What We Can Learn From U.S. Cybersecurity Failures
That’s the number of cyber incidents reported in 2017 alone, according to new research released by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee. Titled Federal Cybersecurity: America’s Data at Risk, it paints an incredibly troubling picture.
“Government agencies still seem to be struggling with the basics,” Jake Olcott, vice president of government affairs at cybersecurity company BitSight said to Fortune. “This has been a problem for decades. What’s interesting about this report is that it rightfully provides the scope of the problem.”
It also provides a framework for businesses that want to be more conscientious with their own cybersecurity practices. Even though it’s troubling that federal agencies have displayed this degree of negligence, that’s a small silver lining at least. In broad strokes, insights from the report are as follows:
- Update. Patch. Repeat. Per the report, the Department of Transportation uses a 48-year-old system for the reporting of hazardous materials incidents. The Department of Homeland Security runs Windows XP and Windows 2003, in spite of the fact that Microsoft no longer supports either. Given that the vast majority of successful attacks target vulnerabilities that are at least several years old, it’s imperative that you keep everything up to date, and do away with legacy infrastructure.
- Keep a proper inventory. For many of the agencies surveyed in the report, visibility was another point of failure. They barely knew what hardware and software was present on their network. Don’t make the same mistake. Ensure you have total visibility into everything that’s present on your network, from hardware and software to files.
- Don’t neglect mandatory patches. Critical security updates are released for a reason. Your organization’s patch cycle must account for this. The agencies surveyed in the report failed to patch reported vulnerabilities in a timely manner.
- Hire the right people. One of the key takeaways of the report was that many of the agencies failed because they didn’t have the right expertise on-staff. Federal agencies lacked - and still lack - skilled cybersecurity professionals. As such, the first step to addressing this issue within your own organization is to make sure you have the right people in place.
It’s sobering to think that federal agencies have been so lax with their cybersecurity for so long. But that will soon change. In the meantime, the report can be used as a litmus test of sorts for our own cybersecurity failings - a guidebook on what not to do.