Recently we published an article on Government Technology Insider about how the Department of Education is strengthening its cyber posture through collaboration and cyber education. Although the article is about the federal agency that oversees educational institutions across the country, the strategies the agency uses to secure student data, health records, and financial institutions are highly relevant to colleges, universities, and K-12 districts. So, here are some best practices and excellent insight on how to strengthen cyber defenses through collaboration that you might want to consider as your organization plans for the coming academic year.
Cybersecurity remains a constant battle for the public sector. With the rise of due to the current environment, security is top of mind for federal agencies. Government organizations house personally identifiable information (PII) that, if leaked, can put citizens and the trust they have for these organizations at risk. To stave off bad actors, the public sector is taking a proactive stance to protect the digital landscape. For the Department of Education and NASA, navigating the risks that accompany public sector operations can be minimized through education and collaboration.
“We believe very deeply, at the core, that the platforms that win in the end are those that are differentiated by solutions—some of them delivered by the cloud providers, others by an ecosystem around them—and we’re very, very committed to our partners,” said Google Cloud CEO Thomas Kurian in a recent interview.
Department of Education
The Department of Education is responsible for countless transactions with student loans, student records, and grant records. Steven Hernandez, the Department of Education’s chief information security officer (CISO), explained that the mission is to protect student data. “When we look at Federal Student Aid, we have a $1.5 trillion portfolio in terms of accounts receivable. We issue hundreds of billions of dollars in educational funding and grants every single year and maintain the risk of that portfolio,” he said.
Those data points create vulnerabilities, but not a clear “data lake” that can be inspected by the Department – which makes cybersecurity a challenge, he explained. Hernandez also shared that bad actors usually look for “the loosest link in the chain” and for his department, that’s end users. “Right around 90 percent of the successful attacks we see, especially from a threat intelligence perspective, are coming in through phishing,” said Hernandez.
Through phishing exercises and stronger cyber tools, the Department of Education was able to cut down on phishing emails considerably. “During our last phishing exercise in which we targeted about 6,000 accounts, we had five people actually click the link and take the bait,” he said. “Two years ago, that would have been as high as about 20 percent of our organization.”
“When we start to blend the idea of front-end technologies, training and security awareness, ‘live fire’ testing and training with our phishing exercises, and that executive support messaging, we see a drive towards positive change,” concluded Hernandez.
Mike Witt, chief information officer (CIO) with NASA, sees the role of a CIO as someone who “understands what our risks are, what the missions are trying to do and how we can help things succeed and take risks, but also to protect the rest of our enterprise and the rest of our missions if one of the missions is going to take on a significant amount of cyber risk.”
For NASA, and Witt, security is about strategic decisions, risk management, and collaboration. NASA participates in a program where security professionals gain experience at other agencies and can share analytics tools and insights. “We have our personnel that work in security operations work at another agency for a week or two, and then vice versa, we bring that security analyst to our environment,” he explained. “It gives the other agency a perspective that they do not have otherwise, and you start building trust amongst the operational employees.”
This collaborative approach among CIOs could help other agencies on the cybersecurity journey. “[The CIO’s role is to] help things succeed and take risks, but also to protect the rest of our enterprise,” shared Witt.
Like the Department of Education and NASA, many government agencies are challenged by insider threats and siloed data. With collaboration and training, cyber leaders can prepare their workforce to take on bad actors. To keep the nation and its data safe, agencies and the private sector must work together to prevent threats.
“Our strategy for cloud is quite simple,” Kurian said. “In every industry, we see customers wanting to adopt digital technology either to lower cost, grow their top-line revenues or change … how they bring products in certain markets, and we at Google are using our cloud platform as a vehicle to deliver digital solutions to them.”