Security beyond the firewall


Security is as important beyond an organization's firewall as within it. (Stock image)

Earlier this year, as President Barack Obama moved to establish a national cybersecurity framework and the Pentagon announced a fivefold increase in its cybersecurity force, a new report from Deloitte identified a growing vulnerability for data: insecure passwords, particularly on mobile devices.

Securing information and systems behind a firewall is insufficient in a world in which vital data is routinely stored on mobile devices and transmitted beyond that barrier.

In Deloitte’s Technology, Media and Telecommunications Predictions 2013 report, one-quarter of respondents said they use weaker passwords on their tablets and smartphones because passwords are hard to type on handheld equipment. Passwords on laptop PCs are not much stronger. The same report cites a study of 6 million user passwords in which the 10,000 most common passwords would have unlocked 98 percent of all accounts.

The exposure grows when organizations adopt bring-your-own-device (BYOD) policies that let employees connect personally owned portable devices to enterprise networks and store critical data on them. BYOD can save an enterprise money, but it greatly enlarges the attack surface adversaries can target, and with it the likelihood of a successful intrusion, theft or breach of data.

Given the high cost of data breaches, successful attacks quickly wipe out any savings from BYOD. Organizations surveyed by the Ponemon Institute reported an average of two successful cyberattacks per week, at an annualized average cost of almost $9 million per company.

Clearly, best-practice security must extend beyond the hardened IT perimeter. Authentication methods that require proof beyond a password, such as multifactor authentication, are a partial solution. But even added authentication layers are attacked by increasingly sophisticated adversaries, and authentication only governs who may log in; it says nothing about what happens to a copy of the data once it sits on a device or in a mailbox outside the perimeter.

To keep up with surging mobility and data communications, sensitive data should be encrypted on each device so that it is protected wherever it goes. One distinction matters here: full-disk or device encryption protects data at rest on a locked device, but that protection falls away the moment a file is attached to an email or copied elsewhere. To protect information both where it is stored and when it is transmitted via email and attachments, the data object itself (the file or message) must be encrypted on the device before it leaves, so that the same ciphertext is what is stored, sent and received.


Digital communications should be further safeguarded with digital rights management (DRM). DRM lets an agency control what designated recipients can do with the information it sends: whether they can print or forward it, and for how long. The sender can also cancel a recipient’s ability to read the data at any time, even when it is already stored on the recipient’s device. That capability protects data when a device is lost or stolen and when employees leave the organization and must have their access to company information rescinded. It works only because the recipient’s copy is ciphertext whose key is released under policy by a service the organization controls; revoking access means the service stops releasing the key, not that the bytes on the device vanish. DRM therefore protects against lost devices and departed users, not against a recipient who already copied the plaintext while entitled to read it.

At the National Security Agency, I led an organization of several thousand security professionals who spent their days analyzing technology and products to understand their vulnerabilities and develop countermeasures to deter, detect and respond to Internet-based threats. Our focus was the federal systems of the national security community, but many of the solutions apply to all the systems that make up the interconnected global network. Every agency and even small enterprises can successfully harden their environments against Internet-based threats.

Combining device-level encryption with DRM raises an organization’s security baseline. Such implementations can be incorporated within existing IT infrastructure and policies without disrupting employees’ workflow. Without that combination, vital information, including sensitive constituent information and trade secrets, is exposed, and your organization is at risk because you have no control of the data once it passes beyond your firewalls.
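The encrypt-on-device plus DRM combination described above, reduced to its mechanism, as an added example that is neither the author’s nor Encryptics’ code: a document is encrypted on the sender’s device under a fresh per-document key, that key and the recipient’s rights are held by a key service the organization controls, and the recipient’s device only ever stores ciphertext. Opening the document means asking the service for the key under policy, so revocation and expiry work after delivery. The key service, the Policy fields, AES-256-GCM, the in-memory maps and the sample memo are all assumptions of this example, not anything the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Policy is the rights attached to one protected document (constructed example model).
type Policy struct {
	Recipient string
	CanPrint  bool
	CanShare  bool
	ExpiresAt time.Time
	revoked   bool
}

var (
	ErrWrongRecipient = errors.New("caller is not the entitled recipient")
	ErrRevoked        = errors.New("access revoked by owner")
	ErrExpired        = errors.New("document lifetime expired")
)

// record is what the server keeps per document: the data-encryption key (DEK) and policy.
type record struct {
	dek []byte
	pol Policy
}

// KeyServer stands in for the organisation's policy and key service; devices hold only ciphertext.
type KeyServer struct{ docs map[string]*record }

func NewKeyServer() *KeyServer { return &KeyServer{docs: map[string]*record{}} }

// newAEAD builds AES-256-GCM; with a 32-byte key neither constructor can fail.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Protect runs on the sender's device: a fresh DEK encrypts the data with docID bound as
// associated data, the DEK and policy stay with the server, and the returned
// nonce||ciphertext||tag can be emailed or stored anywhere without exposing plaintext.
func (ks *KeyServer) Protect(docID string, plaintext []byte, p Policy) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit DEK || 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	ks.docs[docID] = &record{dek: dek, pol: p}
	return newAEAD(dek).Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// releaseKey is the policy decision point: the DEK leaves the server only for the named
// recipient and only while the document is neither revoked nor expired.
func (ks *KeyServer) releaseKey(docID, recipient string, now time.Time) ([]byte, *Policy, error) {
	r, ok := ks.docs[docID]
	switch {
	case !ok:
		return nil, nil, errors.New("unknown document")
	case r.pol.revoked:
		return nil, nil, ErrRevoked
	case r.pol.Recipient != recipient:
		return nil, nil, ErrWrongRecipient
	case !now.Before(r.pol.ExpiresAt):
		return nil, nil, ErrExpired
	}
	return r.dek, &r.pol, nil
}

// Open runs on the recipient's device: obtain the DEK under policy, then decrypt locally.
// Without a key release the cached ciphertext is unreadable, which is what makes
// revocation effective after the file has already been delivered.
func (ks *KeyServer) Open(docID, recipient string, sealed []byte, now time.Time) ([]byte, *Policy, error) {
	dek, p, err := ks.releaseKey(docID, recipient, now)
	if err != nil {
		return nil, nil, err
	}
	if len(sealed) < 12 {
		return nil, nil, errors.New("ciphertext too short")
	}
	pt, err := newAEAD(dek).Open(nil, sealed[:12], sealed[12:], []byte(docID))
	if err != nil {
		return nil, nil, err // tag check failed: tampered, or relabelled to another docID
	}
	return pt, p, nil
}

// Revoke withdraws access to a document already on the recipient's device (lost device,
// departed employee) and erases the DEK server-side.
func (ks *KeyServer) Revoke(docID string) {
	if r, ok := ks.docs[docID]; ok {
		r.pol.revoked = true
		r.dek = nil
	}
}
```

Usage follows the article’s flow: the sender calls Protect and ships the returned bytes as an attachment; the recipient calls Open, which succeeds only while the policy allows it; the owner calls Revoke when a device is lost or an employee leaves, after which the attachment still on the device no longer opens. Binding the document identifier as associated data stops a ciphertext from being relabelled to borrow another document’s policy, and the returned Policy is what a client would consult before allowing print or forward.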

About the Author

Richard C. Schaeffer Jr. is chief security adviser at Encryptics, a provider of data privacy and protection services for business and government.
