Dr. Larry Ponemon and Tenable’s Stephen Smith discuss the cybersecurity challenges revealed in a recent study of cybersecurity in the public sector, and provide three tips for closing the Cyber Exposure gap.
It’s not easy to be a cybersecurity professional in the public sector these days.
While government agencies each face many of the same daily security risks as their private sector counterparts, public sector organizations have a unique set of challenges when it comes to cybersecurity. Among the issues facing public sector organizations are:
- Lack of visibility into the entire attack surface
- Limited technical resources and support
- Heavy reliance on manual processes to close the Cyber Exposure gap
Stephen Smith, Tenable’s Manager of State and Local Business Development, discussed these and other public sector cybersecurity challenges in a recent Tenable webinar featuring Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute.
During the webinar, the pair explored the findings outlined in the report, “Cybersecurity in Public Sector.” Commissioned by Tenable, the report was developed by Ponemon Institute, based on survey responses from 244 public sector infosec professionals from the United States, United Kingdom, Germany, Australia, Mexico and Japan. It highlights five key takeaways for public sector CISOs and their cybersecurity teams:
- Cyberattacks in the public sector are relentless.
- Preventing attacks against IoT and operational technology (OT) infrastructure is a top priority for 2019.
- Public sector cybersecurity teams face fundamental challenges managing cyber risk.
- To help mitigate cyberattacks, new approaches for measuring cyber risks are needed.
- Smarter prioritization of vulnerabilities is key to staying ahead of cyberattackers.
Cybersecurity Priorities in the Public Sector
Smith and Ponemon delved into the details on each of these five critical points and discussed what they reveal about the current state of cybersecurity in the public sector.
Cyberattacks in the public sector are relentless
The vast majority of organizations surveyed for the Ponemon report (88 percent) said they have sustained at least one damaging cyberattack over the last two years. In fact, 62 percent of respondents reported their agencies have sustained two or more damaging cyberattacks in the last 24 months. Many of the incidents have caused data breaches resulting in disruption and downtime, including the loss of day-to-day operations and equipment malfunctions.
Preventing attacks against IoT and OT infrastructure is a top priority for 2019
Nearly two thirds of respondents (65 percent) said they are most concerned about the possibility of attacks involving IoT or OT assets this year. As in the private sector, public sector cybersecurity professionals are now taking more responsibility for OT security as well as IT security, which means they are responsible for an ever-expanding attack surface.
Another 61 percent of respondents said they are worried about the downtime to plants or equipment that would result from an attack against OT infrastructure.
A third of respondents (33 percent) are also concerned about the possibility of an employee falling for a phishing email. This concern is understandable, given that 56 respondents reported at least one such incident resulting in credential theft during the previous two years.
Despite the fact that phishing remains a top concern, Smith said public sector CISOs have made great strides in actually reducing the number of phishing attacks within their organizations. “We get a chance to...talk to a lot of public sector organizations and we participate in several councils, including one with the National Governors Association, and this topic was a significant topic in all of those conversations last year,” said Smith. “Now, what you are starting to see is organizations actually taking pride in the degree to which they have reduced successful phishing attacks in their organizations.”
Public sector cybersecurity teams face fundamental challenges managing cyber risk
Only 23 percent of survey respondents report having sufficient visibility into their organization’s attack surface. This should come as no surprise, since 62 percent of respondents also say they lack adequate staffing to scan for vulnerabilities in a timely manner.
New approaches for measuring and mitigating cyber risks are needed
The Ponemon data make clear that traditional key performance indicators (KPIs) are not adequate to provide an accurate picture of the cyber risks facing public sector organizations today. In fact, only 40 percent of respondents said they even attempt to quantify the impact that common cybersecurity incidents could have on their organizations.
And even if they could improve their ability to measure business impact, there’s little consensus on what, exactly, they would choose to measure. Of those respondents who are currently attempting to quantify business impact, 50 percent attempt to quantify the cost of OT-system downtime. The frequency of unpatched — but known — vulnerabilities is tracked by 46 percent of these respondents.
Smarter prioritization of vulnerabilities is key to staying ahead of cyberattackers
Nearly a third (63 percent) of respondents report wanting to improve their ability to keep up with the sophistication and stealth of attackers. However, 44 percent say they currently prioritize threats based on the ease of remediation. A better way for CISOs to prioritize, according to the data, is to take a harder look at those threats that pose the greatest risk. Not all vulnerabilities need to be patched right away if they don’t present an immediate threat to the network.
Closing the Cyber Exposure gap to strengthen public sector cybersecurity
What Smith suggested, and what the Ponemon research supports, is a holistic approach to public sector security so that CISOs and their organizations can prioritize their needs at a time when adding more people and more resources is not possible.
Smith and Ponemon offered three tips public sector cybersecurity professionals can use to help close their Cyber Exposure gaps:
- Look for ways to improve your vulnerability prioritization. Tenable researchers reported that over 16,500 vulnerabilities were disclosed in 2018 — most of which were high or critical severity. Yet only a small fraction of those vulnerabilities are being actively exploited. By using new technology and techniques, e.g., data science and machine learning, public sector cybersecurity pros can more effectively prioritize vulnerability remediation to focus on those vulnerabilities posing the greatest risk of exploitation.
- Make use of passive monitoring, especially for OT assets. While most organizations and their security teams would like to actively scan their entire environment, when it comes to OT, they’re deterred from doing so because active scanning can cause service interruptions by knocking business-critical systems offline. Instead, Smith recommended passive monitoring, which provides much-needed visibility into OT environments without disrupting sensitive systems.
- Implement continuous asset discovery and vulnerability assessment. Adding or removing computing assets can change overall security posture. Since remediation must often occur during small windows of downtime, the most complete and current data regarding vulnerabilities and their predicted risks is critical, which is why Tenable recommends making continuous monitoring a top priority.