Much has been written about the tools that agencies should employ to protect their critical data against cyberattacks, but the most valuable asset – people – is often overlooked. In this case, “people” includes not just the folks in IT but almost all agency employees – in essence, anyone who manages or has access to a network. It’s everyone’s responsibility to protect our government’s data.
That’s the message of the STOP. THINK. CONNECT. campaign, which is an appeal for individuals to play a more significant role in Internet and network security. It’s designed to encourage all Internet users to be more vigilant about practicing safe, online habits; ensure that Internet safety is perceived as a shared responsibility at home, in the workplace, and throughout our communities; and transform the way the public and private sectors and the US federal government collaborate to make cybersecurity a reality.
That message should resonate particularly well with those who are protecting some of our country’s most valuable data. These individuals must be continually vigilant about how that data is used and who’s accessing it. They must also be sure they’re following strict protocols to ensure their agency’s information remains safe.
Technology plays an important part in network defense, but at the end of the day, it’s the people who work for an agency who make the difference. From network managers in charge of monitoring traffic to staff using their smartphones for email and everyone in between, personnel are the most important components of an effective, three-phase approach to cybersecurity.
Phase 1: Preventing an attack
A major component of preventing a cyberattack involves educating personnel to ensure they are cognizant of the importance of security and the role each of them plays in protecting data. This is much harder than it sounds when even IT administrators can feel somewhat removed from data protection if security is not their primary responsibility.
Part of this involves creating an actual written cybersecurity plan that can be disseminated to the entire IT team. That plan needs to clearly delineate the security guidelines for the entire agency, including the types of devices that can be used on the network, guidelines around using removable storage devices like USB drives, and more.
Those rules need to be clearly communicated to every member of the agency, so that they have an understanding of what is and is not allowed. Doing this will give everyone a perspective on how their daily actions can impact the agency’s security goals.
These lines of communication must remain open at all times. Any change in security procedures must be clearly shared with the organization. Education in the classroom has its place, but must be complemented with continued reinforcement in the real world. Most employees have no visibility into the vectors of network penetration, or what is at stake when someone gets access to their administration network, but they need to understand the risks they introduce to their agency through seemingly innocent actions.
IT teams also need to ensure that they regularly practice how to respond to a cybersecurity breach. For example, fire drills, similar to those that may be implemented for disaster recovery training, should take place fairly regularly to ensure that everyone remains aware of what to do in case of an emergency.
Managers should also perform occasional internal audits to make sure individuals are following the correct procedures. It’s human nature to forget something that was taught three months ago; that’s what happens when other priorities take precedence. Check-ins can help ensure that a focus on security remains top-of-mind.
IT personnel will need to be furnished with the appropriate tools to help them thwart and respond to potential attacks. As such, managers must assemble a collection of software solutions to monitor and maintain the health and security of the network. Network monitoring, log and event management, patch management, and network configuration tools should all be put in place to alert administrators to potential threats, and help them to quickly respond to any issues that may arise.
Phase 2: Responding to an attack
Reaction time is critical during an attack. A slow response can lead to data being compromised and significant network downtime, neither of which is acceptable. Therefore, it’s important for managers to be able to respond with haste and attempt to identify and rectify the problem in real time, before any major damage occurs.
The first order of business is to use the aforementioned software to identify where the breach may have occurred and address the intrusion. For instance, log and event management solutions can help mitigate issues through active responses and alerts, pinpoint where a particular threat may be occurring on the network, and automatically cut off access to a device or user. Device tracking software can work in tandem with these solutions to identify specific users and devices that may be to blame, making it easier for teams to hunt down the root of the problem.
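To make the “alert, pinpoint, cut off access” pattern concrete, here is a small added example of the kind of correlation rule a log and event management tool runs. It is not code from the article or from any SolarWinds product; the log lines are constructed sshd-style records, and the threshold, window and action names (`alert`, `block_source`) are assumptions chosen for illustration. The rule counts failed logins per source address in a sliding window, raises an alert when the count crosses the threshold, and escalates to a block recommendation if a successful login then arrives from the same source, since that is the signature of a guessed password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style sshd lines); not real agency data.
SAMPLE_LOG = """\
Mar 12 02:14:01 gw01 sshd[4021]: Failed password for admin from 10.20.5.77 port 51022 ssh2
Mar 12 02:14:03 gw01 sshd[4021]: Failed password for admin from 10.20.5.77 port 51023 ssh2
Mar 12 02:14:04 gw01 sshd[4021]: Failed password for root from 10.20.5.77 port 51024 ssh2
Mar 12 02:14:06 gw01 sshd[4021]: Failed password for admin from 10.20.5.77 port 51025 ssh2
Mar 12 02:14:07 gw01 sshd[4021]: Failed password for admin from 10.20.5.77 port 51026 ssh2
Mar 12 02:14:09 gw01 sshd[4021]: Accepted password for admin from 10.20.5.77 port 51027 ssh2
Mar 12 02:20:10 gw01 sshd[4099]: Failed password for jsmith from 10.20.7.12 port 40110 ssh2
Mar 12 02:31:55 gw01 sshd[4120]: Accepted publickey for jsmith from 10.20.7.12 port 40200 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for <user> from <ip>" message shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None if it does not match.

    Syslog timestamps carry no year, so a year is supplied (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse syslog's double space on days < 10
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: alert} for sources exceeding `threshold` failures in `window`.

    An alert starts with action "alert" (pinpoints host, source and targeted users).
    If a successful login from the same source follows within the window, the
    action is escalated to "block_source", the equivalent of the automatic
    cut-off the text describes. Threshold and window are assumed tuning values.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) for recent failures
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unrelated log line; a real pipeline would route it elsewhere
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and ts - q[0][0] > window:  # expire failures outside the sliding window
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src, {"host": ev["host"], "first_seen": q[0][0], "action": "alert"})
                alert.update(last_seen=ts, failures=len(q),
                             users=sorted({u for _, u in q}))
        elif ev["result"] == "Accepted" and src in alerts:
            # Success right after a burst of failures: treat as a likely guessed password.
            alert = alerts[src]
            if ts - alert["last_seen"] <= window:
                alert["action"] = "block_source"
                alert["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

Two points a practitioner would want noted. First, the rule pinpoints the offending source and the accounts it targeted, which is what lets a device tracking tool map the address to a specific user or machine. Second, an automatic `block_source` action needs a safety valve in production: a mistyped password followed by a correct one from a legitimate administrator looks similar to a successful guess, so a real deployment would raise the threshold, exempt known management hosts, or require a second signal before cutting access.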
However, tools are only as good as the training and procedures that have been put in place. IT administrators still need to be highly skilled in the art of managing a security situation. They need to be ready to astutely manage software during a crisis, reacting and adapting to dynamic threat environments that can change literally within seconds.
They must also be on call and available. Attacks don’t necessarily happen during business hours, so backup coverage is essential. For example, what if an attack happens on a holiday or when a team is short-staffed? Will there be someone there, ready to react? How fast can they respond? These are not questions security managers will want to have to ask in the heat of the moment.
Phase 3: Attack post-mortem
Once things cool down, managers should perform a post-mortem on the situation. During this phase, they can explore what caused the breach, how teams reacted, the outcome, and how things can be handled better in the future.
This is the point where everything must be assessed, including security plans, regulations and procedures, reaction times, and the solutions that were used. This is the opportunity to get better, even if things went well. In particular, it’s the time when managers should review the processes they put in place in Phase 1 – before the breach initially occurred – and determine how to enhance their policies and communicate with all personnel to ensure it doesn’t happen again.
Finger-pointing is one thing that should not happen during the post-attack phase. It should not be about assigning blame or finding a scapegoat. The reality is, if a breach happens, very rarely is a single person ever at fault, assuming the organization is generally composed of well-intentioned employees. Security issues are the purview of the entire agency. As such, managers should look for ways to make the entire team better by helping them become more aware of the threats that are out there, and helping them do the best job possible to keep those threats at bay.
Joel Dolisy is a Senior Vice President and CTO/CIO at SolarWinds, an IT management software provider based in Austin, Texas. With more than 20 years of experience and a proven track record of driving development organizations to support growth of software companies, Joel leads the SolarWinds engineering group where he brings his deep and broad experience in setting technology and technical strategies for both products and platform infrastructure projects. Joel is also a key partner in defining the product strategy for the company, both from an organic development and an M&A standpoint. He is responsible for the strategy and delivery of the internal business and online systems that SolarWinds relies on for its daily operation. Joel has worked for various IT management software companies in the US for the past 16 years, including NetIQ. Before calling the US home, Joel worked several years for companies such as Philips electronics in Belgium working on multimedia platforms.