E-Government Security Threats BYOD “The Elephant in the Room” Dr Martin Koyabe Head of Research & Consultancy (CTO)
Page 1: Session 5.2 Martin Koyabe

E-Government Security Threats BYOD – “The Elephant in the Room”

Dr Martin Koyabe

Head of Research & Consultancy (CTO)

Page 2: Session 5.2 Martin Koyabe

© Commonwealth Telecommunications Organisation

What is e-Government?

“The use by government agencies of information communications technology to transform relations with citizens, businesses, and other arms of government.”

Source: World Bank


radically

Page 3: Session 5.2 Martin Koyabe


Why e-Government?

“around 170 out of 193 countries have implemented some form of ICT (i.e. just having a website or even an email)” Source: ITU

[Diagram: Better Government: Efficient, Participatory, Effective, Accountable, Transparent]

Page 4: Session 5.2 Martin Koyabe


e-Government Interactions & Relationships

[Diagram: interactions among Government, Citizens and Business: G-to-C, C-to-G, G-to-B, B-to-G, B-to-C, C-to-B, G-to-G, C-to-C, B-to-B]

Page 5: Session 5.2 Martin Koyabe

South Korea e-Government Portal

Note: Very interactive despite having complex backend processing

Page 6: Session 5.2 Martin Koyabe

Swedish Tax Agency Portal

Note: Very trusted and easy to use

Page 7: Session 5.2 Martin Koyabe


Challenges & Obstacles in e-Government

#1 – Technical

– Lack of adequate IT infrastructure

o public service legacy systems still being used

– Lack of technical knowledge

o in deploying e-government strategic programs

– Lack of efficient & robust secure system

o in terms of information security & data privacy

Page 8: Session 5.2 Martin Koyabe

Challenges & Obstacles in e-Government

#2 – Political

– Low prioritization of e-Government initiatives

o Lack of policies, regulatory structures & resources

– Poor strategic vision

o Lack of integration with mainstream strategies

– Lack of broad partnerships & collaborations

o with relevant multi-stakeholders

Page 9: Session 5.2 Martin Koyabe

Challenges & Obstacles in e-Government

#3 – Cultural

– e-Government -> “Big Brother”

o Perception of government spying on its citizens

– e-Government -> “Retrenchment”

o Fears by public service staff about losing jobs

– Lack of confidence/trust in using e-Government systems

o Poor education and lack of awareness

– General fears

o About losing control or ownership of information

Page 10: Session 5.2 Martin Koyabe

Challenges & Obstacles in e-Government

#4 – Legal/Regulatory

– Lack of relevant legislation

o Data protection & privacy laws critical

– Non-existence of cross-border peering agreements

o To apprehend or pursue cybercriminals

– Less friendly regulatory environment

o Need to encourage investment

Page 11: Session 5.2 Martin Koyabe

Target Security Threats

– Hundreds of targets

– Dozens of campaigns

– Direct/Indirect attacks

Source: Symantec

Page 12: Session 5.2 Martin Koyabe


Target Security Threats (per Sector & Function)

Source: Symantec

Page 13: Session 5.2 Martin Koyabe

Security Trends Impacting e-Government

“The Mobile – Paradigm Shift, is among the four key security trends impacting e-Government. Others are Malware, Targeted and Data Breaches attacks.” Source: Symantec

Page 14: Session 5.2 Martin Koyabe


“The Elephant in the Room”

• Bring Your Own Device (BYOD)

– BYOD refers to smart phones and tablets that are not owned by the organisation

Page 15: Session 5.2 Martin Koyabe

Unmasking “The Elephant in the Room”

• Despite high rate of BYOD adoption

– Governance not well understood by many organisations

– Initiatives sometimes approved without a business case

– Inadequate information security functions

Study on BYOD. Source: ISF/Ponemon Institute

Page 16: Session 5.2 Martin Koyabe


Main BYOD Risks

• Caused by ownership of the device

– Exposes organisations to different risks caused by the owner’s behaviour & constrains available controls

Study on mobile devices. Source: ISF/Trustwave Study (2013)

Page 17: Session 5.2 Martin Koyabe


How do you manage BYOD risks?

• Approach should be information-centric

– Impact on data (information) should be the focus

Physical

• Hardware

• Connectivity

Software

• Operating system

• Applications

Data

• Information

Page 18: Session 5.2 Martin Koyabe


Managing BYOD risks

• #1 Conduct a Business Impact Assessment

– Impact on the organisation should the Confidentiality, Integrity or Availability of information be compromised

– Where applicable, use existing BIA for guidance

• #2 A Threat and Vulnerability Assessment

– Determines the likelihood of that impact

Page 19: Session 5.2 Martin Koyabe


Managing BYOD risks

• #3 Conduct a Risk Treatment

– Mitigation – applying appropriate security controls

o e.g. malware protection, mobile device management (MDM) or Data Loss Prevention (DLP)

– Transfer – risks are shared with an external party or via insurance

– Avoidance – risks are avoided by cancelling a particular BYOD initiative

– Acceptance – business owners take responsibility

Page 20: Session 5.2 Martin Koyabe

Managing BYOD risks

• Other deployment issues to consider

– Implementing BYOD in the organisation

o Need to define governance structures and policies

– Evaluation

o Collect metrics and user feedback

– Enhancement

o Maintain effective risk management efforts

o Update the BYOD programme strategy and policies

Page 21: Session 5.2 Martin Koyabe

My thoughts

• BYOD is here to stay

• Ignore BYOD risk at your own peril

• BYOD ownership behaviour adds more risk

• If you want BYOD be prepared to compromise

• BYOD data/stored information is more important

Page 22: Session 5.2 Martin Koyabe

Finally

• e-Government is not the destination; it’s the path to the destination

Page 23: Session 5.2 Martin Koyabe

Martin Koyabe e: [email protected] m: +44 (0) 791 871 2490 t: +44 (0) 208 600 3815


Q & A Session