Effective Security is Adaptive Security
Protecting the public sector has arguably never been more complicated than it is today.
By: Michael Musick
Whether it is government agencies or higher education institutions, public sector organizations are increasingly coming under attack. According to a survey by consulting firm PricewaterhouseCoopers (PwC), in 2015, the number of detected security incidents jumped 137 percent from the prior year. In addition, estimated financial losses as a result of security incidents climbed 27 percent compared to 2014.
The situation is exacerbated by a lack of budget, time, and expertise, and demands a non-traditional approach to thinking about security that can meet the evolving nature of threats public sector organizations are facing. The key is for organizations to adopt a new security model that can change as policies, procedures, infrastructure and increasingly advanced threats change and evolve. We align our approach with Gartner’s Adaptive Security Architecture Framework, a malleable security strategy designed to help organizations take a broader, more effective approach to securing their people, process and data.
Time for a Change
One of the biggest challenges affecting the public sector is comprehensively addressing issues of risk and security while balancing the need to put out cyber-security fires as they arise. Due to the volume and the sensitivity of information involved, educational institutions often have it worse than others. In fact, an article from Security Magazine cited data from security vendor SysCloud that asserted 35 percent of all security breaches occur in higher education.
The constant pressure applied by the ongoing attacks makes it easy for organizations to get lost in the daily grind of blocking, tackling and responding to incidents. When attacks occur, an organization’s data, funds, and reputation are on the line, and a board of directors is much more likely to be swayed to spend budget on mitigation and eradication tied to a breach that has just occurred. Ironically, this makes focusing on the larger, strategic cybersecurity initiatives needed to protect your environment that much more difficult. After all, focusing on solving a breach that has just happened only prepares you to deal with yesterday’s threats; it does not make you ready for today’s or future attacks.
To break that cycle, organizations need to understand their risk and begin aligning their processes around four key areas that form the foundation of the adaptive security approach: prediction, prevention, detection, and response.
Adopting the Adaptive Security Model
Approached correctly, adaptive security can adapt to the evolving policies, procedures, infrastructure, and threat landscape facing the public sector. For it to work, organizations need to assess their cybersecurity risk and determine their risk tolerance, which will guide budget conversations related to security.
You also need to understand your entire environment and where assets such as servers, routers, and applications are located and housed on your network. One of the critical challenges facing public institutions in particular is knowing where data resides in an institution where individual departments may have high levels of control over assets and information as opposed to being centralized under an organization-wide strategy. Once you understand where your assets and information are, a vulnerability assessment can help identify how and where the attackers might sneak in.
Threat intelligence is a key aspect of the predict, prevent, and detect pillars of the strategy. With the help of the right partners, organizations can leverage information about the tactics, techniques, and procedures of attackers to spot them before critical systems are accessed and data is stolen. Knowing, for example, that a specific hacktivist group likes to launch DNS reflection attacks can help the security team build a more robust defense.
Using the adaptive security model, organizations can better define their strengths and weaknesses. Focusing too much on perimeter controls is one of the traditional missteps public sector organizations make and is often the result of organizations putting out fires and then basing their budgets and security investments on those incidents. Changing the approach can effectively help avoid common pitfalls like this and help organizations more accurately assess what they are doing well and what aspects of security may require more strategic investment or third-party assistance.
Every organization has its own unique challenges, but by adopting adaptive security, your organization can make sense of its environment, understand its risks, and make smarter decisions about where budget, time, and resources are allocated.