Defence Online: Combating the Threats That Exist Amongst Your Own Personnel
Author: Justin Dolly, Chief Security Officer of SecureAuth
When it comes to military and defence organisations today, one of the largest cyber security concerns is not actual attacks (although those are still important and prevalent), but rather data leaks.
Insider threats and personal devices are two of the biggest causes of data leakage and one of the fastest-growing threats to defences today, as more and more devices are making it into sensitive areas. Last year, the fitness app Strava inadvertently exposed sensitive data about exercise routes shared online by soldiers, which could be extrapolated to pinpoint overseas facilities. With this information out in the open and out of the military's control, defence organisations began clamping down on troops' use of fitness trackers and apps, and further prohibited the use of GPS features on any government or private gear.
This exemplifies how the rapid development of new and innovative information technologies brings new challenges to operational security and force protection. It’s crucial for military defence teams to stay on top of these challenges and continue to refine policies and procedures; otherwise, this could put individual members of the military at risk, even when they are not in combat zones.
Identifying the weakest link
As with most things in life, you’re only as strong as your weakest link, and in any organisation, it’s people. The best firewalls can be defeated by a simple phishing email, and flat networks enable intruders to perform lateral movement across an environment with relative ease. New devices and applications can be difficult to keep off the corporate network, which can introduce a slew of new threat vectors, all the while causing frustration amongst the IT teams that support these networks.
Therefore, it’s vital for military officials to control access and develop enhanced policies for use or access to their data and networks. So how do you achieve this? Through the implementation of multiple pre-authentication or adaptive authentication techniques without introducing unnecessary friction for the users. Combining strong security with adaptive authentication allows authorised parties to access what they need quickly and easily, while simultaneously keeping malicious and suspicious actors out of the network and systems.
Education, Education, Education, and Secure Access Control
A critical component of improving any security program is education. As pointed out with the Strava example, a data breach occurs when one or more individuals can read data they are not authorised to access. And it is often human errors like this that allow cybercriminals to gain access to sensitive material.
Internal user training can help educate employees and personnel on how to enable secure access control, what threats to look out for and how to report anything suspicious. Therefore, security awareness training should be acknowledged as one of the critical components of a robust security program. Being armed with the knowledge and skills to protect themselves and their organisations will help prepare employees for the range of security threats they’ll face, whether from an external cyberattack or from their own use of technology or access to data.
Military organisations shouldn’t neglect their own responsibility to deploy the most secure authentication strategies to mitigate their exposure to cyberattacks. They need to carefully examine how they manage their identity security and address how to differentiate legitimate users from illegitimate ones. Rather than handing over the keys to the very lucrative kingdom, a comprehensive strategy should work to determine if a login attempt is from a legitimate user or from an attacker using stolen credentials.
Prevention is better than breach
With identity and credential exposure accounting for many high-profile data breaches, prevention is the best protection. Internal training and awareness, together with deploying secure access controls, dramatically improve organisations’ defences and prevent future cyberattacks.
The best approach ensures the desired level of security without hindering the user experience. Care should be taken to avoid putting users through complex security measures, which can cause user frustration, have a negative impact on productivity, and result in a financial burden to the organisation. The most efficient approaches to security and usability leverage modern techniques that fit both the culture and the needs of the organisation and bring together identity and security. When dealing with critical and highly sensitive information, as defence organisations undoubtedly do, the right security approach is to focus on the programmes that will help secure their weakest link… people.
This article originally appeared on Defence Online on June 25th 2019