
Cybersecurity: Government Agencies Must Lead by Example

10 Sep 2015 by Bob Violino

While cyberattacks continue to climb in the United States, government agencies can set a good security example. Working together, local, state and federal government and the private sector can have a real impact in the fight to protect against data breaches by cybercriminals.

The media, businesses and private citizens are watching how agencies serve the community, so it is important for government entities to demonstrate that they are identifying their cybersecurity weaknesses, starting with a security assessment, and acting on what they find.

The latest big government data breaches

Earlier this year, a U.S. federal agency drew a lot of attention related to cybersecurity — and not in a good way. In June, the U.S. Office of Personnel Management (OPM) revealed that it had been the target of a data breach aimed at the records of as many as 21 million people. Reports noted that one of the main contributing factors was OPM's lack of visibility and control into its IT systems and vulnerabilities.

A month earlier, the Internal Revenue Service (IRS) announced that cybercriminals had used taxpayer-specific data gleaned from non-IRS sources to gain access to information on some 114,000 tax accounts through the agency's "Get Transcript" application.

Then, following an internal investigation, the IRS said it had identified more suspicious attempts to obtain transcripts using information the attackers already possessed, which raised the total number of taxpayers affected by the breach to 334,000.

The information exposed in the IRS breach includes Social Security numbers, birth dates and street addresses. As the agency noted in a statement, the attackers had already gathered enough personal information from outside sources before visiting the IRS site to clear its multi-step authentication process, including the personal verification questions. The lesson is that knowledge-based authentication is only as strong as the secrecy of the answers, and answers drawn from data that is widely available to criminals offer little protection.

As both of these examples show, government systems and networks are as vulnerable as private sector IT assets, and the repercussions can be serious because the data involved is citizens' personal information.

Why government data breaches are worse

Indeed, because some federal, state and local government agencies gather such large amounts of information about citizens and companies, they are natural targets for attack. As communications company Verizon pointed out in its 2014 Data Breach Investigations Report, the U.S. federal government maintains a "massive volume" of data on both its employees and constituents.

A brief issued in 2014 by public policy research institute The Heritage Foundation identified a number of government entities that were hit by cybersecurity breaches during 2013 and 2014. These included the Nuclear Regulatory Commission, Department of Defense, Department of Energy, Federal Election Commission, Department of Health and Human Services, Environmental Protection Agency, Central Intelligence Agency, Department of Education and U.S. Federal Courts. 

One key concern is whether agencies truly know how vulnerable they are to attack. Industry research indicates there is room for improvement. A report by consulting firm PwC and CIO and CSO magazines, "The Global State of Information Security Survey 2015," for which 9,700 business and technology executives worldwide were surveyed from March to May 2014, showed that 26% of government respondents did not know how many security incidents their organization had detected in the previous 12 months. By comparison, the average across all industries in the survey was only 10%.

The most likely source of security incidents against government agencies is employees, the report says, including current workers (35%) and former employees (26%).

Solutions to secure government data       

So what can government agencies do to improve their security programs? Conducting a thorough security assessment is a good start.

Research firm Forrester has developed a maturity model that provides functional explanations and evaluation criteria for all aspects of a complete information security organization. It provides the foundation for Forrester’s IT security and risk program assessment engagements and provides clients with a comprehensive self-assessment tool.

The Forrester Information Security Maturity Model (October 2014) provides a framework that describes all of the required functions and components of a comprehensive security program. With a three-tiered hierarchy, it also offers a methodology for evaluating the maturity of each component of the framework on a consistent and prescriptive maturity scale and for reporting the position to a level of detail that can be adjusted for different audiences.

Forrester suggests that companies set realistic targets then demonstrate growth and improvement. “CISOs often struggle to communicate the results of their efforts, including how they’ve provided a return on security investment,” the firm says. “This maturity model provides an objective framework with which to measure progress; by setting realistic targets, you should be able to demonstrate to senior management that you’re driving improvement toward an agreed-upon goal.”

In addition to bolstering their own cybersecurity programs through assessments, government agencies can work with other organizations in government as well as in the private sector to improve information security more broadly. On that front, there have been some positive signs recently.

In April 2015 at the annual RSA Conference on information security, the U.S. Department of Homeland Security announced it was completing plans to open a branch office in Silicon Valley in California to "strengthen critical relationships in Silicon Valley and ensure that the government and the private sector benefit from each other's research and development."

Also in April, the U.S. House of Representatives passed the Protecting Cyber Networks Act as part of a bipartisan effort by Congress to promote information sharing about cybersecurity threats.

Critical components for enhancing cybersecurity

While some technology executives are skeptical of federal government requests that companies share information with it, because of privacy or other concerns, many welcome any effort to increase the amount of cybersecurity information sharing. They see threat intelligence and information sharing as critical components for enhancing the cybersecurity programs of both the private and public sectors.

Whether it’s working with other organizations to share information about threats or building a stronger internal security program via an assessment, agencies at all levels of government can play a huge role in setting examples for how organizations can protect themselves against the latest threats.

If you need an extension to your IT staff to help secure your agency, contact Insight at 1.800.862.8758. If you're still researching on your own, visit us online to learn more about emerging security solutions and how they can affect your agency. Once you're ready, take the Forrester security assessment here.