Two new reports show the dismal state of cybersecurity across US federal government networks. First is this report from the General Accounting Office, which found hundreds of its earlier recommendations haven’t been implemented by numerous federal agencies. While there has been some progress since it last review these procedures, much work remains to secure our federal systems.
And more recently is this report from the Senate Homeland Security committee is now out. Despite years of warnings, federal agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards. We all knew that the feds were lax when it came to implementing better cybersecurity practices, but the lack of many basic security practices is alarming.
Here are nine things that most federal departments don’t do and that your company should implement.
1. Maintain an accurate and current IT asset inventory, including apps and OS versions. Do you know where all your critical apps are, and who is responsible for them? How about where outdated systems (Windows XP anyone) still live and lurk? If you don’t know, you will need to find this out, and the sooner the better.
2. Patch quickly and constantly stay up to date with them. Microsoft issues patches weekly on Tuesdays. Adobe is also generous (ahem) with its patches. But you need to get into the regular habit. Some major cyber attacks happened because businesses — some very big ones at that — took a couple of weeks to get around to doing them. (Remember WannaCry?
3. Know your risk factors and assess them regularly.
I have written lots of articles about assessing risk, including this one for CSOonline
. The key word in this task is being regular. If you are running an online business, your applications are continuously changing, and that means you need to audit these risks and ensure that something isn’t missed. The GAO report found that “while many agencies almost always designated a risk executive, few had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.”
4. Do you track unauthorized users’ access to your systems? It is a simple yes or no answer, but often we don’t know enough to be sure. So many attacks happen because the bad guys have gotten into our networks months ago, and had time to mess around with things before we found evidence of the intrusion.
5. Have you implemented any multi-factor authentication methods? One way to shore up your access is to use MFA. This is gaining traction but still far from universal, whether that be inside government or out.
6. Do you protect your personal identifying information (PII) and do you know when you don’t? It is important to first understand where you can find your PII, who has control over this data, and who has control over protecting it.
7. Do you have a CIO or does anyone have that role carry the authority to fix any of the above problems? While many small businesses don’t have budgets to hire a full-time CIO, someone has to take on the job — either inside the company or as a consultant. Make sure the authority to make improvements is also part of the job.
8. Do you know your IT supply chains well enough? The recent ransomware attacks have shown that many businesses haven’t developed any procedures to ensure that they are protected from these sorts of attacks.
9. Have you read and implemented the NIST standards docs?
What, you don’t know what I am talking about? Back in April 2018, the National Institute of Standards published its Framework for Improving Critical Infrastructure Cybersecurity.
Speaking of improving supply chains, another NIST document
is worthy of your attention — it lists a bunch of mitigation measures for this particular scourge. While a lot of both documents is written in government mumbo-jumbo, the basics are all spelled out how businesses can reduce the risk of cyber attacks.
Good luck with improving your defenses.