Top 6 Cybersecurity Fails in the Public Sector

Post Date: 08/15/2017

Hackers aren’t just whiz kids with too much time on their hands trying to annoy people with spam and viruses. It’s big business nowadays. With more sensitive transactions taking place online and more valuable information being digitized, criminals are more motivated than ever to break into sensitive infrastructures like those of government or financial institutions and make an illicit buck. After all, data is our new currency.

Not only can financially motivated hackers cause problems for the public sector, but espionage by other nation states can put American intelligence, and by extension American lives, at risk. There are, however, ways to fortify government networks while still enabling the use of modern cloud solutions. By using compliant solutions that have been properly vetted and by maintaining a proactive cybersecurity strategy, government agencies can stay a few steps ahead of a breach. Below, we outline six common failures and the key pillars to consider for cybersecurity in the public sector.

  1. You might be using outdated or legacy solutions.
    A recent study by the United States Government Accountability Office (GAO) found a $7.3 billion decrease since 2010 in federal spending on development, modernization, and enhancement activities. That means most of the annual IT budget is being spent operating and maintaining legacy IT systems within the federal government. So, if you work for a federal agency, it’s not unlikely that your network relies on a legacy system. Not only are these systems older and more expensive to maintain, they are also more vulnerable: many no longer receive vendor security fixes at all. Digital transformation and modernization of your IT infrastructure can also be tied to improved data governance, data protection and a state-of-the-art cyber program. Rather than the traditional “lift and shift” mentality, agencies can take the opportunity to review and reduce legacy data, minimizing the cost of storing redundant, obsolete and trivial information while at the same time reducing the risk of keeping sensitive data in an unprotected and outdated system.
  2. Not participating in “Patch Tuesday.”
    Patch Tuesday, the second Tuesday of each month, when Microsoft releases security patches and updates for its software and services, is an extremely important day. These monthly patches (plus the occasional out-of-band fix for an actively exploited flaw) are extremely valuable, because cyber criminals are constantly looking to exploit known vulnerabilities in your IT infrastructure, and the gap between a patch being published and exploit code circulating is often days, not months. Applying Patch Tuesday updates promptly, and applying the same discipline to non-Microsoft software, is a simple and effective way to mitigate the risk of a cyberattack on your agency. Ignore Patch Tuesday and you could be leaving a door open for hackers. At the same time, take the opportunity to work with your privacy and cyber teams to learn about new updates to the software and solutions you use, particularly when they are “pushed to your organization,” as is often the case with cloud solutions. Don’t become a victim of “excessive collaboration,” which can happen when well-intentioned new sharing features are rolled out across your environment with their defaults unreviewed.
  3. Falling for personalized “spear phishing” scams.
    Phishing scams are aimed at individuals or organizations, and many people find them hard to identify. A fraudulent email is sent disguised as one from a reputable institution or an acquaintance the victim would recognize (a bank, a family member, a colleague, etc.). The victim is then directed to a fraudulent link or an infected attachment. The criminals can then access the victim’s information or systems and use them in myriad ways, including holding data hostage until a payment is made, as ransomware such as WannaCry and NotPetya did in 2017. (Note that those two spread primarily through an unpatched Windows SMB vulnerability, fixed by Microsoft in MS17-010 two months before WannaCry appeared, rather than through phishing, which is one more argument for the previous point.) Any staff member could inadvertently open a door for hackers into the network, and every agency (and every organization) has at least one person who will click on anything. It is important to educate staff about spear phishing and other targeted tactics so they have a better chance of identifying them and alerting IT. This education cannot and should not be simply a mandatory once-a-year security or privacy training; it should be embedded in the culture of the organization. Security and privacy should be part of every employee’s job description, and the expectation should be set up front that data protection is their responsibility as well as that of the security and privacy teams.
  4. Not using a next-generation security solution.
    These days, a robust firewall isn’t enough to fend off cybercriminals. Most government agencies are required to comply with stringent cybersecurity regulations, but not all public sector organizations have a strong, multi-layered set of controls in their cybersecurity strategy. You also need capabilities such as real-time network monitoring, email filtering and endpoint protection. The more layers in your security infrastructure, the more barriers there are between your sensitive data and those hoping to obtain it for nefarious purposes. Further, many organizations are slow to realize they have been breached simply because they do not understand, and have not properly identified, the data they hold. Tagging data (specifically with security and classification metadata tags) allows your organization to discover, map and properly protect it, and to determine which controls need to be applied to each class of data.
  5. Not monitoring your network for suspicious activity.
    You may be tempted to think that installing a next-gen security system is the first and last step required for peace of mind. Nope. Your new system very likely offers real-time network monitoring. Use it! Look for anomalies in authentication and network data, such as bursts of failed logins followed by a success, logins from unfamiliar locations or at unusual hours, and outbound connections to unknown hosts, to spot a back door being used or an employee who has accidentally fallen for a phishing scam. Nobody reviews raw logs by hand, so codify these checks as alerts and tune them against your own baseline. This is a key step in the event your network is breached: the faster you can act, the less damage the cybercriminal can cause.
  6. Failing to follow incident reporting procedures.
    Because the data that public sector agencies handle can be so sensitive, there are often strict reporting procedures in the event that a cybersecurity breach does happen. For example, federal government agencies must follow the US-CERT Federal Incident Notification Guidelines if data is compromised. Make sure you have an action plan in the event your network fortress is breached, and know how and when to report cybersecurity problems.

Many cloud solutions approved for government use comply with the cybersecurity standards set forth in programs like FedRAMP. That means the productivity and cloud solutions your organization uses today, such as Microsoft Azure or Office 365, treat security as a key priority. Combine that with a robust security strategy that includes technology, education and appropriate follow-up procedures, and a security breach becomes less likely. If you want to speak with us about protecting your data, please get in touch.


Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
