Security beyond the firewall


Earlier this year, as President Barack Obama moved to establish a national cybersecurity framework and the Pentagon announced a fivefold increase in its cybersecurity force, a new report from Deloitte identified a growing vulnerability for data: insecure passwords, particularly on mobile devices.

Securing information and systems behind a firewall is insufficient in a world in which vital data is routinely stored on mobile devices and transmitted beyond that barrier.

For Deloitte’s Technology, Media and Telecommunications Predictions 2013 report, one-quarter of all people surveyed said they use less secure passwords on their tablet PCs and smartphones because of the difficulty of typing passwords into handheld equipment. Passwords for laptop PCs also face glaring risks. The same Deloitte report said a study of 6 million user passwords found that 10,000 of the most common passwords would have accessed 98 percent of all accounts.

The vulnerabilities grow even more intense when organizations implement bring-your-own-device policies that allow employees to use personally owned portable devices to connect to enterprise networks and store critical data. Although BYOD can generate enterprise savings, the practice greatly increases the attack surface that adversaries can target and thus increases the risk of a successful intrusion, theft or breach of data.

Given the high cost of data breaches, successful attacks will quickly wipe out any savings from BYOD. In fact, organizations surveyed by the Ponemon Institute reported an average of two successful cyberattacks per week. The annualized average cost of those cyber crimes was almost $9 million for each company.

Clearly, best-practice security solutions must be extended beyond hardened IT perimeters. Authentication methods that require verification beyond passwords are a partial solution. Yet even new layers of authentication are vulnerable due to the ever-increasing sophistication of malicious actors.

To accommodate surging mobility and data communications, sensitive data should be encrypted on each device so that information is protected in all locations and situations. Device-level encryption secures data whether it is being stored or transmitted via email and attachments.


Digital communications should be further safeguarded by incorporating advanced digital rights management. The addition of DRM lets an agency control what designated recipients can do with the sent information — whether they can print it or share it, and for how long. One can even cancel the recipient’s ability to read the data at any time, even when it is stored on the recipient’s device. The latter capability protects data in the event that a device is lost or stolen or when employees leave the organization and must have their access to company information rescinded.

At the National Security Agency, I led an organization of several thousand security professionals who spent their days analyzing technology and products to understand their vulnerabilities and develop countermeasures to deter, detect and respond to Internet-based threats. Our focus was the federal systems of the national security community, but many of the solutions apply to all the systems that make up the interconnected global network. Every agency and even small enterprises can successfully harden their environments against Internet-based threats.

Organizations can reach a new level of best security practices by combining device-level encryption and advanced DRM. Such implementations can be incorporated seamlessly within existing IT infrastructure and policies, with no disruption to employees’ workflow. Without that combination, vital information — including sensitive constituent information and trade secrets — is vulnerable, and your organization will be at risk because you have no control of the data once it passes beyond your firewalls.

About the Author

Richard C. Schaeffer Jr. is chief security adviser at Encryptics, a provider of data privacy and protection services for business and government.
