Security beyond the firewall

In a mobile world, device-level encryption and digital rights management are essential to securing sensitive data.

[Image: mobile device. Caption: Security is as important beyond an organization's firewall as within it. (Stock image)]

Earlier this year, as President Barack Obama moved to establish a national cybersecurity framework and the Pentagon announced a fivefold increase in its cybersecurity force, a new report from Deloitte identified a growing vulnerability for data: insecure passwords, particularly on mobile devices.

Securing information and systems behind a firewall is insufficient in a world in which vital data is routinely stored on mobile devices and transmitted beyond that barrier.

For Deloitte’s Technology, Media and Telecommunications Predictions 2013 report, one-quarter of all people surveyed said they use less secure passwords on their tablet PCs and smartphones because of the difficulty of typing passwords into handheld equipment. Passwords for laptop PCs also face glaring risks. The same Deloitte report said a study of 6 million user passwords found that 10,000 of the most common passwords would have accessed 98 percent of all accounts.

The vulnerabilities grow even more intense when organizations implement bring-your-own-device policies that allow employees to use personally owned portable devices to connect to enterprise networks and store critical data. Although BYOD can generate enterprise savings, the practice greatly increases the attack surface that adversaries can target and thus increases the risk of a successful intrusion, theft or breach of data.

Given the high cost of data breaches, successful attacks will quickly wipe out any savings from BYOD. In fact, organizations surveyed by the Ponemon Institute reported an average of two successful cyberattacks per week. The annualized average cost of those cyber crimes was almost $9 million for each company.

Clearly, best-practice security solutions must be extended beyond hardened IT perimeters. Authentication methods that require verification beyond passwords are a partial solution. Yet even new layers of authentication are vulnerable due to the ever-increasing sophistication of malicious actors.

To accommodate surging mobility and data communications, sensitive data should be encrypted on each device so that information is protected in all locations and situations. Device-level encryption secures data whether it is being stored or transmitted via email and attachments.
Digital communications should be further safeguarded by incorporating advanced digital rights management. The addition of DRM lets an agency control what designated recipients can do with the sent information — whether they can print it or share it, and for how long. One can even cancel the recipient’s ability to read the data at any time, even when it is stored on the recipient’s device. The latter capability protects data in the event that a device is lost or stolen or when employees leave the organization and must have their access to company information rescinded.
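The two mechanisms described above, device-level encryption and DRM that can limit, expire or revoke a recipient's access after the data has left the organization, rest on one design point: the content key never sits on the device in the clear. The following is an added example written for this page, not code from the article or from any product it alludes to. It models a policy service that issues a fresh key per document, encrypts the copy that is stored or emailed, and releases the key to a viewer only while the policy (designated recipients, permitted actions, expiry, revocation) allows; revoking the document therefore locks the ciphertext already sitting on a lost or departed employee's device. The names (`Policy`, `PolicyServer`, `open_document`) are hypothetical, and the cipher is an HMAC-SHA256 keystream used as a stand-in for a real authenticated cipher such as AES-GCM so that the script runs with only the standard library.

```python
"""Constructed model of device-level encryption plus DRM-style key release.

The device only ever stores ciphertext; every open asks the policy service
for the content key, so recipient lists, expiry and revocation take effect
even for copies already on the device.  The cipher below is an HMAC-SHA256
keystream used as a stand-in for an AEAD (e.g. AES-GCM); it is illustrative,
not production cryptography.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256 (stand-in for a real cipher).
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag detects tampering on the device."""
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return _keystream_xor(key, nonce, body)


@dataclass
class Policy:
    recipients: set            # who may obtain the content key
    permissions: set           # e.g. {"view", "print"}; "share" absent = no forwarding
    expires_at: float          # epoch seconds; no key is released after this time
    revoked: bool = False      # flipped by the owner at any time


@dataclass
class PolicyServer:
    """Holds content keys and policies on the organization's side of the firewall."""
    _keys: dict = field(default_factory=dict)
    _policies: dict = field(default_factory=dict)

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> bytes:
        key = os.urandom(32)                     # one content key per document
        self._keys[doc_id] = key
        self._policies[doc_id] = policy
        return encrypt(key, plaintext)           # this blob is what gets stored or emailed

    def release_key(self, doc_id: str, recipient: str, now: float) -> bytes:
        policy = self._policies[doc_id]
        if policy.revoked:
            raise PermissionError("access revoked")
        if now > policy.expires_at:
            raise PermissionError("access expired")
        if recipient not in policy.recipients:
            raise PermissionError("not a designated recipient")
        return self._keys[doc_id]

    def allowed(self, doc_id: str, action: str) -> bool:
        """Whether the viewer may offer an action such as 'print' or 'share'."""
        return action in self._policies[doc_id].permissions

    def revoke(self, doc_id: str) -> None:
        self._policies[doc_id].revoked = True


def open_document(server: PolicyServer, doc_id: str, blob: bytes,
                  recipient: str, now: float = None) -> bytes:
    """What a DRM-aware viewer on the device does on every open, not just the first."""
    key = server.release_key(doc_id, recipient, time.time() if now is None else now)
    return decrypt(key, blob)


if __name__ == "__main__":
    server = PolicyServer()
    policy = Policy(recipients={"analyst@agency.example"}, permissions={"view"},
                    expires_at=time.time() + 3600)
    blob = server.protect("memo-1", b"constructed sensitive record", policy)
    print(open_document(server, "memo-1", blob, "analyst@agency.example"))
    server.revoke("memo-1")
    try:
        open_document(server, "memo-1", blob, "analyst@agency.example")
    except PermissionError as exc:
        print("after revocation:", exc)
```

The point a practitioner should take from the model is that "cancel the recipient's ability to read the data at any time" only works if the viewer fetches the key on every open and the key is never cached in a form that survives the policy check; a client that stores the decrypted key, or a file format that embeds it, turns revocation into a suggestion.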

At the National Security Agency, I led an organization of several thousand security professionals who spent their days analyzing technology and products to understand their vulnerabilities and develop countermeasures to deter, detect and respond to Internet-based threats. Our focus was the federal systems of the national security community, but many of the solutions apply to all the systems that make up the interconnected global network. Every agency and even small enterprises can successfully harden their environments against Internet-based threats.

Organizations can reach a new level of best security practices by combining device-level encryption and advanced DRM. Such implementations can be incorporated seamlessly within existing IT infrastructure and policies, with no disruption to employees’ workflow. Without that combination, vital information — including sensitive constituent information and trade secrets — is vulnerable, and your organization will be at risk because you have no control of the data once it passes beyond your firewalls.