Higher Stakes In OPSEC As COVID-19 Disrupts Everything
By: Shrey Fadia
Originally published on Pandemic Tech News
Wars are rarely won because of individual heroics, but by teams of people working efficiently together. Today, we find ourselves at war with the coronavirus – a global pandemic of epic proportions. Cybersecurity is essential in military operations, and the U.S. Government and other governments around the world are shining a brighter spotlight on the need to protect vital systems and sensitive information, including intellectual property regarding the development of treatments and future vaccines.
Teamwork makes the dream work, but with COVID-19, teamwork is different and less controlled than it can be in physically unified environments, with digitally solid perimeters. When workers are at home, they are safer physically, but not digitally. When it comes to government workers, given nation-state attacks, it is mission-critical to ensure access to systems, networks, datasets, and applications is tightly controlled, and the only way to do that is with advanced software and automation.
We caught up with Michael Fritzlo, Executive Chairman of Ironsphere, a company offering Privileged Access Management solutions, working with companies including Pega Systems, to support large global enterprises, service providers, and organizations.
“The global pandemic strikes at the heart of teamwork, but we cannot allow it to negate the power of working together, especially at this time.” Said Michael Fritzlo, Executive Chairman, Ironsphere
“While government and military agencies are of the utmost importance, the OPSEC principles established by top commanders with the rise of digital systems over the last several decades also apply to financial service institutions, healthcare providers, insurance companies, and more,” Fritzlo said.
Operations Security (OPSEC) is a discipline of military origins that, in the computer age, has become vital for the government and private organizations alike, and leading CSOs now include OPSEC as part of their comprehensive risk management cybersecurity postures. OPSEC is a proven process used by organizations to assess and protect data that could if properly analyzed and grouped with other data by an adversary, reveal a bigger picture that ought to stay hidden.
“We’ve advanced the art and science of OPSEC since it was first established during the Vietnam war,” Fritzlo said. “The definition continues to evolve and depends on each agency or enterprise’s mission and offering, but given the massive growth of cyberattacks, OPSEC is impossible to do well without software automation and AI. We work with very large and complex organizations, with the top security executives in the world, and are helping them replace manual systems with automated systems, including Privileged Task Automation. They need real-time capabilities, while also needing the ability to capture and review trends and reduce the friction and cost of audits as regulations understandably tighten.”
Since the early days, the OPSEC concept spread from the military to other U.S. government departments and into private industry.
The U.S. Department of Energy, which is in charge of the U.S. nuclear arsenal, has its own definition of OPSEC:
“Operations security involves a process of determining unclassified or controlled critical information that may be an indicator or pathway to that classified information requiring protection, whether for a limited or prolonged time … the purpose of OPSEC is to identify, control, and protect sensitive unclassified information about a mission, operation, or activity and to deny or mitigate an adversary’s ability to compromise that mission, operation, or activity.”
“OPSEC failures at the corporate level may not put national security at risk, but they are still catastrophic for the companies involved,” Fritzlo said. “And given the advancement of public-private partnerships, and the sharing of data using APIs between various systems, we all benefit from working together across government, military, financial, and now especially healthcare industries, given how interconnected they are. Consider, for example, the massive fraud underway with unemployment insurance claims; this requires a partnership between state agencies, federal guidelines, banks, and technology companies to solve. So, in fact, a weak financial or hospital system is a national security threat.”
Fritzlo cited studies showing that more than half of the incidents are caused internally, either unintentionally, but more often intentionally, by disgruntled employees and third-party contractors.
“Without a Privileged Access Management platform in place, risks skyrocket,” Fritzlo said. “We have been working harder than ever to bring capabilities in, to automate and reduce risk in a cost-effective manner. We also have to stand up solutions quickly – in a week or less – as these risks are so real given the work-from-home mandates and other complications that are defining new ways to work in 2020 and beyond.” As we emerge from this crisis, we will have the opportunity to analyze what happened and understand how we can improve in the future. But given the “state of emergency” we find ourselves in globally, Fritzlo says, “We can no longer look at OPSEC as something that would be nice to do – we must have full OPSEC measures and technologies in place now, as there is so much at stake, including lives.”
Weak passwords have long been the Achilles heel of IT teams, and despite all the best intentions, corporate policies, education, and workarounds, passwords aren’t going away any time soon. There is some buzz around password-less access, but there are good arguments to suggest that passwords should play a fundamental role in authenticating access.read more
Securing Increasingly Decentralized Corporate Environments in 2021: Changes and Challenges for Access Management
It is understandable that many IT leaders are solid fans of the centralized approach to cybersecurity, arguing that it allows companies to better assess and manage their risks by being able to control every application, device and access privilege, by user.read more
The debate on centralized vs. decentralized IT has been going on for decades, and there are solid arguments for both choices. The rise of the cloud changed everything, and today “shadow IT” continues to challenge CIOs and CISOs who are charged with protecting the assets of their organizations while also not restricting the number of productivity tools available which employees and contractors continue to find and use rather than using “official” applications.read more