Just as nightmare headlines about hacks and data breaches are unlikely to subside, so too are the cybersecurity challenges that tend to keep state government executives awake at night.
Given the complexities inherent in managing users, systems, applications and networks, state government executives continually struggle, often with severely constrained budgets and limited labor resources, to deter threats and protect privacy.
State governments face an array of denial-of-service attacks, brute-force attacks, zero-day exploits and other threats from attackers who range from lone hackers to hostile foreign governments. And the threats continue to grow. Market research firm Cybersecurity Ventures predicts cybercrime around the world will cost more than $6 trillion annually by 2021, up from $3 trillion in 2015.
Last year, for example, Atlanta was hit by a ransomware attack in March that crippled its network for nearly two weeks and cost an estimated $17 million to rebuild the impacted municipal systems.
Meanwhile, during the 2018 U.S. midterm election cycle, the Departments of Justice and Homeland Security worked closely with federal, state, local, and private sector partners, including all 50 states and more than 1,400 local jurisdictions, to support efforts to secure election infrastructure and limit risk posed by foreign interference.
As state government agency leaders strive to simultaneously modernize and proactively protect mission-critical digital transactions, they must focus on four primary target areas:
- Network connectivity – networks must be protected from threats to protect information confidentiality, integrity, and availability. Accepted cybersecurity guidelines from NIST and others dictate that states must monitor, control, and protect organizational communications including information transmitted or received by information systems, at external boundaries, and key internal boundaries of their networks and information systems. To keep pace with advances such as cloud services, states must strive to employ architectural designs, software development techniques, and systems engineering principles that protect the security of state systems and information. States must rely on trusted partners who understand and can protect data and help manage security across all platforms, applications and devices.
- User authentication/management – states must limit access to mission-critical systems to authorized users, processes acting on behalf of authorized users, devices, and transactions or functions that authorized users access in their daily work. Crucial strategies for combating threats in user management involve continued user training, accountability and the use of email security solutions, since cloud services and email are among the most popular threat vectors used by attackers these days. As more state governments employ telework to give employees the flexibility to work remotely, state leaders must also ensure they use sufficient end-to-end security controls, network separation and mobile device management (MDM) to prevent breaches arising from the use of personal hardware or home networks.
- Change management – controlling modifications to hardware, software, firmware, and documentation is a longstanding requirement that remains a top priority because state leaders must ensure that information systems are protected against any type of improper modification.
- Penetration testing – also known as pen testing, this involves running authorized simulated cyberattacks on an organization’s systems to evaluate the strength of that organization’s security operations. Various types of ‘white hat’ attacks can help state leaders gain insights into their digital infrastructure and any potential vulnerabilities. Penetration testing is considered the most effective method for identifying any network weaknesses, vulnerable entry points or individual users who may possess poor security habits.
It Takes a Village
State agency executives face stringent regulatory requirements to ensure there are no weak links in state cybersecurity protections. But they don’t need to do it alone. State leaders should rely on trusted private sector partners to help them deter threats. By leveraging modern, technology-driven eligibility solutions, for example, state agencies can reduce both security and privacy risks. Conduent possesses deep domain expertise and a breadth of experience in transactional operations to ensure that state agencies reduce vulnerabilities, deter threats and address emerging cybersecurity challenges as they arise.
We also understand your state’s stringent regulatory requirements to protect Personally Identifiable Information (PII), Protected Health Information (PHI), and payment card information (PCI), to help you comply with state and federal regulatory oversight obligations. Ultimately, we take your state’s security requirements seriously. We can help you better protect confidential information today, and as you modernize and migrate more agency processes to digital interactions in the months ahead.