State and local governments hold a vast amount of personally identifiable information about their residents, and these databases have become attractive targets for cyberattacks. In response, state and local governments have made various efforts to put in place security processes to protect their systems and data, according to Yvette Florez, the director of identity and access management for the State of Colorado.
“In the past couple of years, we have put in place rules and policies to reinforce the security of our data, particularly the personally identifiable information of our residents. These new measures cover everything from employee training to security audits to data disposal,” Florez said during a virtual event organized by FedInsider on June 6.
The first step to securing information systems and citizen data, according to Florez, is discovering and prioritizing sensitive data. The amount of sensitive data stored in files is growing at an exponential rate every day. To streamline efforts and minimize the impact on IT resources, a targeted approach is far more reasonable and achievable.
“We conduct comprehensive searches to flag files that contain sensitive content. This essentially enables us to prioritize efforts and exercise precision in securing the highest-risk files,” Florez said.
In addition, analyzing who has access to sensitive data allows state and local government officials to ensure a resilient security posture. To control and govern access to sensitive data, “it is critical to build out a model that correctly identifies users who have a business justification to access specific types of sensitive data,” Florez said.
“We need to automatically compare the actual state-of-access with the desired state and eliminate overentitled users regularly,” she added. “This assessment will help set the foundation of critical governing policies moving forward.”
Lastly, adding these measures does nothing if your workforce is not well trained in cybersecurity best practices, Florez explained. Not giving employees the knowledge needed to spot the warning signs of a cyberattack, or to recognize which actions put sensitive data at risk, puts an entire enterprise at risk.
“There’s an adage in cybersecurity that humans are the weakest link in the security chain. That’s increasingly true, as threat actors compete to exploit credulous or careless employees. But it’s also possible to turn that weak link into a formidable first line of defense,” Florez said.