Four ways to protect resident data in the era of digital-first government
Bad actors and cyber extortionists are continually staging attacks on public sector properties, making enterprise-grade security essential for every local government website. From small villages to counties with millions of residents, hackers increasingly target public sector websites with cyber threats like malware, ransomware, trojans and viruses. Even a relatively minor breach or infection can lead to thousands of dollars in investigation and remediation costs, not to mention fines and lasting reputation damage.
With cyberattacks regularly reported by mainstream media, residents know that they could be at risk whenever they provide personally identifiable information in exchange for access to online services. When it comes to engaging with their local government, they expect enterprise-level security alongside access to online government services anytime, anywhere.
How, then, can governments strike a balance between security and transparency? There are four mission-critical tactics helping governments give residents the online access they want while maintaining the data privacy and security they expect.
- Outsourced hosting
When an administration that hosts its own website comes under a cyberattack, it becomes easier for cybercriminals to bring down all administrative systems on that network. For that reason, many communities are choosing to outsource their website hosting to solution providers that can offer proven-effective colocation and geographically diverse data centers for disaster recovery.
Local governments that outsource their hosting also benefit from the following:
- The convenience of trusting that a critical data management component is being serviced and monitored by experts
- The ability to focus more time and attention on IT matters that require the attention and strategy of directors and other key personnel, such as leading digital transformation initiatives
- Integrated service offerings such as website design and development and a single source of support
- Hyper-alert scrutiny on attempted DDoS attacks
A distributed denial of service (DDoS) attack is an attempt by hackers to flood a website with an immense amount of traffic using multiple devices and IP addresses. DDoS attacks are rising as hacktivists, nation-states and other cybercriminals try to overload websites and effectively take them offline. Local governments are proactively reducing this risk by incorporating pressure-tested DDoS mitigation strategies and processes, such as monitoring activity for unusual traffic levels. Without DDoS mitigation and recovery plans, a website becomes unavailable, and its data—including resident personally identifiable data—becomes lost. Establishing DDoS mitigation protocols is crucial to identifying and combating some of the biggest threats to data security.
- Using multi-factor authentication
Local governments should use multi-factor authentication to thwart man-in-the-middle attacks. These threats occur when hackers covertly eavesdrop on end users and capture their usernames, passwords and other confidential data. For example, phone-based out-of-band two-factor authentication (2FA) adds protections that keep hackers from snooping on staff members and using their credentials to breach the website.
- Employee education as a foundation of vigilance
A growing number of cyber attackers are using the very people committed to our communities as a point of entry to government systems and data. Spoofing, malware, spyware, worms, viruses, ransomware, phishing, and man-in-the-middle attacks are avenues for cyber attackers to leverage employees as entry points to data. One of the best ways to mitigate these threats is to educate employees about them and empower them to remain vigilant and question suspicious digital interactions. Also, ensure your education efforts include training on the following:
- Identifying vulnerabilities and course-correcting
- Holding training events and follow-up refresher courses on cybersecurity
- Incorporating security topics into regular department meeting agendas
- Regularly sharing updates and learning materials with your staff
- Writing a cybersecurity best practices guide
- Constructing a central knowledge base for training purposes
To make your training impactful, ensure all staff members understand what is at stake and why maintaining security is crucial. Potential outcomes of a compromised platform include:
- Significant financial loss or burden to an institution
- Loss of time to litigation, recovery, and remediation
- Loss of public trust in your valuable online resources
- A decrease in website traffic and interactions with online processes
- Reduction in services utilized by citizens
- A public that is less engaged with their local government
The key takeaway: Usability remains optimized
The most critical aspect of these security features is that they do not diminish usability, access or transparency to digital government services. Residents benefit from the speed, convenience and functionality they want while trusting that their local leaders are maintaining every effort to protect their information.
As the director of information security at CivicPlus, Jim Flynn is responsible for managing the security and hosting reliability for its more than 12,000 global customers, impacting more than 340 million community members in the United States and Canada alone. Flynn has been at the forefront of cybersecurity strategy and leadership, protecting local governments from the continually evolving cyber threats that exist today. He has been with CivicPlus since 2009 and brings more than 20 years of IT security and data management experience to its customers.