A recent report issued by a U.S. Senate Committee revealed that America’s data is in fact still at risk. Cybersecurity at eight federal agencies was found to be so poor that four of them earned grades of D, three got Cs, and only one received a B. The report also identified that the agencies failed to properly protect personally identifiable information (PII), maintain a list of all hardware and software used on agency networks, install vendor-supplied security patches in a timely manner, and were operating legacy systems. To state the obvious here, we must and can do better.
What’s even more mind-blowing than this? The latest report was issued two years after these issues first became known. An earlier report released in 2018 by the U.S. Senate Committee on Homeland Security and Governmental Affairs found systemic failures by the same eight federal agencies in compliance with cybersecurity standards. The authors of the latest report wrote that, “inspectors identified many of the same issues that have plagued Federal agencies for more than a decade.”
The Department of State, having received a grade of D, was found to operate without required authorizations, to run software that is no longer supported, and to fail to install security patches in a timely manner. Similarly, the other seven departments addressed in the report left PII vulnerable to potential hackers. Meeting basic cybersecurity standards is an ongoing challenge our nation is facing. With an increase in state-sponsored attacks, it’s important that both federal and enterprise organizations tighten up their cybersecurity programs to prevent sensitive data from falling into the wrong hands.
Here are some tips and tools for federal government agencies looking to beef up their cybersecurity program and ensure their organization doesn’t fall victim to hackers:
- Companies that handle PII are responsible for ensuring data confidentiality and properly securing data from breaches, leaks or tampering. There is a wide range of privacy regulations that govern how to collect, store and use PII. As such, organizations can be penalized for non-compliance and even risk losing customers for lack of trust. To protect PII, agencies should consider a Zero Trust architecture and begin moving to granular control over who is accessing specific data and applications, how they are accessing it, and from what. Implementing the least-privilege model limits who has access to certain data and allows you to assign access levels to sensitive data.
- Patching is key to heightened network performance. Patches are necessary to correct vulnerabilities in software, and applying them in a timely manner is critical. This ensures assets are not susceptible to attackers lurking on the network and keeps systems running smoothly, not to mention that patch management is necessary for adhering to compliance standards. If a critical system can’t be properly patched, it should be isolated from the Internet and from the remainder of the network to limit malware that exploits known vulnerabilities.
- Maintaining a list of the hardware and software used on agency networks is important for asset management and decision-making. Keeping a checklist makes this task much easier and ensures that all network hardware and software are up to date at any given time, limiting potential vulnerabilities. Asset management ranges from manual to automated and should incorporate vulnerability scanning and management as well as documentation of inter-dependencies to help with resiliency initiatives. As always, having visibility is the first critical step in securing any asset. Today’s tools in endpoint profiling, NAC, and newer Zero Trust and SASE solutions can also play an important role in discovering what’s on the network, both devices and applications.
- An asset management checklist (manual or from a vulnerability scanning tool) can also help companies identify legacy systems. One key indicator that hardware or software has become legacy is the absence of current support, patches, updates or maintenance. The decision to replace legacy systems comes down to business needs and requirements, but ultimately, it can lower costs, improve reliability and performance, provide greater agility and flexibility in meeting business requirements, and introduce digital capabilities.
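The patching, inventory and legacy-system tips above amount to one review that can be run over an asset list: flag anything whose vendor support has lapsed (or is unknown), flag critical patches that have sat unapplied past a policy deadline, and call out the legacy, Internet-facing systems that should be isolated. The script below is an added example, not from the Senate report or any vendor tool; the inventory entries, patch identifiers and the 14-day patch deadline are all constructed assumptions.

```python
"""Asset inventory review: flag legacy (unsupported) assets and overdue critical patches.

Added example with a constructed inventory; the policy values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: a critical patch is overdue when it has been available
# from the vendor for more than this many days and is still not applied.
CRITICAL_PATCH_SLA_DAYS = 14


@dataclass
class Asset:
    name: str
    owner: str
    # Vendor end-of-support date; None means nobody could establish one,
    # which for review purposes is treated the same as "unsupported".
    vendor_support_ends: Optional[date]
    # Critical patches not yet applied: (patch id, vendor release date).
    pending_critical_patches: List[Tuple[str, date]] = field(default_factory=list)
    internet_facing: bool = False


def is_legacy(asset: Asset, today: date) -> bool:
    """Legacy indicator from the text: no current support, patches or updates."""
    return asset.vendor_support_ends is None or asset.vendor_support_ends < today


def overdue_patches(asset: Asset, today: date) -> List[str]:
    """Patch ids that have been available longer than the SLA allows."""
    return [
        patch_id
        for patch_id, released in asset.pending_critical_patches
        if (today - released).days > CRITICAL_PATCH_SLA_DAYS
    ]


def review_inventory(assets: List[Asset], today: date) -> List[Dict]:
    """Return one finding per asset that is legacy or behind on critical patches."""
    findings = []
    for asset in assets:
        reasons = []
        legacy = is_legacy(asset, today)
        if legacy:
            reasons.append("legacy: no current vendor support")
        overdue = overdue_patches(asset, today)
        if overdue:
            reasons.append("critical patches overdue: " + ", ".join(overdue))
        if not reasons:
            continue
        # A legacy system that cannot be patched and is reachable from the
        # Internet is the case the text says should be isolated.
        if legacy and asset.internet_facing:
            action = "isolate from Internet and network"
        else:
            action = "schedule remediation"
        findings.append(
            {"asset": asset.name, "owner": asset.owner, "reasons": reasons, "action": action}
        )
    return findings


# Constructed sample inventory (names, owners, dates and patch ids are made up).
REVIEW_DATE = date(2021, 8, 16)
INVENTORY = [
    Asset("hr-db-01", "HR", date(2024, 6, 30),
          [("PATCH-CONSTRUCTED-001", date(2021, 7, 1))], internet_facing=False),
    Asset("legacy-mail-gw", "IT", date(2019, 1, 14), [], internet_facing=True),
    Asset("web-portal", "Comms", date(2023, 1, 1),
          [("PATCH-CONSTRUCTED-002", date(2021, 8, 10))], internet_facing=True),
    Asset("unknown-appliance", "unassigned", None, [], internet_facing=False),
]


if __name__ == "__main__":
    for finding in review_inventory(INVENTORY, REVIEW_DATE):
        print(f"{finding['asset']} ({finding['owner']}): {finding['action']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run as-is, the review flags three of the four constructed assets: the HR database for a patch 46 days old, the mail gateway as legacy and Internet-facing (isolate), and the appliance with no known support date (schedule remediation); the web portal, whose only pending patch is six days old, produces no finding. In practice the inventory would come from the scanning or NAC tooling the text mentions rather than a hard-coded list, and the unknown-support case is worth keeping: an asset nobody can place on a support timeline is exactly the kind of system the report found agencies had lost track of.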
Let’s get fresh! If your system is legacy, contact us today to discuss your options.