The federal government is normally tasked with defending its people and all institutions under the banner of the United States. Cyber threats have unfortunately changed this perspective and forced us to go beyond traditional perimeter security. State administrators must now be responsible for cyber security in addition to all other duties. Protection of information is not new for states, but how we protect information is. In 2017, there were 42 state level bills introduced to improve state government cyber security practice. State legislators are clearly interested in improving cyber security and recognize that the government is the first line of defense for citizen data.
The Most Dangerous Threat
For state agencies, the most significant risk is none other than insider threats, both negligent and malicious intent. Protecting the citizens of your state from cyber attacks now requires that you focus on internal threats. Those are your everyday employees, contractors, third-parties, and other government agencies. One of the most in-depth studies on the cyber risks that government institutions face came from a joint effort authored by the Secret Service, National Threat Assessment Center (NTAC) and the CERT Program of Carnegie Mellon University. The authors of the report detail cases and the fallout from malicious employee activity. Additionally, a report from the Ponemon Institute discussed how often insider incidents are the result of negligent security practices by well-meaning employees. This year’s high profile data breaches and ransomware cases were the result of a negligent employee.
State Level Challenges
States face many nuanced barriers when it comes to implementing good cyber security practices. Some of the barriers are within the control of the state, while other barriers are dependent on wider factors. These barriers include financing, attacker sophistication, and a severe skills gap.
Financing Constraints
Public sector financing is one of the central reasons why states are behind when it comes to cyber security. Among states the principal priority is the development and preservation of optimal outcomes, a data-at-risk approach can aid decision makers with understanding the risk that comes with poorly secured state institutions. Financing often impacts the ability for state institutions to keep systems up-to-date, use the latest cost-effective practices, or even have access to security management awareness.
Attacker Sophistication
Malicious actors have become very sophisticated in their development of malware and coordination of attacks. Much of the coordination, transactions, and development occurs on the darknet outside the scope of government and security agencies. The increased organizational capability of hackers is an increasing threat to state level institutions. Cyber criminals now have the capability to collapse a government with little more than a simple ransomware.
Skills Gap
The private sector has been decrying the cyber security skills gap and shortage of workers for this highly specialized task. For the state agencies it’s even worse. With a shortage of talent available, the salaries state agencies can offer are often not as competitive with the private sector. This presents a challenging problem for the states and is closely connected to the financing issue for public sector organizations in general. Without a significant increase in budget for more IT support and cyber security development, state institutions face continued skill shortages.
Effective Practices
As stated above insider threats are one of the highest risk areas for state institutions and government overall. Insiders are vulnerabilities in themselves and can introduce malware to your network or create a backdoor for theft that would have been otherwise blocked by your antivirus or firewall. The following measures are vetted practices that have worked for private companies and public sector institutions alike.
Integrated Data Governance
The data that flows through your institution needs to be protected but first you need a formalized system of managing that data. By integrating information into your daily governance you gain a strong understanding of how data flows in the local government. This requires an examination of people, policies, processes, procedures, and protocols. This is a time intensive undertaking, so it is good practice to establish a committee who can commit a few hours to gather this information and develop the policy and framework for information governance.
Principle of Least Privilege
This principle revolves around the idea that a user should only have the minimum amount of access and permissions necessary to perform their job. Anything more and you expose your organization to an insider breach. Least privilege requires that you manage permissions beyond the default settings and make them relevant to your context. For privileged users, it’s important to give them two accounts, one that gives them the minimum amount of privileges to do their jobs, and another standard account for non-privileged duties.
Behavior Baselines (Network and User)
In the public sector, baselines are very common practice. It’s used to compare performance in development and a variety of other areas. When it comes to cyber security, it can also be an incredible practice to prevent insider threats. It’s commonly referred to as user behavioral analytics. It’s recommended to use monitoring software capable of tracking both network and individual employee behavior to know your baseline. Be sure to keep watch for deviations from the baseline and watch for suspicious behavior. Best part about this technology is it’s automated thanks to both machine learning and other advancements.
Your state is fully capable of keeping your citizens secure. It’s just a matter of recognizing what the highest priority threat is. Insiders may be negligent and mean well or they can be malicious and intend to sabotage. Just be sure to stay vigilant and are managing your data with best practices to prevent insider incidents. It’s suggested to use the Common Sense Guide to Mitigating Insider Threats as your go to resource.
By: Isaac Kohen, Founder and CEO of Teramind
The Gallery is a forum for ideas and examination of matters facing state and local government. Readers, members of the media, academics or the business community are invited to submit guest columns to bailey{at}civsourceonline{dot}com. Member of the public sector? We’re interested in hearing from you too. CivSource does not endorse the views presented in The Gallery, but offers them in an effort to present more diverse coverage. CivSource will review all submissions but does not guarantee publication of all works submitted.
