Governments Are Soft Targets for Cyber-criminals – WHY?
Government agencies store sensitive data of citizens: Hackers target government agencies due to the confidential information they store, including the data of citizens (such as addresses, driver’s license numbers, Social Security numbers, financial data, and healthcare records). They also house information critical to local or national security. Other hackers are interested in gaining access to sensitive infrastructure to damage control systems or disrupt public services.
Further to my understanding of the highly prone IT infrastructure of government, lately, I got the opportunity to know more about it in a meeting with the Director of Corporate Security, Risk Management and IT Compliance
at one of the biggest government agencies in Ontario. I was shocked to learn that the Ministry’s corporate security office considered Employees as the biggest threat to its cybersecurity. My counterparts in the Middle East, Asia, and Europe also supported the fact. In 2019, human error caused security incidents in 87% of government entities, and system downtime for 14% of them. Additionally, 43% of government IT professionals said they investigated
security incidents that involved insider misuse. I also observed during my discovery calls and need assessment meetings with government agencies that most of them are using older versions of software, which are more vulnerable.
Implement security governance or risk management: Many reputed third party consulting firms endorse the importance of security governance and risk management, and it is widely accepted by many. However, the majority of government organizations have not yet implemented essential security governance or risk management measures within their IT infrastructures. During one of my discussions with an IT security officer, I came to know that most of the government agencies don’t have dedicated security personnel, leaving compliance and security to be shouldered by IT operations teams alone. Governments are doing little to modernize cybersecurity practices. They continue to focus on protecting endpoints, corporate mobile devices, and on-premises systems, even as the threat landscape and modern IT infrastructure have changed. For example, many of the government entities do not have any visibility into BYOD and have no visibility into their cloud infrastructures.
General Conclusion: The general conclusion we can draw is that government agencies need to start approaching IT risk in its entirety: Senior management must get more deeply involved and fund cyber-security initiatives. Otherwise, their IT teams will not have the visibility required to maintain stable IT operations, comply with regulatory requirements, and identify ongoing security threats. I’d highly recommend all government entities, be it municipal, provincial, or federal, to have cyber risk assessments like Vulnerability Assessments, Penetration Testing, Network Architecture Review, Security Configuration Review, and DLP conducted by companies like Connectis Group.
We are a Canadian Enterprise Information Security company delivering comprehensive security solutions and competitively priced security services to a myriad of industry verticals and government agencies, empowering enterprises to achieve a business enabled defense-in-depth security posture, manage corporate risk, improve compliance, and attain proactive detection and prevention of security threats to their computing infrastructure, data, and applications.
If you got Questions: We are happy to answer your questions regarding cyber security, incident response, risk and compliance, security consulting, penetration testing and vulnerability assessment coupled with our breadth of security offerings, we’ve been assisting clients of various sizes for over 25 years. Through strong partnerships with leading IT Security solutions and technology companies, Connectis Group can design, implement, and support cost-effective security solutions to meet your organization’s needs.