State governments aren’t invincible to cyberattacks. If your state agency handles sensitive information, follow these tips for cybersecurity in the public sector.
Cybersecurity and the Public Sector
The public sector has become a prime target for cybercriminals because of the wealth of sensitive information that state and local governments hold. That’s true across a wide range of government services, from law enforcement, healthcare, education, and the judicial system down, to libraries and local parks.
For most of these organizations, the “new normal” is cybersecurity first, everything else second.
For example, a 2019 study published by SolarWinds found that roughly 18 percent of respondents from public sector organizations in Britain reported more than 1,000 cyberattacks in the previous year, up from 14 percent in 2017. Of these cyberattacks, the most common were phishing (95 percent), malware (86 percent), and ransomware (54 percent).
These figures suggest that the greatest room for improvement lies in internal operations, and can be addressed by educating employees about potential cybersecurity threats such as phishing.
Indeed, the increasing use of phishing by cybercriminals to trick users into divulging their password credentials is alarming. A report from the Anti-Phishing Working Group (APWG) found that the number of phishing attacks doubled over the course of last year. The report also found that business email compromise (BEC) scams became more costly for victims in 2020, increasing from $48,000 in the third quarter to $75,000 in the fourth quarter.
To improve cybersecurity in the public sector, state and local policymakers must make thoughtful decisions that respond to the challenges of their growing populations, increased interconnectivity, changing expectations of government services, and the uncertainties of security in cyberspace.
States must also begin to think holistically and adopt comprehensive, risk-based cybersecurity strategies. Rather than simply responding to the most recent cybersecurity incident or headline, state and local governments need to take a longer view and instill best practices that are flexible and capable of adapting to an evolving threat landscape.
Implementing cybersecurity and policy frameworks is one way the public sector can meet those challenges, while enabling state employees to better protect their systems.
By following the recommendations and strategic approaches laid out in the following sections, state and local governments can innovate, advance their security goals, and better protect their information technology systems and their citizens.
Examine Existing Policies and Procedures
Now is always the best time to strengthen and build upon your cybersecurity measures. Begin by assessing how mature your cybersecurity program is. Once you’ve identified vulnerabilities, prioritize them to their likelihood of occurring and their potential harm. Then address each one in a remediation plan.
State and local governments can use a number of existing resources to compare their own cybersecurity policies. For example, the NIST Cybersecurity Framework is a strong baseline for cybersecurity state policies. FedRAMP is another resource that state and local governments can use to bolster their existing cybersecurity procedures.
These frameworks provide a high-level, strategic view of cybersecurity risk to help states better understand their own risk profiles. Then a state can apply the principles and best practices risk management to improve the security and resilience of its critical infrastructure and services.
Use this checklist when examining existing cybersecurity policies and procedures:
- Begin with the basics. Make sure your data backup and restoration capabilities are strong, and match the data retention policies for tiered data classifications.
- Create a disaster recovery and business continuity plan, and make sure it is current and tested to assure that fault tolerance and resilience are built in.
- Reduce your attack surface by collapsing networks and building partitions and micro-segments so that viruses, malware, and bad actors cannot traverse the whole network easily.
- Automate your software patch program and install monitoring to assure all critical systems are patched to latest software versions, including endpoint security.
- Set secure configurations for firewalls, routers, and switches.
- Implement “data at rest” and “data in transit” protection; encrypt sensitive data and personally identifiable information.
- Protect user credentials by using two-factor authentication.
- Understand threat vectors and steps in place to mitigate:
- Social engineering and phishing
- SQL injecting and remote control execution
- Cross-site scripting (XSS) vulnerabilities
- DDoS attacks
- Server vulnerabilities
- Understand basic defense measurements:
- Patching and staying current on all patch levels
- Restricting administrative privileges
- Network and application firewalls
- Application whitelisting
- Pentesting and vulnerability scanning
- Dual-factor authentication
- Virus protection
As the data created and stored by state and local governments has increased, so too have legal and regulatory obligations. It’s increasingly important that states examine their compliance and procurement policies, and assure that their vendors can meet compliance through the vendors’ own tools and services.
Establish a Cybersecurity Team
Perhaps the most important step to achieve strong, ongoing cybersecurity is to establish a team of specialists who can help your state or local government to build its cybersecurity policy.
Many states have cybersecurity expertise sprinkled across industry sectors and academic disciplines, and those people would likely be eager to contribute to a state cybersecurity policy. Try designating a “cybersecurity council” to bring those experts, to develop cybersecurity strategies for state governance and to help respond to ongoing threats.
In addition, states should also have a chief information security officer (CISO) and dedicated staff working on cybersecurity around the clock.
There are also opportunities to share knowledge with other cyber partners, too. The Multi-State Information Sharing & Analysis Center (MS-ISAC), for example, was created to improve the overall cybersecurity posture of state, local, tribal, and territorial governments.
Likewise, collaboration with the federal government and the private sector are also keys to success. For example, the Department of Homeland Security works with states to foster cybersecurity programs. The public-private InfraGard FBI partnership is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Partnering with a trusted cybersecurity firm can provide security posture assessments, penetration testing, and application and port scanning.
Create a Cybersecurity Culture
In most cases, regardless of whether an organization is in the public or private sector, the weakest link in the security chain is careless or uninformed personnel. Only eighteen states today, however, require cybersecurity training for all their employees.
Empowering employees with the skills they need to be prepared to protect against increasingly sophisticated threats is important to crucial to effective security. Creating a “culture of cybersecurity” can reduce the risks from cyberattacks, and state and local governments should implement a robust cybersecurity training program for all state employees.
Improving cybersecurity awareness within the workplace also extends to resilience. Assuring state networks can adapt, recover, and continue to operate after an attack occurs not only boosts a state’s security; it can create opportunities for states to build comprehensive, long-term strategies that set them on a path toward digital transformation.
Moreover, embracing cyber resilience can promote a culture of innovation, generate new avenues for investment, and contribute to a vibrant and economically competitive state.
Employ Cybersecurity Tools
One tool available to states seeking to improve their cybersecurity posture is cyber insurance. Cyber insurance complements your state’s cyber risk management process by providing financial protection against risks that can’t be fully mitigated.
Insurance isn’t a substitute for a strong cybersecurity strategy and practice. Indeed, many cyber insurance policies require that states meet a certain set of cybersecurity standards, such as regular staff training, encryption of sensitive data, and keeping security software current.
Ultimately, cyber insurance forces governments to implement strong cybersecurity practices. That increases the overall health of the states’ technology systems and protection of their data — benefits that go far beyond helping a state to recoup any financial losses suffered in a beach.
Cybersecurity Tools and GRC
Fortunately, governance, risk, and compliance tools can make managing your organization’s cybersecurity posture easier.
ZenGRC from Reciprocity can help you manage risk and compliance with confidence, providing a flexible solution based on your needs.
Allowing you to remediate any weaknesses, either through security patches to software or through changes to data collection practices, ZenGRC helps your organization be more prepared to report risk assessments and remediations to other parties.
ZenGRC also can integrate new threat alerts or updated regulations into your existing compliance program as they come along.
Schedule a demo today to learn more about how ZenGRC can help you and your state or local government organization improve your cybersecurity posture today. Worry-free government security and compliance: That’s the Zen way.