Rethinking Cybersecurity in a Boundaryless World
Government agencies are embracing a zero-trust approach to risk management.
In a world increasingly defined not by physical boundaries but rather digital ones, the volume of cybersecurity incidents across the globe continues to rise and with it the challenges facing public sector agencies. The stakes for protecting constituent data are more important than ever before. To defend against these digital threats, government agencies are embracing a zero-trust approach to risk management.
Zero-trust is a framework or model centered around a “trust nothing and verify everything” mindset. It allows government agencies to safeguard their environment no matter where data and people are located, enforce security policies and better prepare for what might happen next. Most importantly, zero-trust helps governments maintain public trust. When effectively implemented, this framework allows government agencies to ensure constituent data is secure while still providing an experience that is easy and seamless.
As government and public agency leaders continue along their zero-trust journey, here are a few considerations for those looking to continue lowering their risk exposure and enhancing cybersecurity:
Establish strong data governance
Government agencies must work to recognize cybersecurity risks, make risk-based decisions regarding resource allocation and seek resources to address vulnerabilities. It is essential that they adopt an enterprise approach that incorporates technology offices such as the chief information officer and program and functional offices, including personnel and procurement. They need to prioritize information requiring the highest protection levels.
In addition, as organizations continue moving towards automation, it’s important to recognize the data requestor may not be human. Many agencies utilize development, security and operations—or DevSecOps—to address these concerns. With DevSecOps, security is embedded up front and throughout the entire solution development lifecycle and reduces cyber risk and vulnerability as a result.
Prioritize identity management
Strong identity management employs authentication and user rights to help ensure access only to authorized people. Cyber analytics is just one method of enhancing an organization’s identity management. It can analyze user behavior, such as keystroke dynamics, mouse movements and navigation patterns; contextual factors, such as location, device and time of day; as well as external threat intelligence, such as malware, phishing attacks and identify theft.
Other solutions include zero-trust capabilities already in use by government organizations, such as role-based access control, multi-factor authentication and access where each user or device is granted the minimum system resources to perform its function.
Establish accountability
Understanding data assets is essential to personal and organizational accountability. Government organizations must implement effective, efficient network controls and monitor their use and effectiveness. They should also continually probe and test cybersecurity capabilities through simulated attacks on data, applications and services.
Implementing a zero-trust framework does not have to be a costly endeavor. Through the repurposing of existing cyber tools and capabilities, leaders should be able to unlock cost savings while enhancing their cybersecurity.
Foster a cybersecurity mindset
To effectively strengthen cybersecurity, all employees must participate. Organizations who successfully implement a zero-trust architecture ensure that all personnel recognize the importance of data protection. Cybersecurity is viewed as a top-down, bottom-up collective mindset by the entire workforce. In addition, ongoing “cybersecurity hygiene” is used as an invaluable tool along with leadership serving as “cybersecurity champions”.
Cyberattacks and threats to data protection show no sign of slowing in our increasingly boundaryless environment. Governments must act now to continue to bolster their cyber defenses if they hope to safeguard constituent information and maintain the public’s trust.
Tony Hubbard is a principal and government cyber security leader at KPMG U.S. and Viral Chawda is a principal and head of government technology at KPMG U.S. The views expressed are those of the authors alone and do not necessarily represent those of KPMG LLP.