IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Two Top Areas to Mitigate Government’s Cyber Woes: Part One

Remote work and underinvestment have created a public-sector security environment ripe for exploitation — the government must respond. In the first part of a two-part series, Oracle leaders talk about the human element.

Security
Cybersecurity has been a major challenge for state and local governments for years, and the pandemic has only exacerbated the threat.

Today, there exist scores of new attack endpoints, and governments are a ripe target for attacks due to a lack of comprehensive security policies; a shortage of funding for security initiatives; and fractured data governance among federal, state and local governments. The security threat is magnified in the government sector because of the confidential nature of the information stored: Social Security numbers, birth certificates, driver’s license information, bank account and credit card information, and addresses for millions of people. There’s much at stake.

There are two main avenues agencies can pursue to reduce risk: people and processes. On the front end, governments must do a better job educating the workforce and the public on the dangers of cyber crime and best practices for lowering risk. On the back end, organizations must adopt IT infrastructures that reduce the complexity of their system, thereby lowering the opportunities bad actors have to infiltrate the network and shielding them from unneeded exposure.

In this two-part cybersecurity series, we’ll dive deeper into the role that people and processes play in governments’ cybersecurity stances. First up: people.

BUILDING A SECURITY-SMART WORKFORCE


Over the last 18 months, cyber criminals’ focus has sharpened to the work-from-home infrastructure as many companies and governments moved to digital operations to enable employees to work remotely. Understandably, the abrupt transition initially caught many agencies off guard, which made cybersecurity training difficult.

But now, many agencies are undergoing a more permanent transformation to a hybrid-remote model. So it’s crucial that agencies make time to provide employees with the necessary training and technology for navigating this new environment.

Because of remote working, increased endpoints and security teams that are stretched thin, it has become easier than ever for bad actors to succeed. Attackers are posing as government agencies to get data through phishing attacks. These strategies dupe citizens and employees who think some emails and texts come from official channels. Phishing is a key entry point to those type of threats. The 2021 Verizon Data Breach report found that 61 percent of attacks involved use of unauthorized credentials, and phishing rose to 36 percent (up from 25 percent). And when one phishing exercise — like a malicious email — hits its target, the whole organization is at risk of compromise.

The new reality we face makes it more important than ever that employees be trained on best practices around security. It’s easy to say that organizations should recruit and hire new workers and teams that are trained experts in cybersecurity to help train their workforce. But these types of people are like hand sanitizer in the early days of the pandemic — they're in such high demand that they aren’t available. In fact, in a recent survey by analyst firm Enterprise Strategy Group, 95 percent of security professionals said the cybersecurity skills gap had not improved in recent years.

As a result, it’s really on each rank-and-file member of an organization to make their own security education and knowledge a priority. For management, one approach is to think of it like teaching defensive driving. Organizations must train their people to identify warning signs and situations so that security incidents like breaches and fraud don’t happen to begin with.

One crucial step is to educate employees on what to do if they are targeted by a cyber threat, how to respond and what actions to take. To prepare for inevitable security incidents, agencies should use playbooks to design and offer advanced training and scenarios. One example is red teaming: mock situations in which another group acts as a malicious actor, then provides security feedback.

But it’s equally important that employees feel confident enough to admit when they’ve made a mistake for the sake of security. Human negligence continues to be the leading cause of security breaches; according to the Verizon 2021 Data Breach report, 85 percent of breaches were caused by a human element.

In the future, organizations will be judged not by whether a cyber incident occurs, but in how they react to the inevitable incident. There is no such thing as overtraining — the outreach and training for employees and constituents must be ongoing.

Join us for part two of this cybersecurity series next week, where we will dive deeper into the place of processes in security posture.

David Knox is Oracle's group vice president for government and education solution engineering. Martin Benison is the company's industry executive director for state and local government.