New revelations by the GAO of federal security incidents provide further evidence, as if we needed it, that traditional security approaches on their own are no match against today’s sophisticated attacks on agency networks. The rising tide of breaches points to an urgent need for agencies to move to a data-centric model for protecting personally identifiable information (PII) and other sensitive data.
The reasons are laid out in a Vormetric blog post by Andy Kicklighter, Director of Product Marketing for Vormetric. Among his key insights, Andy says:
- Taking a data-centric model and applying it across the board to sensitive data in both existing IT environments and areas such as cloud and big data can actually save our Federal agencies money.
- Proper protection placed directly around where data-at-rest is stored limits who, when, where and how data is accessed, and then can make sure that accounts that should have access aren’t compromised.
- Rather than maintain the status quo, organizations should change focus to add data-centric security to the mix (encryption, access controls and data access monitoring/analysis).
The GAO study cited in Andy’s blog reported that the number of federal security incidents involving PII increased 2.5 times between 2009 and 2013. Andy offers three key reasons why he expects this trend among federal agencies to continue:
- Lack of real penalties—in contrast, commercial entities in many states are subject to strict reporting requirements, remediation standards, and possible penalties.
- Inertia in IT Security investments—federal investment is not keeping pace with fast-changing cyber threats.
- Standards that drive only minimum behavior—federal standards such as the US Cybersecurity Framework only “encourage” the right behavior, while other standards provide excellent “high level” guidance but are often short of specificity about what needs to be done.
Despite these challenges, Andy says that a move to data-centric security can help agencies stem the rise in data breaches and take full advantage of the cost-effectiveness, agility and new functionality available from today’s cyber tools, such as encryption, data access monitoring and analysis, and access controls.
Stay tuned for more cybersecurity and risk management insights from Vormetric on the Cyber Attack Defenders blog.
In the meantime, you can read the full Vormetric blog post here.