Let’s set the scene.
Back in 2015, an audit of the various departments making up the government of California showed that out of 77 agencies, 73 had failed to maintain compliance with reasonable security standards.
The findings were bleak:
- 31 departments indicated that their remediation plans would take at least two years to implement. Of them, eight indicated that their plans would take until 2020.
- Over 33% of IT officials did not fully understand the requirements of the security audit.
- Several departments blew off the audit entirely.
- The Department of Technology itself employed only 4 auditors, who could only complete 8 audits every 18 months – resulting in an impractical 20-year schedule for a full state audit process.
This report caused an uproar, and changes were promised. It’s been three years, however, and the hits keep on coming. In February 2018, the state notified thousands of former employees that a rogue IT manager had downloaded their social security numbers onto a USB drive for an unknown purpose, and then took that unencrypted data outside of the state’s secure network.
What’s Going On in State-Level Cybersecurity?
Information security is hard, and it gets harder at the state level. It’s probably unfair of us to single out California for this example (sorry, Californian readers!), but it represents a decent microcosm of the rest of the US states. After all, California famously has the sixth-largest economy in the world. If it can’t get its act together in terms of information security, imagine how difficult things are in the other 49 states!
So, what exactly makes state-level cybersecurity so difficult? Here’s one example:
Around the time of the 2015 audit, California’s state representatives had proposed a new information security bill. This bill would require the state’s Department of Technology to conduct a security audit of every state agency every two years. This bill would also provide funding to hire additional auditors and secure tools for the effort – a cost of between $800,000 and $2.6 million USD per year.
This relatively modest investment would probably pay for itself in the long run by preventing expensive data breaches, yet California’s Department of Finance recommended against the bill due to its cost. Although the bill eventually passed over the department’s objections, this example illustrates how hard it is for states to secure even a small investment in information security.
Safe-T Improves Security for States and Businesses
Safe-T lets administrators standardize security best practices over any number of far-flung agencies and departments. A relatively small number of IT staff can effectively monitor an entire organization, ensuring that every branch uses the same tools, encrypts its data the same way, and maintains the same standards for storing and transmitting critical information.
In addition, clients are able to enhance the security of their organization with unique technology known as Logical Segmentation. This enables different network segments to communicate without exposing firewall ports. In other words, various agencies could talk to one another without opening a window for attackers to eavesdrop or infiltrate their networks.
If this sounds like a success you’d like to replicate, contact Safe-T today for a free trial!
*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Tom Skeen. Read the original post at: https://blog.safe-t.com/state-level-cybersecurity-is-hard-to-fix