E-Government Security Threats: BYOD – “The Elephant in the Room”
Dr Martin Koyabe
Head of Research & Consultancy (CTO)
© Commonwealth Telecommunications Organisation
What is e-Government ?
“ The use by government agencies of information communications technology to transform relations with citizens, businesses, and other arms of government.”
Source: World Bank
Why e-Government ?
“Around 170 out of 193 countries have implemented some form of ICT (i.e. just having a website or even an email).” Source: ITU
Diagram: Better Government – Efficient, Effective, Participatory, Accountable, Transparent
e-Government Interactions & Relationships
Diagram of interactions between Government, Citizens and Business: G-to-C, C-to-G, G-to-B, B-to-G, G-to-G, B-to-C, C-to-B, B-to-B, C-to-C
South Korea e-Government Portal
Note: Very interactive despite having complex backend processing
Swedish Tax Agency Portal
Note: Very trusted and easy to use
Challenges & Obstacles in e-Government
#1 – Technical
– Lack of adequate IT infrastructure
o Public service legacy systems still being used
– Lack of technical knowledge
o In deploying e-Government strategic programmes
– Lack of efficient & robust secure systems
o In terms of information security & data privacy
Challenges & Obstacles in e-Government
#2 – Political
– Low prioritization of e-Government initiatives
o Lack of policies, regulatory structures & resources
– Poor strategic vision
o Lack of integration with mainstream strategies
– Lack of broad partnerships & collaborations
o With relevant multi-stakeholders
Challenges & Obstacles in e-Government
#3 – Cultural
– e-Government -> “Big Brother”
o Perception of government spying on its citizens
– e-Government -> “Retrenchment”
o Fears by public service staff about losing jobs
– Lack of confidence/trust in using e-Government systems
o Poor education and lack of awareness
– General fears
o About losing control or ownership of information
Challenges & Obstacles in e-Government
#4 – Legal/Regulatory
– Lack of relevant legislation
o Data protection & privacy laws are critical
– Non-existence of cross-border peering agreements
o To apprehend or pursue cybercriminals
– Less friendly regulatory environment
o Need to encourage investment
Target Security Threats
Chart (Source: Symantec): hundreds of targets, dozens of campaigns, direct/indirect attacks
Target Security Threats (per Sector & Function)
Source: Symantec
Security Trends Impacting e-Government
“The Mobile Paradigm Shift is among the four key security trends impacting e-Government. The others are Malware, Targeted Attacks and Data Breaches.” Source: Symantec
“The Elephant in the Room”
• Bring Your Own Device (BYOD)
– BYOD refers to smartphones and tablets that are not owned by the organisation
Unmasking “The Elephant in the Room”
• Despite the high rate of BYOD adoption, governance is not well understood by many organisations
– Initiatives sometimes approved without a business case
– Inadequate information security functions
Study on BYOD. Source: ISF/Ponemon Institute
Main BYOD Risks
• Caused by ownership of the device
– Exposes organisations to different risks caused by the owner’s behaviour & constrains the controls available
Study on mobile devices. Source: ISF/Trustwave Study (2013)
How do you manage BYOD risks?
• Approach should be information-centric
– Impact on data (information) should be the focus
Diagram of device layers: Physical – Hardware, Connectivity; Software – Operating system, Applications; Data – Information
Managing BYOD risks
• #1 Conduct a Business Impact Assessment (BIA)
– Impact on the organisation should the Confidentiality, Integrity or Availability of information be compromised
– Where applicable, use an existing BIA for guidance
• #2 Conduct a Threat and Vulnerability Assessment
– Determines the likelihood of that impact
Managing BYOD risks
• #3 Conduct a Risk Treatment
– Mitigation – applying appropriate security controls
o e.g. malware protection, mobile device management (MDM) or Data Loss Prevention (DLP)
– Transfer – risks are shared with an external party or via insurance
– Avoidance – risks are avoided by cancelling a particular BYOD initiative
– Acceptance – business owners take responsibility for the risk
Managing BYOD risks
• Other deployment issues to consider
– Implementing BYOD in the organisation
o Need to define governance structures and policies
– Evaluation
o Collect metrics and user feedback
– Enhancement
o Maintain effective risk management efforts
o Update the BYOD programme strategy and policies
My thoughts
• BYOD is here to stay
• Ignore BYOD risk at your own peril
• BYOD ownership behaviour adds more risk
• If you want BYOD be prepared to compromise
• BYOD data/stored information is more important
Finally
• e-Government is not the destination; it’s the path to the destination
Martin Koyabe e: [email protected] m: +44 (0) 791 871 2490 t: +44 (0) 208 600 3815
Q & A Session