Security beyond the firewall


Security is as important beyond an organization's firewall as within it. (Stock image)

Earlier this year, as President Barack Obama moved to establish a national cybersecurity framework and the Pentagon announced a fivefold increase in its cybersecurity force, a new report from Deloitte identified a growing vulnerability for data: insecure passwords, particularly on mobile devices.

Securing information and systems behind a firewall is insufficient in a world in which vital data is routinely stored on mobile devices and transmitted beyond that barrier.

For Deloitte's Technology, Media and Telecommunications Predictions 2013 report, one-quarter of all people surveyed said they use less secure passwords on their tablets and smartphones because of the difficulty of typing passwords on handheld equipment. Passwords for laptop PCs also face glaring risks. The same Deloitte report said a study of 6 million user passwords found that the 10,000 most common passwords would have accessed 98 percent of all accounts.
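The statistic above is the reason the usual defensive control is a denylist: a new password is rejected if it appears on a list of the most common ones, so the bulk of the easily guessed choices never reach an account. The following script is an added example written for this page, not code from the article, the author or Deloitte. The denylist, the `MIN_LENGTH` value and the sample account passwords are constructed stand-ins; a real deployment would load a published list of the top N passwords from a breach corpus and would apply the check at enrolment and password change on every device type.

```python
"""Common-password denylist check (added example; constructed data).

The article notes that a short list of the most common passwords covers a
large share of real accounts. A defender's response is to reject any new
password that appears on such a list. COMMON_PASSWORDS, MIN_LENGTH and
SAMPLE_ACCOUNTS below are constructed for this example, not real data.
"""
import unicodedata

# Constructed denylist: a tiny stand-in for the "10,000 most common passwords".
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "iloveyou", "letmein", "welcome", "admin",
}

MIN_LENGTH = 8  # assumed policy value


def normalize(password: str) -> str:
    """Canonical form used for the denylist lookup only.

    Case-folds and NFKC-normalizes so trivial variants ('Password',
    'PASSWORD') still match. The stored password itself is never altered.
    """
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(password: str) -> dict:
    """Return a verdict: {'ok': bool, 'reasons': [str, ...]}."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        reasons.append("appears on the common-password denylist")
    # Strip a trailing run of digits: 'password1' or 'qwerty2013' are no
    # stronger than the base word they are built on.
    stripped = norm.rstrip("0123456789")
    if stripped != norm and stripped in COMMON_PASSWORDS:
        reasons.append("common password with digits appended")
    return {"ok": not reasons, "reasons": reasons}


def coverage(account_passwords, denylist=COMMON_PASSWORDS) -> float:
    """Fraction of a password set that the denylist would have matched.

    This is the kind of figure the Deloitte study reports (10,000 entries
    covering 98 percent of 6 million accounts); here it is computed on the
    constructed sample, so the number it returns is illustrative only.
    """
    if not account_passwords:
        return 0.0
    hits = sum(1 for p in account_passwords if normalize(p) in denylist)
    return hits / len(account_passwords)


# Constructed sample of account passwords (not real data).
SAMPLE_ACCOUNTS = [
    "123456", "Password", "qwerty", "letmein", "correct horse battery staple",
    "iloveyou", "admin", "welcome", "abc123", "Tr0ub4dor&3",
]

if __name__ == "__main__":
    for pw in ["password1", "Welcome", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
    print(f"denylist coverage of sample: {coverage(SAMPLE_ACCOUNTS):.0%}")
```

The check runs on the normalized form only for comparison; the value the user actually chose is what gets hashed and stored. Stripping trailing digits catches the most common way people "strengthen" a banned password, which matters on a phone keyboard where appending a digit is the path of least resistance.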

The vulnerabilities grow even more intense when organizations implement bring-your-own-device policies that allow employees to use personally owned portable devices to connect to enterprise networks and store critical data. Although BYOD can generate enterprise savings, the practice greatly increases the attack surface that adversaries can target and thus increases the risk of a successful intrusion, theft or breach of data.

Given the high cost of data breaches, successful attacks will quickly wipe out any savings from BYOD. In fact, organizations surveyed by the Ponemon Institute reported an average of two successful cyberattacks per week. The annualized average cost of those cyber crimes was almost $9 million for each company.

Clearly, best-practice security solutions must be extended beyond hardened IT perimeters. Authentication methods that require verification beyond passwords are a partial solution. Yet even new layers of authentication are vulnerable due to the ever-increasing sophistication of malicious actors.

To accommodate surging mobility and data communications, sensitive data should be encrypted on each device so that information is protected in all locations and situations. Device-level encryption secures data whether it is being stored or transmitted via email and attachments.


Digital communications should be further safeguarded by incorporating advanced digital rights management. The addition of DRM lets an agency control what designated recipients can do with the sent information — whether they can print it or share it, and for how long. One can even cancel the recipient’s ability to read the data at any time, even when it is stored on the recipient’s device. The latter capability protects data in the event that a device is lost or stolen or when employees leave the organization and must have their access to company information rescinded.

At the National Security Agency, I led an organization of several thousand security professionals who spent their days analyzing technology and products to understand their vulnerabilities and develop countermeasures to deter, detect and respond to Internet-based threats. Our focus was the federal systems of the national security community, but many of the solutions apply to all the systems that make up the interconnected global network. Every agency and even small enterprises can successfully harden their environments against Internet-based threats.

Organizations can reach a new level of best security practices by combining device-level encryption and advanced DRM. Such implementations can be incorporated seamlessly within existing IT infrastructure and policies, with no disruption to employees’ workflow. Without that combination, vital information — including sensitive constituent information and trade secrets — is vulnerable, and your organization will be at risk because you have no control of the data once it passes beyond your firewalls.

About the Author

Richard C. Schaeffer Jr. is chief security adviser at Encryptics, a provider of data privacy and protection services for business and government.
