IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Two Top Areas to Mitigate Government’s Cyber Woes: Part Two

Remote work and underinvestment have created a public-sector security environment ripe for exploitation — the government must respond. In the second part of a two-part series, Oracle leaders talk processes.

Servers shutterstock_141093727
There are two main avenues governments can pursue to reduce the risk of cybersecurity threats: people and processes. In the first installation of this two-part series, we examined how governments can better educate the workforce and the public on the dangers of cyber crime and in turn lower risk.

Now, we turn our attention to government processes, whose complex nature is a main contributor to spikes in breaches. Many government IT systems are highly complex, siloed and hard to manage. As agencies contract with different vendors for different functions across the IT stack, it becomes impossible to maintain an end-to-end view of activity. As a result, inevitably there will be blind spots providing openings for security breaches.

DEVELOPING AN IT INFRASTRUCTURE: KEEP IT SIMPLE


To combat this, it’s important for companies to keep in mind that, ultimately, complexity is the enemy of good security. It’s imperative that agencies build IT infrastructures that are easily monitored through a single pane of glass — not necessarily meaning that these systems should be less complex, but rather that systems should be configured in a consistent manner and share information.

The challenge here becomes cost. Most smaller local and regional governments don’t have the resources to implement the advanced security services that some of the major vendors provide. Keep in mind that the average cost associated with a data breach was more than $4 million from May 2020 to March 2021. In the U.S., the average cost is even higher, topping $9 million. So the upfront spend to streamline systems is actually a sound investment when considering how badly a breach can damage a business and its balance sheet. Fortunately, there is a cost-effective solution: the cloud.

Whether an organization operates in on-premise and/or cloud environments, security duties are separated and shared between customers, system integrators and vendors. Each group has control of their specific functions and generally policies are not shared or spread across groups. As government organizations progress in their cloud journey, cloud service providers can play a larger role and reprieve government organizations of some cybersecurity duties. This is especially important as many government organizations may not have the right resources to address their security needs. Cloud service providers bring expertise and tools that government organizations might not have access to otherwise.

Beyond the improved separation of duty, cloud is scalable, cost-efficient, highly available and allows consistent, high-functioning security controls and architecture. Perhaps one of the most compelling arguments to move to the cloud is the opportunity for automation, which can prevent mistakes and keep systems updated without bringing down critical systems. A truly autonomous system eliminates the opportunity for human error. Cloud automation and autonomous software is self-patching and can prevent breaches where patches exist but aren’t applied. Many clouds also provide artificial intelligence and machine learning as well as user behavioral analytics.

While moving to the cloud outsources infrastructure cybersecurity, the government still must manage the threat of omission and commission by their application users. Therefore:

  • If users are accessing systems with personal technology, ensure that additional security mechanisms are in place to combat risks related to accessing systems from nonagency owned devices.
  • Preventive and detective controls should be in place to stop and/or monitor duplicate transactions and sensitive changes such as banking information for suppliers.
  • Segregation of duties needs to be enforced to ensure that users have appropriate access for their job duties and functions without imposing additional risk.

An organization’s security is only as strong as its weakest link — whether that be its people or its technology platforms. As we enter a new era for the public sector, it’s important to secure all the components and be proactive. Bad actors are out there and will continue to find a new way to make money at our expense. Security must be built into the agency’s culture, training and technology. Making security central to the operation of your agency is the only way to combat the threats we see today.

David Knox is Oracle's group vice president for government and education solution engineering. Martin Benison is the company's industry executive director for state and local government.