Take a moment and think about yourself, your team and your department. More specifically, consider how you would rate the security health across your team and organization.
This seems like a loaded question, but here are a few things to consider when making that determination:
- Do you receive regular security training?
- Do you receive security incident alerts?
- Do you share login credentials?
- Is security discussed at team and group meetings?
- Are there passwords on whiteboards?
- Does your organization test employees for security IQ?
These aren’t in-depth, probing questions, but they are the types of questions that can help you get a quick pulse of the security health at your agency, said Bob Ainsbury, Chief Product Officer at Granicus.
Speaking at Granicus’s 2017 Digital Communications Summit in Washington, D.C., Ainsbury equated this short security questionnaire to the questions doctors ask when assessing a patient’s overall health. Do you exercise? Do you smoke? How many hours of sleep do you get? From a few simple questions they can form a reasonable picture of what a patient’s health is likely to be.
Quoting computing expert Eugene Spafford, Ainsbury explained that those in the security field are very much like cardiologists. “Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them,” he said. “But they will continue to smoke, eat fried foods, and practice being couch potatoes until they have their infarction.”
The truth about cybersecurity is that those trying to protect their assets can never win outright. The best they can do is a draw. Government agencies at all levels face a constant barrage of intrusion attempts every day, and it only takes one exploitable vulnerability or one missed incident for an attacker to succeed.
To help agencies better defend against these attacks, Ainsbury shared how agencies can modify their behavior to get a “draw.”
Let’s start with what we know. Vulnerabilities come from two sources: people and systems.
With that in mind, Ainsbury shared Granicus’s internal approach to reducing the human risks. Internally, employees are required to complete annual security awareness training. It is interactive and serves as a refresher to keep security top of mind for all staff. For example, employees are shown a picture of an office setting and asked to identify things that could pose a security risk, such as leaving sensitive information on a whiteboard or throwing confidential documents in the trash. This kind of employee training isn’t the be-all and end-all but rather one part of a larger security ecosystem, he said.
On the tech side, systems are continuously monitored for any anomalies and intrusion attempts.
As a leader in cloud-based solutions for communications, Granicus strives to help government realize better outcomes and have a greater impact for the citizens they serve. As part of those efforts, security in the cloud is top of mind.
Cloud computing, at its core, is the practice of using a network of remote servers, accessed via the internet, to store, manage and process data rather than doing so on a local system. In other words, your stuff is on other people’s systems and potentially reachable from billions of devices. “What could go wrong?” Ainsbury said jokingly.
In terms of cloud security, he stressed the importance of programs like the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach for securing, assessing, authorizing and continuously monitoring cloud products and services used by government. Agencies are, in most cases, required to use FedRAMP-authorized cloud services. But there are a few things they should keep in mind:
- A company doesn’t get FedRAMP authorized; individual products or services do.
- Just because a product runs on a FedRAMP-authorized cloud provider (like Amazon) doesn’t mean the application itself is FedRAMP authorized. Far from it.
- Agencies have to use FedRAMP-authorized solutions.
- FedRAMP uses a very rigorous and effective process.
- An agency still has security obligations of its own even when it uses a FedRAMP-authorized product.
As agencies work to close the security gap through programs like FedRAMP and better cyber hygiene, Ainsbury reiterated that you have to make security part of your regular dialogue and that employees should be trained, re-trained and tested.