Speed vs. security in the age of pandemic
- By Tony Hubbard, Dave Buckley, Kathy Cruz
- Jun 18, 2020
The sudden imperative to move state employees to remote work followed by the unprecedented flow of billions into states coffers to pay unemployment benefits has created big headaches for government agencies.
Sophisticated fraudsters have been waiting patiently for just this moment -- the convergence of a flood of government funding and new, lax controls to allow money to get to applicants quickly. Armed with personally identifiable information obtained through data breaches and sold on the dark web, these fraudsters have applied for state unemployment compensation under false pretenses, diverting millions of taxpayer dollars and causing havoc for program officials and legitimate applicants. In addition, in states where mobile applications were quickly developed so applicants could apply conveniently via their smart phones, normal controls and processes were not implemented and, in some cases, security was compromised.
The move to remote work also led to some malicious activity as government agencies were forced to rapidly deploy remote-access solutions that were not designed to accommodate a surge of growth. Again, to get the workforce to be productive quickly, some security processes and controls were relaxed or waived.
Obviously, the pandemic forced government to balance the need for quick action against ensuring that security processes were followed and controls put into place. In the battle between speed and security, however, speed often won. Fraudsters, always watching for vulnerability and opportunity, pounced. And they are still pouncing.
In retrospect, better cybersecurity controls could have been baked into payment processes from the beginning. This upfront activity could have largely prevented the incident and response efforts that inevitably occur when security becomes an afterthought. However, hindsight is not helpful now, so what can be done going forward to bolster security and prevent fraud?
Government agencies should examine every key decision since work-from-home orders began. They should conduct risk assessments, understand the threats, vulnerabilities and consequences – and reimagine security tools and processes that should have been built in. Rather than thinking it’s too late and giving up, agencies should re-evaluate remote access and newly implemented collaboration tools, especially those involving third parties. For unemployment claims, agencies should re-examine modified applications and mobile apps to assure security. They must also look into privileged access, which may have changed, and continue to apply risk management concepts.
Above all, agencies must continue to focus on the fundamentals and make them integral to their culture. These include access management (especially for privileged users), training and awareness, consistent software patching, regular antivirus updates and well-tested business continuity and resilience processes.
While these measures can certainly help in the short term, the real solution is longer term.
If the pandemic has taught us anything, it’s the need to be resilient -- and that is especially true for government technology systems.
Broadly speaking, what has occurred over the past three months should cause government organizations to think about the next crisis and build systems that can adapt to whatever happens -- whether it is a sudden need for remote work solutions, a major program change to respond to an economic collapse or the constant need to stay one step ahead of hackers and fraudsters. In short, agencies must evolve with the environment.
When agencies anticipate disruption, technology transformation projects can be planned with resilience and adaptability in mind. Cloud-based operations must be considered for critical applications because the cloud can provide the agility, efficiency and the elasticity needed during both normal business operations and unpredictable times.
The need for speed may always conflict with concerns about preventing fraud and bolstering security. But one thing is sure: Future systems must be built for resilience, because the next technology upheaval could be right around the corner.
Tony Hubbard is a KPMG principal and leads KPMG’s government cybersecurity team.
Dave Buckley is a KPMG managing director and leads KPMG’s fraud risk management team.
Kathy Cruz is a KPMG director and a member of KPMG’s government cybersecurity team.