The significant increase in the number of government employees working remotely has had a drastic impact on public services across the country. A rush to get employees safe and out of the office often resulted in reduced or closed government services, with the Americans who needed their help the most largely left out in the cold. Most of these problems have since abated, but they have highlighted a significant issue with the government's ability to respond in a crisis.
By shifting remote, agencies became a security risk
Remote work in some form will remain after the pandemic. Many government employees will adopt at least some hybrid form of remote work as local, state, and federal agencies seek to decrease their expenses and overhead so they can direct more resources towards constituents. With more remote work comes a need to secure those devices. Government employees especially, who often have access to classified or sensitive personal data, can't rely on weakly protected home networks.
Getting the massive amount of federal aid expected over the coming months and years to the Americans who need it most depends upon the government's ability to secure its employees' devices. There are multiple reasons for this. Information security (or infosec) standards and regulations are rigorous, and the penalties for non-compliance are hefty. Standards like NIST 800-53, NIST 800-66, HIPAA, FCRA, GLBA and DoDI 8510.01 all create numerous rules for safeguarding information like personally identifiable information (PII) or controlled unclassified information (CUI).
When employees work from home, it becomes drastically more challenging to ensure compliance with these directives. Just the simple task of keeping their devices patched and compliant becomes a burden, and it’s difficult to do asset tracking, especially during extended periods away from the enterprise network. Agencies need practical solutions to monitor employees and their devices for increased levels of risk and adjust mitigation strategies accordingly. It becomes necessary to implement a comprehensive plan for continuously assessing risk, craft well-honed incident response plans (and test them regularly), and create redundant safeguards to keep employees and constituent data safe.
Unfortunately, simple endpoint control isn't the only issue facing a federal workforce. Insider threats, which are some of the most dangerous and expensive vectors of cyberattack, are magnified when a significant percentage of the staff works out of the office. Government agencies need to employ solutions to verify employee devices when they’re off the enterprise network, evaluating user activity to monitor for increased risk identifiers. Government employees can inadvertently become insider threats simply as a side effect of the agency having less control over their behavior on the net, or even worse, if they mix personal and professional use on the same device. Device risk mitigation isn’t just a fancy buzzword: it’s a crucial way to secure both government data and customer information with increased work-from-home capacities. Using private sector solutions to better identify and authenticate employee devices can help create safe, secure transactions for government agencies and the Americans they serve.
Why governments need stronger endpoint security
As an industry, we must devote considerable thought to solving the problem of a workforce with access to sensitive information and all the security risks of an uncontrolled endpoint. We can’t overstate the risks. Cyberattacks continue to increase in both frequency and severity and, with a damaging enough hack, could cost taxpayers millions of dollars. There have already been numerous scams associated with the pandemic, with price tags in the billions.
With all the fraud that took place during the pandemic, we need stronger ways of verifying a customer’s identity. With today’s massive databases of fraud activity shared across industry, we now have an opportunity to make real shifts in how government agencies proof identity. Security teams can make the transactions more secure, less resource intensive, and less burdensome on all parties involved by using advanced analytics, stronger data management, and multi-factor authentication. They can scale these solutions based on the security needs of the government agency, and it’s critical that they are implemented before the next disaster hits.
As potentially millions of federal employees shift to a remote work or hybrid environment, cybersecurity departments in these agencies will have to tackle these problems. American taxpayers can't afford costly mistakes and leaked sensitive data. Public servants need their devices secured so they can get aid to the Americans who need it most. The government, at all levels, must do a better job of securing the devices necessary for distributing that aid.
Jonathan McDonald, executive vice president, U.S. public sector, TransUnion