Last month, the Department of Defense (DoD) released its 2019 Digital Modernization Strategy – a roadmap for updating and streamlining its digital processes and shifting the Department from an “opt in” approach to an enterprise one. The Strategy is ambitious in its scope as the Department seeks to create an “IT architecture that transforms data into actionable information.”
To meet that goal, the data must be secure. While DoD will likely never jump on the bring-your-own-device (BYOD) bandwagon (for good reason), as some other federal organizations with less sensitive data to protect have, DoD has embraced a more mobile workforce in recent years. Its hundreds of thousands of commercial mobile devices point to an increasingly critical question: how should the federal government secure data at mobile endpoints and the edge, which is defined as anything outside of traditional data centers? For the government writ large, this includes not only BYOD phones and laptops, but also remote networks and devices that are corporate-owned and personally-enabled (COPE – a term used in NIST’s recent publication on mobile device security). And for DoD, this also includes systems out in the field and on the tactical edge, like vehicles, ships, and planes.
The good news is federal organizations are taking the question of edge data security seriously. DoD’s Strategy, for one, refers to the need for better mobile endpoint accessibility and security more than a dozen times. The bad news is that too many federal IT leaders and practitioners are missing out on some of the most appropriate, cost-effective solutions.
Results from a recent Acronis SCS and Market Connections survey of 200 federal government IT decision makers, influencers, and implementers (100 from civilian agencies and 100 from defense agencies) not only illuminate a troubling disconnect between decision makers and IT staff responsible for implementing solutions; the results also demonstrate a misunderstanding of what tools, or combination of tools, are needed to adequately protect edge data.
First, the troubling disconnect. According to the survey, 79 percent of senior executives claimed to either be an expert on or know quite a bit about edge security. In contrast, only 29 percent of those in hands-on IT or technical roles said the same. More than 40 percent of senior executives felt “excellent” about their agency’s ability to keep edge data safe and secure, yet only 21 percent and 31 percent of mid-level managers and hands-on staff, respectively, had the same level of confidence. Even more concerning, 11 percent of hands-on staff (the folks one might expect to have the best handle on solutions) said they were “not sure” about their agency’s ability to keep data safe and secure at the edge. More consistent communication amongst the different levels of IT leadership and staff could alleviate this problem of mismatched expectations and understanding, but a larger issue still looms.
Looking at DoD’s Strategy and the survey’s results in tandem, it is clear the government is overlooking a cost-effective, resilient tool for mitigating edge data security woes: a backup and recovery architecture that complements more popular solutions, like secure file sharing, traditional perimeter defense, data encryption, and privilege and identity monitoring. The survey found that only about one-third of respondents saw backup and recovery as integral elements of their edge data security architecture, compared to the 70 percent, 64 percent, and 63 percent who placed primacy on encryption, two-step authentication, and antivirus, respectively. The DoD Strategy does not even mention backup in its discussion of mobile endpoint accessibility and security – in fact, it does not mention backup or recovery at all.
Today, a business suffering from a data breach can lose $100,000 for every hour of downtime, not to mention the additional costs associated with data recovery. In the public sector, a data breach is often harder to measure in dollar amounts – but the impact can be just as, if not even more, severe. The effects can ripple far beyond the organization itself, affecting both citizens and national security. A reliable yet innovative backup and recovery solution, like Acronis SCS’s Backup Advanced with built-in, AI-based anti-ransomware software called Active Protection, can stop data breaches in their tracks, mitigating data loss and saving hundreds of thousands, if not millions, of dollars.
Take the recent ransomware attack on the City of Baltimore, for example. The attack has set the city back an estimated $18.2 million in damages and cleanup. These exorbitant – and entirely unnecessary – costs could have been avoided with a simple backup solution in place that followed the golden 3-2-1 rule: 3 copies of data (1 production and 2 backups) stored on 2 on-site storage media and in 1 off-site location, like the cloud. If that example is not enough to prove the point, no need to take my word for it – last week, the Cybersecurity and Infrastructure Security Agency, Multi-State Information Sharing and Analysis Center, National Governors Association, and the National Association of State Chief Information Officers released a statement citing backup as the most critical step for safeguarding against ransomware attacks.
Ultimately, DoD’s recent Strategy provides a refreshing roadmap for overcoming the complex obstacles DoD faces in modernizing its digital enterprise and staying ahead of the curve. Yet, as the Acronis SCS survey shows, DoD and all federal agencies need to rethink their approach to edge and mobile data security if they truly hope to realize an easy-to-implement, cost-effective, and future-proof solution in an increasingly mobile world. With the right backup and recovery tools, that can be a simple fix.