredibly important” to understand what actions will effectively help an agency recover and who’s going to take them, he said.
He suggested hiring outside firms to do penetration testing in order to identify vulnerabilities in your agency’s infrastructure, and he said agencies should compare their security schema to published standards.
And, Psaki said, organizations should look in the mirror and consider: How often are we doing our security education?
This article is an excerpt from GovLoop’s e-book entitled “Stuck in Neutral: How to Jumpstart Change at Your Agency.”