Read the Top 10 Non-Tech Cybersecurity Problems

Cybersecurity is not just about digital tools; many security failures have to do with people or processes. That is why Matt Bishop, co-director of UC Davis’ Computer Security Library, and Bob Smock, vice president of consulting security and risk management for Gartner, laid out the top 10 non-technology cybersecurity challenges at Tuesday’s Cybersecurity Education Summit.

“In our program evaluations, what we typically find is that a full two-thirds of our findings have nothing to do with technology. It’s all people; it’s all process,” Smock said.

1. Change Management

Consistent and comprehensive teams that can look at how systems are changing, and how those changes affect all other systems, are important. This can extend from making sure no system is forgotten during patches and updates to communicating between developer teams as updates are created.

“As critical changes are made to your infrastructure, you have someone with a security eye looking at it, to gauge, not the impact necessarily of the change itself but the downstream impact to other systems, other pieces of data, other processes,” Smock said.

2. Internal Network Transmission Protection

Many entities focus on external-facing security with limited internal protections. This means that once an actor, whether it is an external or internal threat, is in, they can take advantage of minimal network security.

3. Hard Copy Data Protection

“This is one of the most overlooked data leakage opportunities that we see in the country. Everyone seems to have taken on the mantra of protecting their electronic data and have forgotten the stacks of paper that they still use,” Smock said.

Digital data is often well-secured, but many agencies do not securely dispose of documents.

“Think dumpster diving: It’s very primitive, very crude, extremely not technical and very effective,” Bishop said.

4. Event Management

Finding a comprehensive security perspective will offer analysis where people cannot.

“The lack of complete view is critical here. And it’s not just the lack of view of what the attacker did, it’s lack of view of the effects. If one system is broken into, don’t confine your analysis to that system. Look where it goes,” Bishop said.

5. Insufficient Security Resources

Finding ways to increase the ability to maintain minimum due diligence through leveraging tools will simplify things.

6. Identity and Access Management

Remote access to lock out users is important, but so is being aware of name collision, when two people have similar names or logins.

7. Mobile Data Protection

A forgotten laptop or device can be encrypted or remotely disconnected, which up to 96 percent of Gartner customers know since they have lost devices.

8. Business Impact Assessment

“There seems to be a disconnect between the IT guys and the business guys,” Smock said.

Not understanding how important data loss or business processes are can negatively impact the business’ reputation.

9. Secure System

Building in transaction assurance to code is part of keeping a system secure.

“It takes time; it takes a lot more testing and a lot more effort,” Bishop said.

10. Database Protection

Up to 99 percent of Gartner customers, according to Smock, have seen breaches with big data.

“Big data is an important issue. Yes, it should be encrypted. Big data is the number one problem we see most people not doing in public sector today,” Smock said.

“Compliance,” he added, “does not equal security.”

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.