Sponsor Content

How to Address Growing Security and Privacy Challenges

Data protection

Data privacy and security are growing concerns for government organizations as well as the constituents they serve. In addressing those concerns, public agencies may be able to learn from steps taken by companies in the private sector, says Bryan Shea, vice president of data security and privacy at Hayden AI, which provides autonomous traffic management technologies to governments.

Data privacy and security are growing concerns for government organizations as well as the constituents they serve. As agencies have increasingly embraced digital transformation efforts, online transactions are more commonplace than ever. At the same time, cyber threats are becoming more sophisticated. Emerging technologies such as the Internet of Things (IoT) have exponentially increased the connectivity of devices and the volume of data generated, further increasing the risk.

As organizations look to minimize and mitigate those security and privacy risks, they must confront a number of key questions. Which strategies and tactics will help ensure adequate security controls are in place? How can they adopt a cybersecurity strategy that is agile and flexible enough to evolve as data privacy and security needs change?

These concerns are not limited to government organizations, of course. In fact, public agencies may be able to learn from steps private companies have taken to address privacy and security.

Hayden AI, for example, is a company that provides autonomous traffic management technologies to governments. Security isn’t just a priority in the company’s products, says Hayden AI Vice President of Data Security and Privacy Bryan Shea – it’s a priority for the company itself.

“This includes physical security, digital security, data privacy, compliance, AI [artificial intelligence] ethics, and bug bounty programs that address algorithmic harm to minimize bias and inequity,” says Shea, a U.S. government-trained intelligence officer with more than a decade of experience spanning law enforcement and national security agencies. “The big thrust is to industrialize the Hayden AI platform for enterprise-level data security.”

In a recent Techwire interview, Shea discussed how Hayden AI is setting up the required programs for scale.

“We're taking the initiative to design it for the future in a very intelligent way,” Shea says. “Part of what we're doing is, from a security point of view, embracing the attackers’ viewpoint to build a proactive program rather than a defensive or reactive program.”

Much of cybersecurity boils down to human intelligence and holistic risk assessment, Shea says.

“There's a technical component to it, like most things,” he says. “And there are humans at the other end, working on attacks and intelligence collection and probing. In a way, we're dealing with digital burglary. We are looking to bridge those gaps on the technical and physical sides.”

As a company that relies heavily on IoT data, Hayden AI leverages a “find, fix and finish,” or F3, methodology for data protection, Shea says. He adds that Hayden AI tweaks that model slightly to “find, fix and validate” to apply across an organization.

“We will apply ‘find, fix and validate’ to vulnerabilities and attack vectors that could be exploited by threat actors,” he says. “We're going to find where the attacks may come from and set up a plan to fix them. Then we're going to retest and validate. We’ll be doing that consistently across the entire enterprise.”

The methodology blends the physical and cyber worlds, limiting opportunities for attackers to exploit any seams and gaps, Shea says.

“It's not just protecting Hayden; it's protecting everybody that we're working with, including our customers and partners.”

New technologies such as 5G can introduce data privacy and security risks.

“One likely evolution is faster speed of attacks due to artificial intelligence-based autonomous decision-making,” Shea says. “This will place a greater burden on data privacy strategies, prioritization decisions and standard operating procedures. And perhaps more privacy-enhancing technologies like […] will become more mainstream.”

Shea identifies two security challenges that pose a significant obstacle to government organizations.

“One is a well-developed social engineering attack that takes only one wrong click; the second is persistent threats (and hunting them down). Threat actors’ behavior that is, or is similar to, advanced persistent threats (APTs) operates at a very low level, barely tripping alerts.”

That’s concerning, he says, because such low-level alerts are typically overlooked — exactly the types of seams and gaps attackers operate within. New research, Shea says, underscores the need to rethink, reconfigure, retest and reevaluate defenses, including endpoint detection tools.

“That's why several months later is usually when these threats are first detected,” he says. “Since security professionals prioritize higher-level alerts, this is the seam and gap where these threat actors operate.”

Looking to the future, Shea says, government IT will be heavily impacted by two related trends: increased AI and increasing privacy concerns.

“Artificial intelligence and privacy are two broad headwinds, some of which seem to be based on reasonable hesitation mixed with fear and concern of abuse,” Shea says. “Part of the discussion is showing people that our activities are open and transparent; [showing] what we are doing right. It's not just talking, it's proving it.”

He cites a corporate data responsibility report from KPMG indicating that 86 percent of the general U.S. population is concerned about data privacy; 68 percent are concerned about the level of data being collected by businesses; and 40 percent don't trust companies to use their data ethically.

“I think a lot of this has to do with building trust by having very robust, honest, transparent conversations,” and providing proof that the company’s actions are aligned with its communications, Shea says. “It's also leveraging privacy enhancement technologies to protect the data.”