OpenGov recently had the chance to speak to Mr. Aravindan Anandan, Consulting Systems Engineer, Asia Pacific, Barracuda Networks, on the current threat landscape facing the public sector and what he advises organisations to do in order to better protect themselves.
What do you see as trending right now in the Cyber Security realm?
Cybercrimes tend to occur in places with a high concentration of wealth and relatively porous cyber defences, and attackers continue to increase in reach and creativity.
Threats from third-party providers: multinational companies with long supply chains are more susceptible to cybercrimes as they offer more potential points of attack. A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality and integrity being compromised.
Increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification.
In Asia-Pacific, the attacks are becoming increasingly sophisticated and Advanced Persistent Threat (APT) attacks have become a major concern over the last two years.
At the heart of this, the focus on the threat vectors seems to be the same though. Users, mobile devices and the web form some of the most sought-after threat vectors.
What solutions do you provide to the public sector?
From a security perspective, the public sector faces more or less the same challenges as the other industries. They are increasingly adopting web technologies and focussing on moving resources to the internet. So application security solutions are much needed.
What do you feel is the most critical mistake that public sector agencies make when planning their security strategy?
Failure to view data security as a "business problem" and not just an "IT problem"
Emailing unencrypted data, having unencrypted data on mobile phones and taking sensitive data home on work computers
Not holding employees accountable. It's crucial to make sure everyone in the company understands how important it is to use effective cyber security practices. It is also a good idea to provide an online security manual and ask employees to sign an acknowledgement form after training to indicate they understand and will abide by company policies
There is not much emphasis given to some of the newer security challenges, so to speak. These could be attributed to knowledge updates among the staff but there is clearly a lack of focus on channelized usage of BYOD, application security practices etc.
What are your strengths when dealing with government data security?
Barracuda provides all the cutting-edge security and data protection solutions needed to deploy effective Defense in Depth as a seamless network fabric
Products and cloud services integrate security, performance optimization, and data loss prevention (DLP) to simplify network architectures and minimize technology costs
Barracuda logging and reporting features minimize the time your IT staff spends on forensic analysis of cyber attacks, gaining clear visibility into network activity, and providing proof of regulatory compliance
Barracuda security engineers work 24/7 to identify threats and create Energize Updates that let our solutions block zero-hour threats in real time
As a single point of contact for cyber security and data protection, Barracuda simplifies procurement and tech support ― without phone trees ― saving time and effort
Most of the Barracuda solutions offer options to setup policies to filter or monitor sensitive information. This spans our security and storage solutions. The fact that all our products are available in multiple form factors (hardware, software, virtual appliance and SaaS) is also a big positive.
What suggestions do you have for agencies adopting BYOD policies?
According to a recent Gartner survey, smartphones are the most favored devices for employees to use for work, bypassing even laptops.
There are over 1 billion smartphone users worldwide and it is expected that this year there will be 1.3 billion more tablets and smartphones sold. Added to this, an increasing number of organizations are implementing Bring-Your-Own-Device (BYOD) policies
To mitigate potential risks, agencies must make mobile security a part of their overall network security strategy. They should ensure that corporate network policies extend to employee owned devices. They should also implement mechanisms to secure, regulate and monitor access to corporate resources and data from these devices
Organisations can secure their own infrastructures from hackers by installing the NG Firewall where it helps to safeguard network traffic against line outages and link quality degradation
For IT administrators, it is paramount to ensure that employees fully understand the imminent need to secure their personal device when used for work. This is especially important as cyber-attacks on mobile devices are increasing, resulting in data loss, security breaches and compliance/regulatory violations
It should be understood that the advantages of using BYOD far outweigh the disadvantages and therefore there should be a wider acceptance of this policy. This could mean that some of the organizational resources would need to be moved to the internet for easier accessibility. Safety concerns should be addressed with undivided focus.
What kind of mobile device threats are relevant to government?
Government agency and department managers are often mobile, and increasingly need to review proposals, research reports and contracts while they’re offsite. Maintenance crews, investigative teams and other field operations groups also need to integrate mobile technologies into their daily work processes
IT administrators can lose visibility into which devices are accessing corporate systems and data. Also, they cannot gather forensic information in case of data breaches from these devices.
Unsafe or unsecure applications that can potentially compromise the security of corporate networks may be present on employee owned devices
These devices are often used on unsecure networks (like public WiFi hotspots) opening the door to malware infections or data leakage
Personal mobile devices are sometimes “jailbroken” or “rooted” by the owners to provide enhanced features and functionality. Unfortunately, this opens up more potential risks: beyond the obvious override of the device security, malware can be embedded within the software used to root the phone, or within applications that are installed from unknown or unreliable sources.
Personal mobile devices may have unauthorized access to the corporate network or contain sensitive data even after the employee leaves the company or if the device is stolen
Wide use of social applications on these devices makes the users more vulnerable to attacks
As new threats emerge, what do government agencies need to do in order to protect themselves?
Focus on processes, people and technologies. We regularly see that govt agencies have a far-sighted vision when it comes to technologies but they fail to adequately train their staff to use these optimally. A misconfigured security solution is not going to solve any problem, no matter how good the product is.
How can governments adopt comprehensive identity management strategies which protect their agency?
Multifactor authentication techniques can be adopted for this challenge. Another avenue would be to focus on federated authentication mechanisms like SAML.
What are the most common compliance conflicts that governments face when trying to shift to the cloud?
Government processes have historically been paper-centric but the potential benefits of electronic document sharing are enormous. In a climate where public safety and privacy are under constant scrutiny, however, data security is non-negotiable.
Having said that, government agencies need to understand how to stay in compliance even when they shift their data to the cloud.
There are four ways to ensure regulatory compliance. The first is to be aware of new challenges the cloud may add to your IT workload. Next, regardless of your company's size or status, don't assume your cloud vendor's standard terms and conditions will fit your requirements. Start your due diligence by examining the vendor's contract. Thirdly, to best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity. And lastly, know that your decisions about what applications to move to the cloud and when to move them will benefit from an understanding of new and/or modified standards that are now evolving for cloud computing.
The deterrence to the cloud is mainly due to the apprehension that the data is not in the organisation’s control. However, public cloud vendors are continuing to invest in data centres dedicated for govt organisations. So the time is ripe to have a serious look at cloud migrations.