How local governments can better protect their data and applications
- By John Parmley
- Aug 08, 2018
Cybersecurity for state and local governments has always been a tricky business. Networks are more decentralized than at federal agencies, and the threat levels are different. The federal government might face bigger threats from nation-state hacking, but when local agencies fail to patch their applications, they are every bit as vulnerable.
As local governments store more personal and critical data -- including voter records, driver's license photos and even biometric and internet-of-things data -- their risk of cyberattack increases, particularly from malicious hackers. Just this year, Atlanta was hit with a ransomware attack that crippled the city’s computer network. If a city of that size isn’t equipped to defend itself, how prepared can a small town in Idaho be?
For many, cybersecurity does not appear to be a top priority. According to a survey on local government cybersecurity conducted by ICMA, 44 percent of respondents said they were the target of daily cyber attacks. Another stunning stat from this survey: Over 50 percent of citizens either do not support any cybersecurity measures set by local governments or are completely unaware of what they are. When the very people whose data is at risk do not consider digital privacy a pressing concern, it’s unlikely that the government will expend the appropriate time and effort to address the issue.
Another problem is the simple fact that local government is extremely understaffed, especially when it comes to cybersecurity roles. Security departments are notoriously underfunded, with most state cyber budgets dedicating between 0 and 2 percent of their overall IT budget to cybersecurity, which needs to be parceled out between towns and counties. Even if they wanted to strengthen cybersecurity measures and implement stronger privacy policies, many agencies wouldn’t have the money to secure the necessary tools and equipment to do so.
Fortunately, there are some cybersecurity techniques that can lighten the load of an understaffed, underequipped government security team. One practice is zero-trust access.
Zero-trust access is exactly what it sounds like: No one, inside or outside the perimeter, is granted trusted permissions. The major goal of zero trust is to maintain security across the network, rather than just inside the firewall.
At first glance, zero-trust access might sound as if no one will have access to anything, but adding software-defined access (SDA) to the mix paves the way. SDA grants access to users on a case-by-case basis, and only for the specific applications or data intended.
The benefits of SDA
No matter how many layers of security are added, hackers have shown they can circumvent legacy perimeter protection. Rather than exposing applications to the internet and then praying unauthorized users don’t bypass authentication layers, IT managers can use SDA to completely hide services from the outside world until it is absolutely necessary to expose them to a user that has been fully authenticated, protecting the entire data lifecycle. While this cloaking system may seem like it hinders accessibility, it actually makes mobile access easier (if you have the proper credentials), since all staff members, no matter where they are, get the same treatment.
Furthermore, when users are given access, they have permissions for only specific data and applications. The access is constantly monitored and audited so that no changes in privileges occur. This supports collaboration while minimizing the risk of having too many cooks in the kitchen.
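The default-deny, per-application access and the privilege audit described above, sketched as an added example (not code from this article or from any SDA product). The `AccessBroker` class, the user and application names, and the `internal://` routes are hypothetical.

```python
# Added illustration: all names and data here are constructed.
from dataclasses import dataclass, field


@dataclass
class AccessBroker:
    # Approved baseline: user -> set of applications that user may reach.
    baseline: dict
    # Live grants start as a copy of the baseline; any drift is audited.
    grants: dict = field(init=False)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        self.grants = {u: set(apps) for u, apps in self.baseline.items()}

    def resolve(self, user, authenticated, app):
        """Return a route only for an authenticated, entitled user.

        Everyone else gets None, the same answer as for an application
        that does not exist, so the service stays hidden from them.
        """
        allowed = bool(authenticated) and app in self.grants.get(user, set())
        self.audit_log.append((user, app, "allow" if allowed else "deny"))
        return f"internal://{app}" if allowed else None

    def privilege_drift(self):
        """Report grants that differ from the approved baseline."""
        drift = {}
        for user in set(self.baseline) | set(self.grants):
            want = set(self.baseline.get(user, ()))
            have = self.grants.get(user, set())
            if want != have:
                drift[user] = {"added": sorted(have - want),
                               "removed": sorted(want - have)}
        return drift


if __name__ == "__main__":
    broker = AccessBroker({"clerk": {"permits"}, "dmv_agent": {"licenses"}})
    print(broker.resolve("clerk", True, "permits"))    # entitled and authenticated
    print(broker.resolve("clerk", False, "permits"))   # not authenticated
    print(broker.resolve("clerk", True, "licenses"))   # no grant for this app
    broker.grants["clerk"].add("licenses")             # simulated unapproved change
    print(broker.privilege_drift())
```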
SDA can also empower IT personnel to standardize security best practices across any number of agencies or departments. A relatively small number of IT staff (which is all government IT has to work with!) can effectively monitor an entire organization, ensuring that everyone is working with the same tools and on the same page.
In order to ensure information security in government, agencies must be able to exchange data securely while granting access when needed to public servants and citizens, no matter where they are. With such access, users will find it easier to react, respond and collaborate/communicate, all while ensuring that anything exchanged is protected, monitored and available only to approved personnel.
SDA provides an easy-to-implement tool that can improve cybersecurity at the state and local government levels by securing data exchange and ensuring that constituents’ data is protected.
John Parmley is North American CEO at Safe-T.