From federal agencies (whether civilian agencies or defense and intelligence agencies) to state and local governments, organizations in the public sector are advancing digital transformation to better serve constituents, protect the homeland, connect citizens with data and increase agency efficiency. Through all this change, government IT and security professionals are challenged to ensure that systems and data remain secure and protect sensitive government and citizen data, while remaining open and transparent to stakeholders.
Working both independently and in partnership with other organizations (public and private),
government organizations pursuing digital transformation to deliver mission outcomes for
constituents face some level of potential for increased risk that could impact the mission.
As agencies and their partners work to make government more accessible to citizens through online and mobile experiences, there is a risk that these activities will also make operations and data more vulnerable to cyber attacks—whether by external actors such as nation-states, activists and disgruntled citizens looking to create chaos, or by insider threats across the government workforce. Potential consequences can have major impacts including:
- Threats to national security
- Disruptions to public services, utilities and healthcare
- Privacy violations, breaches and exposure of millions of citizens' personal and financial data to criminals on the dark web
- Leaks of classified information resulting in the potential for international or domestic outrage, economic trade impact and placing armed forces in harm's way
- Election tampering that undermines voter confidence in legitimate elections
Organizations in the public sector are acutely aware of the serious nature of digital risk and are taking actions to mitigate. According to the results presented in the 2019 RSA Digital Risk Report, 68% of public sector respondents reported taking action to raise awareness internally about the possible risks of digital transformation, compared with only 58% of organizations in the private sector. This indicates that public sector organizations are outperforming private sector organizations in educating the workforce about the risks and how to protect themselves and government data and systems against bad actors.
In addition, public sector respondents identified the top three specific areas of digital risk they are most concerned about over the next two years: the risk of a cyber attack, data privacy risk and dynamic workforce risk.
Cyber Attack Risk
Mitigating cyber attacks has represented the public sector's top risk management objective for the past two years, according to the RSA Digital Risk Report. The importance of managing this risk is underscored by the FISMA Fiscal Year 2018 Annual Report to Congress from the U.S. Government Accounting Office (GAO) which shows substantial progress towards managing cyber attack risk, such as a 12% decrease in cybersecurity incidents from the previous fiscal year (35,277 in FY17). However, the report also highlights the fact that there were still over 31,107 cybersecurity incidents in FY18. This shows that federal agencies face a huge challenge in securing their information and systems from bad actors, making cybersecurity challenges a "high-risk issue" for the federal government. An even more recent GAO report listed "ensuring the cybersecurity of the nation" as one of nine high-risk areas warranting particularly focused executive and congressional attention.
Dynamic Workforce Risk
Today's public service workforce is dramatically changing. Not only are the demographics of government workers evolving as more millennials join public service, but there is also continued reliance on, and contributions from, large numbers of contractors to support missions. As in the private sector, public sector organizations are adopting more digital technologies to help their workforce be more productive and efficient at achieving mission outcomes. However, this creates a challenge for government security and risk management leaders to balance the open and fluid flow of information across devices, platforms and cloud for the diverse workforce against security command and control of resources required to protect citizen and government data.
Data Privacy Risk
Data privacy is everyone's concern. While high-profile breaches in the commercial world lead the headlines, public sector organizations are not immune. The 2019 Verizon Data Breach Investigations Report found 16% of data breaches to be in the public sector, nearly the same percentage as in healthcare. The National Law Review describes data privacy risk in the public sector as a "less discussed" risk that is moving to the forefront, especially in the wake of the 2019 breach of the Office of Personnel Management (OPM), which exposed personal data in millions of background investigation records and personnel files.
# # #
Read the new white paper, Digital Risk Is Mission Risk, to learn how digital transformation is impacting public sector organizations, agencies and departments and the associated risks that must be addressed as a result. Read the RSA Digital Risk Report 2019 to learn about the perceptions and attitudes towards risk in the digital world and take a brief assessment with the RSA Digital Risk Index and get ideas on how you can adjust your strategies as your organization takes on the digital mission.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity
Author: Tim Norris
Category: Research and Innovation, Blog Post
Keywords: Cybersecurity, Digital Transformation, IRM, Digital Risk, Digital Risk Management, Digital Risk Report, Public Sector, Government, Mission Risk