Dark Reading is part of the Informa Tech Division of Informa PLC


10:30 AM
Greg Kushto

4 Security Lessons Federal IT Pros Can Teach the Private Sector

With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here's how.

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an Internet connection can now launch a cyberattack from anywhere in the world by just pressing a button.

How can IT professionals effectively stretch their limited resources across their entire security domain? This is a dilemma that federal agencies have been dealing with for decades, and their solutions are something that anyone building a security infrastructure in the private sector should consider.

Lesson 1: Focus on the Fundamentals
Government agencies are responsible for some of the most sensitive information on the globe. What makes public sector cybersecurity more effective than a private enterprise with five times their overall IT operating budget? They know where to focus their limited resources, and they do the heavy work up front.

Private sector IT teams often fall victim to a common problem: being reactive instead of proactive in their approach to cybersecurity. In many cases, it's only after a breach that a company will decide it's finally time to invest in security infrastructure. Unfortunately, by that point, the goal is no longer to prevent an attack. It's to prevent it from happening again.

This reactive approach in the private sector often stems from the notion that since the organization has never been attacked before, there is no reason to spend precious resources planning for something that may not happen at all. With competing IT priorities, private sector organizations often choose to put off spending money on security tools.

The reality, of course, is that no organization can afford to wait. Worse, an organization that holds off on creating a robust security infrastructure until it is hit by its first attack will spend much more time and resources remediating the threat than it would have spent preventing the threat. By 2021, cybercrime will be a $6 trillion industry. Organizations should do all they can now to avoid becoming a part of that statistic.

Lesson 2: Know Your Weaknesses
Every organization or business has unique vulnerabilities. Security teams should focus their cybersecurity efforts on the weakest areas to get the most out of their security investments.

For example, ransomware attacks usually target small and midsize businesses, local governments, and other organizations without strong backup strategies in place. Conversely, most small and midsize businesses will never need to worry about being the focus of an attack signature coming out of a foreign nation-state. For the US government, however, counter-intelligence is a constant threat.

With a little research and some basic planning, organizations can triage potential threats and immediately make huge strides in protecting against the most prominent cybersecurity concerns facing them and their industry.

Lesson 3: Create a Culture Around Security
Protecting citizen data and other sensitive information is a core part of the mission for most federal agencies, and everyone who interacts with that data is responsible for it — not just the IT team. Federal employees all recognize security concerns. Private sector organizations have a tendency to silo security, making protection the job of a select few. However, as the saying goes, a chain is only as strong as its weakest link, and every person in the organization represents a link.

Conversely, not having a mutual understanding of security culture across the organization can become problematic quickly. For example, it's easier today than ever before for just about anyone to procure working space outside of their organization's environment, whether that be spinning up an Amazon Web Services spot, creating a shared drive, or opening up a survey. Each of these instances opens up another attack surface that an organization's IT team may not even be aware of. Everyone, including federal agencies, can do better at preventing shadow IT on their networks by getting out in front of it with bring-your-own-device policies and regular communication with the business around IT needs and priorities.

In addition to having a strong internal culture of security, the federal government makes a habit of sharing information externally, not only with its own government sector but across the whole of government. Private enterprises often shy away from being public about security breaches or they work only with similar businesses to share security information. The problem with this approach is that security teams are unaware of many avoidable security threats that could have been stopped with a larger and more open communication network.

Lesson 4: Take Advantage of Security Resources
The government has dedicated a significant amount of resources to developing security guidelines that are publicly available. Examples include the NIST Special Publication series, which deals with issues in cybersecurity policy and procedures; the NIST Cybersecurity Framework, which gives a great example of how to create an overall security architecture; and US-CERT, an agency which provides ongoing updates around current cybersecurity issues. Anyone can review these guidelines and get solid recommendations on how to build a cybersecurity framework, how to staff it, and how to maintain it. These resources are a great place for organizations to start and will go a long way toward keeping them safe from cyberattacks and security breaches.


Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...

User Rank: Moderator
10/25/2019 | 11:03:43 AM
Three Lessons --What about the second 3?
Ummm, if there are two #3 lessons, shouldn't there be 4 lessons total?  Or 3 lessons just sounds better than 4?