Dec 22 2017

Security Strategies That Tighten Systems Without Breaking the Budget

User education, patch management and more low-cost ways to bring better security.

For IT managers, information security demands ceaseless vigilance. That means never letting down and constantly finding ways to shore up the defenses standing between agencies and criminals on the other side.

Sometimes, this requires deploying sophisticated tools that offer the latest technology to block attacks or quickly detect hacks once they happen. But it can also encompass finding creative, low-cost ways to increase protection.

A comprehensive security strategy makes use of all available methods to counter hackers ready to pounce on the weak links in government networks. With that in mind, here are some ideas that can fortify IT security while going light on the budget.

Forge Security Smart Users

Human error remains one of the major causes of security breakdowns, and even small breaches come with high cleanup costs. Phishing attacks are at the root of 90 percent of all data breaches and security incidents, according to Verizon’s 2017 Data Breach Investigations Report.

Education can counter that fallibility without significant expense. A successful training program should include two key elements: constant change and multichannel approaches.

Hackers frequently alter their methods of attack and malware types, so training must employ a variety of techniques to match the evolving threats. Similarly, keeping people engaged requires understanding that what works for some users will not benefit others. Blanketing everyone with a short monthly newsletter is a great idea and easy to do, but probably won’t catch the entire target audience.

Other education tools can widen outreach. For example, an anti-malware system logs each time it detects and blocks or cleans a virus. IT personnel can use those logs to create a list of users to visit in person each month. People who get viruses often are engaging in risky behavior, such as visiting nonwork websites or opening suspicious attachments (this is not always the case, so the tone of these visits should be respectful).

IT staff can also review logs for URL filtering, data loss prevention, intrusion detection and intrusion prevention systems to identify those who need further training.

Phishing exercises will show users the dangers of clicking on the wrong link or attachment. Commercial and open-source products and services can help launch and manage a self-phishing campaign. IT teams can mine the data generated by these exercises to organize more one-on-one sessions with users, or handle the entire cycle online by taking phished users to a website that explains the clues they missed.

Harden Government Software and Systems

Reviewing and hardening system security configurations for vulnerabilities — especially for older systems — does not always require a large financial investment. Costs will depend on particular platforms and products, but this can quickly improve information security.

Attackers often gain access not just because of an old bug, but because of a combination of a bug and a poor configuration that together create a vulnerability. They use a simple strategy: gain access through the weakest system, escalate privileges and then move laterally to leverage attacks on other systems, taking advantage of trust relationships between systems and applications.

Given that threat, patching 90 percent of systems is not good enough, because the entire chain of trust is only as strong as the weakest link. Eliminating trust between systems to block lateral movement is a long-term and expensive strategy, while finding and fixing vulnerable links is a low-cost tactic.

IT teams should automate this process to the fullest extent possible with built-in automatic and semi-automatic patching services. Configuration guides from software vendors and independent sources, such as the Center for Internet Security (, can also help harden and secure systems.

Tighten Citizen Data Protections

Information security is not just keeping attackers at bay; it also requires trying to protect data from all potential problems. Government IT professionals appreciate that mandate: 96 percent of public sector employees ranked recovery of data in case of outage or disaster as important or very important to their agencies, according to a survey by GovLoop and Rubrik, a cloud data management company.

Backups are decidedly old school, but they also are relatively inexpensive to perform — and they counter ransomware, which is on the rise. A ransomware attack may require a system wipe to resolve, but if an IT team backs up data continually, then the malware can do little damage.


Backups no longer involve putting tapes in drives and letting system operators run jobs in the middle of the night. Modern backup strategies are automated, use disk-to-disk or disk-to-cloud storage, and are designed to match recovery time objectives and recovery point objectives.

Disk encryption offers another inexpensive way to increase data protection and system security. Device loss and theft — serious problems with an increasingly mobile workforce and smaller devices — are less of an issue when disks are encrypted, and implementing whole disk encryption is now built-in to all major client platforms. It doesn’t get any cheaper than that.

L.J. Davids

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT