Fending off cyberattacks from external sources is difficult enough; when breaches originate from within an organization, the challenge of protecting information becomes harder still.
While U.S. government agencies have intensified their use of cybersecurity control technologies, it appears that improved technology will fall short of meeting the security challenge unless the implementation is user-friendly.
In a recent survey of federal cybersecurity professionals, respondents reported that half of all agency security breaches were caused by a lack of user compliance — that is, employees ignored or took shortcuts around available cybersecurity controls and tools.
If cybersecurity controls are too cumbersome to use, or if they interfere with an employee's ability to perform at a satisfactory level, there is a good chance that the controls will be bypassed, the survey indicated.
End Users Take End Runs
The study, which was conducted by MeriTalk, compared what cybersecurity professionals report about their agency’s security with what end users — federal workers — actually experience. Federal agencies often fail to take the user experience into account when deploying cybersecurity solutions, it found.
“As a direct result, end users often circumvent security measures and open their agencies up to data theft, data loss, and denial-of-service attacks,” MeriTalk says in summarizing its findings.
Federal cybersecurity specialists are intensely worried about threats to their IT systems, according to the survey, which was underwritten by Akamai Technologies. For example, 74 percent of respondents said they were not prepared for an international cyberattack. More than 70 percent said they were unprepared for such challenges as coping with a denial-of-service attack, providing adequate cloud security, or securing the use of mobile devices.
Asked to rank various challenges on a scale from lowest to highest, 74 percent of respondents said their top priority was preventing data theft, followed by ensuring a thorough Web security strategy (56 percent). Providing a user-friendly experience across all security applications came in last on cybersecurity professionals’ list of priorities with only 40 percent reporting it as a top concern.
Nearly two-thirds of end users believed the security protocols at their agency were burdensome and time-consuming, while 69 percent said at least some portion of their work took longer than it should have due to security measures.
Nearly 20 percent of end users could recall an instance when they were unable to complete a work assignment on time because of a security measure, according to the survey. As a result, 31 percent used some kind of security workaround at least once a week.
The functions most often associated with breaches are the same ones used in ordinary IT tasks: surfing the Web, downloading files, accessing networks, transferring files and uploading files. The end user applications that are hardest to secure on agency workstations are email, external websites and the Internet, the same tools that more than 80 percent of end users rely on daily.
“More security rules, more security tasks, and more security delays have done little to drive more user buy-in for cybersecurity,” said Tom Ruff, vice president for the public sector at Akamai. “Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security.”
In addition to technology improvements, work practices and agency culture need attention, said MeriTalk founder Steve O’Keeffe.
“Agencies must focus on vigilance instead of compliance. Cybersecurity is not a one-size-fits-all check box; it is a discipline. If we empower cybersecurity professionals to respond to the challenge with vigilance rather than paperwork, agency culture — and end user behavior — will follow,” O’Keeffe told the E-Commerce Times.
“In addition, cybersecurity pros must work closely with agency leadership and end users to understand their business processes and goals, and then develop policies and implement technology that work with them rather than undermine them. This ongoing dialogue — coupled with regular end user education — is necessary for agencies to cultivate a shared commitment to ensuring security,” he said.
The Federal Buzz: Big Blue Capitol; Cybersecurity Plan
Big Blue Sets Federal Center: To boost its presence in the federal IT market, IBM has set up a facility to support the adoption of cloud computing by the U.S. government. The company’s new Federal Cloud Innovation Center in Washington, D.C., is designed to bring IBM’s cloud computing research efforts closer to federal agencies to develop specialized technologies and methods for building mission-ready clouds.
“The center will serve both as a research hub and education center for our federal clients and partners. Via the center, IBM will tap the expertise of company researchers and other domain experts to work directly with clients on cloud technology projects,” Jane Snowdon, chief innovation officer at IBM Federal, told the E-Commerce Times.
The center will draw on the expertise of more than 500 IBM professionals assigned to the facility, including consultants, researchers, IT infrastructure architects and software developers. Consultants with agency-specific expertise will also be on staff to help each federal agency take advantage of the cloud quickly and effectively.
Specific capabilities will include Software as a Service, Platform as a Service, Infrastructure as a Service and Business Process as a Service. In addition, the center will offer assistance in cloud security measures, and provide resources related to the use of open standards.
“A big focus will be on helping agencies understand how they can build clouds using emerging open standards which help them avoid building dead-end clouds,” Snowdon said.
IBM's move aligns with an Obama administration effort to improve interaction with the private sector. The administration even set a policy goal of dispelling the myths that make federal IT personnel reluctant to engage with commercial providers, especially during the acquisition process.
While IBM established the center on its own merits, the company “understands that education is an important part of improving the procurement process,” Snowdon said. “The private sector has a tremendous amount of resources available for the government, and the IBM center is one way we feel we can share and collaborate in an open way with our government partners,” she said.
Cybersecurity Framework: The National Institute of Standards and Technology has released its preliminary cybersecurity framework to help critical infrastructure owners and operators reduce risks in industries such as power generation, transportation and telecommunications.
NIST will hold a workshop to discuss the framework on Nov. 14 and 15 at North Carolina State University. NIST is aiming to release the official framework in February 2014, as called for in an Obama administration executive order.