If you can't trust high-ranking government officials to practice basic information security, who can you trust?
A recent report from the State Department's Office of Inspector General may have been prompted by the email server scandal, but it also documents how other government employees have skimped on the protection of sensitive information. Organizations in both the government and the private sector can draw lessons from these cybersecurity problems.
The core problem highlighted by this scandal is the use of third-party IT systems for official business. Gone are the days when control of enterprise technology was concentrated in the hands of those who controlled access to mainframes and servers. Now cloud and mobile computing put virtually limitless options in the hands of any employee. The U.S. government may have egg on its face as a result of the OIG report, but the lessons apply to all enterprises and organizations: private companies face the same cybersecurity problems and risks when employees use unsanctioned software and technology services.
Maintaining management control
One of the core findings in the OIG report is that the State Department exhibited a lack of management control. The federal government requires that government agencies exercise proper control over the information systems they use and the records they maintain. Yet, as the Government Accountability Office previously found in 2010, many government agencies fail to provide the necessary oversight. Worse, their file and archiving systems are still often aligned to paper-based records, making it extremely difficult to effectively manage emails and other electronic information.
Public and private organizations must develop appropriate systems that allow them to maintain effective control of the information they store, process and transmit. This includes electronic record keeping and archiving systems that provide centralized tracking and storage management. While private organizations do not normally need to comply with federal records management regulations, they must be prepared to produce relevant emails in the event of litigation-related electronic discovery efforts. In the case of email, organizations of all types should have archiving and search mechanisms in place that support long-term preservation and discovery requirements.
Controlling the consumerization of IT
The increasing consumerization of IT is a challenge to centralized control and management of information. As employees explore mobile apps and cloud services in their private lives, they assume they can use the same tools in the workplace. As they adopt these technologies, organizational information ends up stored in unmanaged, unsearchable and unprotected locations -- unless the organization takes suitable precautions against these cybersecurity problems.
Private organizations can draw lessons from government agencies' cybersecurity problems. Enterprise data governance officials need to know where their information is stored and keep it under appropriate control. A move to cloud computing may be inevitable, but it can be properly managed. Enterprises must learn how to conduct cloud security reviews, ensure the right security controls are in place, and avoid ceding ownership of their information. For instance, organizations should verify that contract language does not grant the cloud service provider any rights to intellectual property produced or stored using the service.
Through the right combination of employee education and technology, enterprises can reap the benefits of the consumerization of IT while minimizing cybersecurity problems and risks. Employees must be made aware that any cloud service needs to be vetted for security and legal compliance, and cannot be adopted simply because it promises to make life easier. Data loss prevention technology lets enterprises monitor flows of information and alert administrators to abnormal or suspicious events. Bear in mind that DLP only flags the data types and destinations it has been configured to recognize, so an inventory of sensitive data and an allow list of sanctioned services are prerequisites, not afterthoughts.
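To make the DLP idea concrete, here is an added example (my own illustration, not code from the OIG report or this article) of the kind of rule a monitoring tool applies to outbound traffic. It combines the two controls the paragraph above calls for: an allow list of sanctioned services, and content patterns that identify sensitive data. The log format, the domain names, the allow list, the classification markings and the volume threshold are all hypothetical, and the log lines are constructed for the example; a real DLP product inspects message bodies and attachments rather than subject lines and needs visibility into encrypted traffic (for instance via a proxy or CASB) to see cloud destinations at all.

```python
import re
from dataclasses import dataclass

# Constructed sample egress log lines for this example; not real traffic.
# Hypothetical format: timestamp user=<id> dst=<host> bytes=<n> subject="<text>"
SAMPLE_LOG = """\
2015-06-01T09:12:03Z user=jdoe dst=mail.example-agency.gov bytes=2048 subject="Weekly report"
2015-06-01T09:15:44Z user=jdoe dst=files.unsanctioned-share.example bytes=8421337 subject="Project docs"
2015-06-01T09:17:10Z user=asmith dst=drive.sanctioned-cloud.example bytes=5120 subject="SSN 123-45-6789 for HR"
2015-06-01T09:20:55Z user=bwong dst=personal-webmail.example bytes=300 subject="Lunch?"
2015-06-01T09:22:01Z user=bwong dst=personal-webmail.example bytes=65536 subject="FW: SBU contract draft"
"""

# Hypothetical allow list: destinations the organization has reviewed and approved.
SANCTIONED = {"mail.example-agency.gov", "drive.sanctioned-cloud.example"}

# Content patterns that are sensitive regardless of destination (illustrative only).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "marking": re.compile(r"\b(SBU|FOUO)\b"),   # handling markings, e.g. Sensitive But Unclassified
}

# Hypothetical threshold: transfers this large to an unvetted service deserve a look.
LARGE_TRANSFER_BYTES = 1_000_000

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) '
    r'bytes=(?P<bytes>\d+) subject="(?P<subject>[^"]*)"$'
)

UNSANCTIONED = "unsanctioned destination"


@dataclass
class Alert:
    user: str
    dst: str
    reasons: list
    severity: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def evaluate(rec, sanctioned=SANCTIONED, large=LARGE_TRANSFER_BYTES):
    """Return the list of reasons this record is worth an administrator's attention."""
    reasons = []
    unsanctioned = rec["dst"] not in sanctioned
    if unsanctioned:
        reasons.append(UNSANCTIONED)          # shadow IT discovery: unknown service in use
    for name, pat in SENSITIVE_PATTERNS.items():
        if pat.search(rec["subject"]):
            reasons.append(f"sensitive content: {name}")
    if unsanctioned and rec["bytes"] >= large:
        reasons.append("large transfer to unsanctioned destination")
    return reasons


def severity(reasons):
    """An unsanctioned destination alone is an inventory finding; anything more is high."""
    return "high" if any(r != UNSANCTIONED for r in reasons) else "low"


def analyze(log_text, sanctioned=SANCTIONED):
    """Run every well-formed line through the rules and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = evaluate(rec, sanctioned)
        if reasons:
            alerts.append(Alert(rec["user"], rec["dst"], reasons, severity(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user} -> {a.dst}: {', '.join(a.reasons)}")
```

On the constructed log the sanctioned "Weekly report" message passes silently, the 8 MB upload to the unvetted file-sharing host and the "SBU" forward to personal webmail are high-severity alerts, the SSN sent to the sanctioned drive is still flagged on content, and the short "Lunch?" message only records that an unsanctioned service is in use. The last case is the useful one for governance: low-severity findings build the inventory of services employees have adopted, which is what the data governance officials above need before they can vet or block them.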
While not many of us will wind up administering secret email servers for government officials, we can still draw lessons from the State Department's recent experience. Enterprises must retain management control of sensitive information and take steps to ensure that the adoption of cloud services takes place in an orderly and secure fashion.