Do you know who is accessing your networks? Can you prove that each user is properly authorized?
These are key questions that keep government IT managers up at night. In addition to employees, governments have many other types of access to manage. Citizens, contractors, and other government agencies are just a few of the groups that an administration must consider for password management. One false move in identity management could quickly lead to lost productivity, negative publicity, and national security impacts.
When it comes to reducing your government’s security exposure, there are three barriers to overcome for effective SSO. First, you need to understand the threat posed by ungoverned employee access to the organization’s systems. Second, there is a need to fulfill auditor requirements. Finally, managers need support to easily manage identity and security requirements. By addressing these barriers, your organization will be ready for tomorrow’s cybersecurity attacks.
Managing the Internal Threat: Innocent and Malicious Risks From Employees
60% of all cyber attacks were carried out by insiders – Harvard Business Review
Imagine you are in an access control role at a tax authority such as the IRS. Your organization has precious financial and personal data on millions of individuals, companies, and organizations. In the hands of the wrong person, that data may be used for fraud, blackmail, and other purposes. Unfortunately, internal employees are sometimes the greatest threat to security. Mitigating that threat requires a multi-part strategy covering hiring practices, oversight, and systems. If managers cannot easily turn employee access on and off as staff move to new jobs or leave the organization, internal risk increases.
Educating managers about the threats posed by employees requires a combination of tact and awareness. Start by presenting the data from other organizations about the nature of the threat. Share the good news: Many insider attacks appear to result from inadvertent aid or support. There is also a minority of cases where employees are actively supporting attacks. Those are sobering statistics for any manager to face.
The Compliance Challenge
Continuous monitoring of technical controls is the #1 cybersecurity priority for the public sector – PWC Global State of Information Security Survey 2017
Failing an audit is a painful experience that damages careers and brings unwanted scrutiny to a business unit. Internal auditors are trained to evaluate whether employee access to systems is governed and documented according to the organization’s policies and procedures. Some managers take this responsibility seriously and keep meticulous records of employee identity management. Relying on individual diligence for recordkeeping, though, is not a sound strategy for achieving consistent compliance.
Government managers also need to deal with compliance concerns due to freedom-of-information laws. If access is poorly governed, it is only a matter of time before the media and other concerned parties discover the failure. In 2017, the Identity Theft Resource Center reported that 42 government breaches had put more than 200,000 records at risk. Once access and security controls have been defeated, recovering lost and stolen data becomes tremendously difficult.
Overburdened Managers Do Not Have Capacity to Manage User Provisioning
Modern business puts significant pressure on managers to deliver results, develop people, and keep the business running. When it comes to managing people, managers have excellent resources, such as Mark Horstman’s book, “The Effective Manager,” and personality profile tools like DISC and StrengthsFinder. Unfortunately, managers are often asked to fight through archaic processes to control access. The prospect of having to send multiple emails and follow up to remove an employee’s access remains an issue in 2017. How can you make this identity process easier to manage for employees and managers alike?
Avatier simplifies identity management for government organizations. Built to exceed the security requirements of the U.S. military, Avatier takes security seriously. By equipping your organization with a single source for identity, the days of manually tracking access in spreadsheets are over.
Final Thoughts: Can You Afford a Data Breach?
Improving your identity administration is one of the easiest ways to reduce cybersecurity risk. If users can easily reset passwords and change access as needed, they will not neglect security in the name of productivity. The impact of employee-facilitated cyberattacks will also be reduced, because access will be tightly restricted. Relying on manual processes to manage user identity increases cybersecurity risk. Can you afford to take that risk?