APR - JUN 2019

to reduce the patching and upgrade workload for public sector IT staff.

Legacy Applications

Custom legacy applications require additional effort to secure, and assessment of their risks and vulnerabilities is the responsibility of the organization that developed them. What appears secure and safe today may not be the case tomorrow, as risks and vulnerabilities evolve rapidly. Custom legacy applications can be replaced or moved to cloud platforms that provide more elaborate security layers, such as Salesforce, Microsoft Azure, AWS, or Google. A technology ecosystem needs to adopt standards with these platforms that can simplify development of custom applications when they are needed and reduce overall risk.

Governance and ITIL

A strong IT governance program and best practices from the ITIL (Information Technology Infrastructure Library) framework are an important part of a secure technology ecosystem. Formal IT governance standards ensure that new technology solutions align with the rest of the technologies in use and can be operated securely. Best practices from the ITIL framework maintain change management controls that prevent unauthorized changes to firewalls, servers, or other systems that can pose significant risks if compromised.

Awareness Training

A secure technology ecosystem is still vulnerable if users are not trained to recognize phishing emails, business email compromise scams, or other daily cyber risks. Many breaches begin with a user opening an email attachment carrying malware or following a link to a malware site. Annual cyber awareness training should be provided to maintain organizational awareness and reduce the risk of a compromise. Many organizations conduct periodic tests of their awareness training by sending test phishing emails to determine how many employees open questionable attachments or follow suspicious links. This strategy can help organizations provide remedial training to those that just can't resist clicking away at suspicious emails.

Information Sharing

Another important strategy for public sector cyber security is information sharing and partnerships with organizations like the FBI and MS-ISAC (Multi-State Information Sharing and Analysis Center). These partnerships can provide current information about risks and vulnerabilities that are impacting public sector organizations, along with recommendations for prevention and remediation.

Don't Forget the Fish Tank

New IoT (Internet of Things) devices are rapidly being adopted and provide real-time data and new capabilities in operations and service delivery. New IoT sensors, HVAC systems, cameras, and even the Amazon Alexa are making their way into technology ecosystems, but many come without stringent security standards. Recently a casino was hacked through a thermometer in a fish tank in the lobby. The thermometer was an IoT device that provided temperature monitoring but lacked the security needed to keep attackers from compromising it. Hackers found the vulnerability and pulled a database of information on high-profile customers out of the casino and up to the cloud. IoT devices need the same security controls and monitoring as any other technology asset. Too often organizations regard these conveniences as low-risk solutions, but attackers may find these IoT devices to be the easiest way into critical systems.

The Only Constant is Change

Cyber security and management of organizational risk will need to continue evolving alongside the new risks and vulnerabilities that attackers leverage each day. The public sector needs to remain agile, adopt new strategies to counter evolving risks, and make cyber security a priority for every single person in the organization.

Jonathan Behnke
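The fish tank story above comes down to two things a monitoring control would have caught: an IoT device reaching into a subnet it has no business in, and a thermometer pushing far more data out to an unexpected Internet host than a temperature sensor ever should. The following Python script is an added example written for this article, not code from the author or from any vendor; it shows what "monitoring like any other technology asset" can look like for an IoT segment. The subnets, the per-device allow-list of vendor endpoints, the byte threshold and the flow-log lines are all constructed for illustration.

```python
"""Egress monitoring for an IoT network segment (added example, constructed data).

Flags IoT devices that (a) connect into the critical-systems subnet,
(b) talk to an external endpoint that is not on the device's allow-list, or
(c) send more bytes out per window than a sensor plausibly should.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed): IoT devices live in their own VLAN and
# the databases and file servers live in a separate, more sensitive subnet.
IOT_SEGMENT = ip_network("10.50.0.0/24")
CRITICAL_SEGMENT = ip_network("10.10.0.0/24")
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]  # everything else inside the org

# Per-device allow-list: the only external (dst, port) pairs each IoT device is
# expected to reach, e.g. its vendor's telemetry service. Constructed values.
ALLOWED_EGRESS = {
    "10.50.0.21": {("203.0.113.10", 443)},                          # fish-tank thermometer
    "10.50.0.33": {("203.0.113.10", 443), ("203.0.113.20", 8883)},  # HVAC controller
}

# Outbound bytes per reporting window above which a device is flagged; a
# thermometer sending temperature readings should never come close. Constructed.
EGRESS_BYTES_THRESHOLD = 5_000_000


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    src: str
    reason: str
    detail: str


def parse_flow(line: str) -> Flow:
    """Parse one flow-log line in the constructed format 'ts src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def analyze(flows) -> list:
    """Apply the three IoT egress rules and return the alerts in detection order."""
    alerts = []
    egress_totals = defaultdict(int)
    for f in flows:
        src = ip_address(f.src)
        if src not in IOT_SEGMENT:
            continue  # only traffic originating from the IoT VLAN is in scope here
        dst = ip_address(f.dst)
        if dst in CRITICAL_SEGMENT:
            # A sensor has no reason to open connections to the database subnet.
            alerts.append(Alert(f.src, "iot_to_critical", f"{f.dst}:{f.dport}"))
            continue
        if any(dst in net for net in INTERNAL_RANGES):
            continue  # other internal traffic is left to other rules
        if (f.dst, f.dport) not in ALLOWED_EGRESS.get(f.src, set()):
            alerts.append(Alert(f.src, "unexpected_egress", f"{f.dst}:{f.dport}"))
        egress_totals[f.src] += f.bytes_out
    for src, total in egress_totals.items():
        if total > EGRESS_BYTES_THRESHOLD:
            alerts.append(Alert(src, "egress_volume", f"{total} bytes"))
    return alerts


# Constructed flow log: the thermometer first reports normally to its vendor,
# then probes a database server, then ships ~9.8 MB to an unknown host.
FLOW_LOG = """\
2019-05-01T10:00:00 10.50.0.21 203.0.113.10 443 1200
2019-05-01T10:00:05 10.50.0.33 203.0.113.20 8883 900
2019-05-01T10:01:10 10.50.0.21 10.10.0.5 1433 4200
2019-05-01T10:03:30 10.50.0.21 198.51.100.77 443 9800000
2019-05-01T10:04:00 10.10.0.5 10.10.0.8 445 300000
"""


def run_example() -> list:
    """Run the rules over the constructed log and return the resulting alerts."""
    flows = [parse_flow(line) for line in FLOW_LOG.splitlines() if line.strip()]
    return analyze(flows)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.src}  {a.reason:18s}  {a.detail}")
```

Run as-is, the script raises three alerts, all for the thermometer at 10.50.0.21: the connection into the critical subnet, the connection to a host not on its allow-list, and the outbound volume for the window. The allow-list approach is deliberate: for an appliance whose legitimate destinations are a handful of vendor endpoints, "anything else is an alert" is both simpler and more reliable than trying to characterise malicious traffic.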