Government Security and Data Breaches: Problems and Solutions

Last year’s massive data breach at the federal Office of Personnel Management (OPM) compromised the personal information of more than 22 million people and showed us that the government is no more immune to breaches than the private sector.

The details of that breach also showed that much of the OPM’s data loss simply came about because there were too many files to keep track of and outdated computer systems prevented adequate encryption. This made painfully clear the need for government (and other) organizations to adopt security policies and technologies that address the changing nature of data storage and the need to move data from old, distributed legacy file storage into centrally managed cloud storage.

However, adopting more efficient technologies to detect and protect files may often be easier said than done – especially for governmental organizations, which abide by certain limitations that private companies might not. In my experience, advising government entities like municipalities and police departments, I’ve learned that governments’ difficulties in deploying new technologies come down to several main issues:

  • Governments are often squeezed by budgets – and even when users and IT departments want to use different tools, they’re often bound by cost more than other institutions are. This creates a problem when it comes to deploying modern security measures or updating computer systems; sometimes those just aren’t budgetary priorities – but they should be.

  • Compliance does not equal security. We see this come up time and again in the hard-hit healthcare industry, which strives to comply with HIPAA but nonetheless suffers more data breaches than any other industry. Many organizations operate under the assumption that checking off the compliance boxes is enough to guarantee security, but it’s not. This disparity is a factor in government data breaches, too. Having to comply with federal regulations like CJIS often leads to a sacrifice of security – and productivity – in favor of checking off that compliance box.

  • Government buying cycles are long, and often rely on mandatory RFPs, even if the department already knows what it wants. By the time a department has gone through the arduous process and is ready to deploy a solution, it may already be outdated.

  • Shadow IT is rampant – because efficient, employer-sanctioned solutions are thus hard to come by, many departments unfortunately turn a blind eye to shadow IT. However, when employees use their own unmanaged devices and cloud-sharing solutions, confidential data isn’t being monitored or secured – and is all the more likely to be breached.

What it boils down to is the fact that many government organizations really are well-intentioned and understand the importance of strong security protocols. However, because they’re often bound by compliance, budgets, and political environments, they find themselves sacrificing security and becoming easy targets for data breaches.

In my experience, there are several steps government entities can take now to help protect their data:

  • First, departments must prioritize security, understanding that compliance, increased productivity, and efficient workflow will all stem from having secure data.

  • Next, governments must adopt cloud solutions, which not only streamline communication and workflow, but are also much safer than outdated, on-premises legacy systems that protect only the perimeter.

  • Once a department-wide cloud solution is in place, I’d advise deploying additional security measures such as file-level encryption, data loss prevention software, and auditing capabilities that will contribute to compliance and significantly reduce the threat of data breaches.

  • Finally, having a sanctioned cloud provider – and monitoring activity across team accounts – will help reduce the prevalence of shadow IT, which will in turn help keep all sensitive data on secure and managed devices. What’s more, the leading cloud storage providers have become very cost-effective, and their cost-per-usage model can actually fit into tight government budgets better than traditional software licenses.

The good news is that robust security solutions – such as cloud access security brokers, encryption measures, and bolstered security options for mainstream cloud providers – are rapidly evolving, becoming cheaper and easier to use. From the OPM breach to the backdoor encryption debate, government data breaches are in the news and on people’s minds. We can hope that these public discussions – along with the changing face of technology and security – will help government organizations address and eliminate some of the challenges mentioned above.
