Build public trust by tightening security preparedness
- By Stephen Treglia
- Oct 05, 2015
Government agencies have been subject to criticism of late due to their ongoing struggles with data protection. While the public sector accounted for only 11 percent of all data breaches in 2014, according to a survey by the Identity Theft Resource Center, government data breaches are among the most highly criticized. In the private sector, the loss of trust after a data breach results in greater customer churn and reduced profits. In the public sector, relationships are not bound by the same economics; those affected by a data breach either have no fiscal recourse to express their loss of trust or no alternative service provider. What we see instead is a loss of faith in the competency of government as a whole. In order to bolster confidence among their constituents, government agencies need to dramatically increase their accountability for data security.
According to the Government Accountability Office, data breaches at government agencies involving personally identifiable information have increased by 91 percent in the past eight years, rising from 5,503 data breaches in 2006 to a staggering 67,168 in 2014. This year, the series of data breaches at the Office of Personnel Management affected more than 21.5 million people. This breach places sensitive information such as military records at risk, triggering reactions throughout the government sector.
Despite the publicity surrounding the increased risk, government agencies are still demonstrating an alarming absence of oversight regarding data security. In the case of the OPM breach, reports as recent as March 2015 indicated “persistent deficiencies in OPM’s information system security program.” If weaknesses are identified and then ignored, at what point does insufficient IT security then become negligence?
Responding to the fallout of the OPM breach and the ongoing rise in federal data breaches, Sen. Orrin Hatch (R-Utah) and Sen. Tom Carper (D-Del.) recently introduced the Federal Computer Security Act of 2015, a bill that encourages good “cyber hygiene” within the federal government. The act would highlight whether agencies are using up-to-date security practices and software, but it falls short of imposing any accountability for actual compliance. The same can be said for the current standards set by the Federal Information Security Management Act, which provides a framework for security standards but neither measures nor fines for failure to implement those standards effectively. Currently, failure to comply with FISMA standards results in a poor public report card, which could lead to reduced agency funding or congressional testimony by the CIO.
While the government’s own data security practices come under fire, the Third Circuit recently affirmed the Federal Trade Commission’s authority to regulate the data security standards of commercial entities. FTC Chairwoman Edith Ramirez noted that “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” The government has reaffirmed its dedication to enforcing security in the private sector, yet has not placed the same level of scrutiny on the public sector, which shares in these same struggles.
In order to save face and regain public trust, it’s important that agencies step up to ensure confidence in their own infrastructure. Despite the alarming statistics, there is a way forward. Numerous reports have indicated that many agencies fail to move beyond independent audits and reports into actionable plans. To be successful, they should consider the following:
1. Perform a risk assessment, to understand where data is, where it’s being used and by whom. This risk assessment must extend to vendors and contractors as well as data on the endpoint, including devices accessing sensitive data that may not be owned or secured by the agency directly. This review can be conducted internally or by an external auditor.
2. Create an actionable plan to address security risks with a combination of education, security policies and technologies that protect data wherever it resides and that have the ability to detect and contain a data breach.
3. Automate, wherever possible, to avoid ‘putting off’ data security updates. This includes automated patching as well as automated alerts if data is put at risk. For example, if an agency’s endpoint device travels beyond a geographic zone or its encryption is offline, the device can be remotely secured to protect critical data and network access from that device.
4. Make security a top-down priority in every agency. If the government is going to hold private companies accountable for security, it needs to make security a priority in every agency of its own. The only way to do so is to ensure that security becomes a top-down priority, backed by a strong security team, within every agency. This will help hold each agency accountable for its own security.
5. Leverage a layered security strategy to protect data, wherever it resides, for its entire lifecycle. A layered strategy better enables IT to cope with the rapid pace of change caused by mobility, the cloud and even the changing risk landscape. Leverage technologies that will help identify potential security threats and respond rapidly before they become damaging security incidents.
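As an added illustration of the automation described in step 3 (this is not code from the article or from Absolute), the following Python evaluates constructed endpoint check-in records against a hypothetical policy: a geographic zone, the state of disk encryption, and patch age. The zone centre, radius, thresholds and record format are all assumed values chosen for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class Checkin:
    """One endpoint check-in as an agency's management agent might report it (assumed format)."""
    device_id: str
    lat: float
    lon: float
    encryption_on: bool
    days_since_patch: int

# Hypothetical policy values (not from the article).
ZONE_CENTER = (38.8977, -77.0365)   # centre of the permitted geographic zone
ZONE_RADIUS_KM = 50.0               # devices beyond this distance are out of zone
MAX_PATCH_AGE_DAYS = 30             # older than this and patching is overdue

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(c: Checkin) -> dict:
    """Decide which automated responses a check-in should trigger."""
    findings = []
    if not c.encryption_on:
        findings.append("encryption_offline")
    if distance_km(c.lat, c.lon, *ZONE_CENTER) > ZONE_RADIUS_KM:
        findings.append("outside_zone")
    if c.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append("patch_overdue")
    # Loss of encryption or leaving the zone both warrant remotely securing the device;
    # an overdue patch only needs the patch job scheduled, not a lock.
    remote_lock = "encryption_offline" in findings or "outside_zone" in findings
    return {"device": c.device_id, "findings": findings,
            "remote_lock": remote_lock, "schedule_patch": "patch_overdue" in findings}

# Constructed sample check-ins for demonstration.
SAMPLE_CHECKINS = [
    Checkin("laptop-01", 38.9000, -77.0400, True, 5),    # healthy, in zone
    Checkin("laptop-02", 40.7128, -74.0060, True, 12),   # travelled out of zone
    Checkin("laptop-03", 38.8800, -77.0300, False, 45),  # encryption off and unpatched
]

def triage(checkins):
    """Evaluate every check-in and return only those that need action."""
    return [r for r in map(evaluate, checkins) if r["findings"]]

if __name__ == "__main__":
    for result in triage(SAMPLE_CHECKINS):
        print(result)
```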
Unfortunately, the public sector does not have a great track record when it comes to data protection. In order to reduce public cynicism, government agencies will need to demonstrate that they are addressing their own security affairs. Accountability plays a major role in this, with formalized security inspection and regulation required in order to hold agencies responsible for poor data security practices.
But until this has been mandated, government agencies can reconstruct trust in public administration by addressing issues of data governance and social responsibility.
Stephen Treglia is legal counsel and HIPAA compliance officer to the Investigations Section and Recovery Services Department of Absolute.