Data security is one of the most persistent issues facing federal, state, and local governments as well as commercial enterprises today, and often is one of the most alarming.
A data hack can seemingly come out of nowhere. When it does, it immediately becomes the one, all-encompassing priority that overtakes whatever else organizations expected to be doing that day, week, or month. From ransomware and malware to denial-of-service (DoS) attacks and the notoriously annoying phishing attempts that keep popping up in inboxes, more than 3,800 publicly disclosed data breaches compromised 4.1 billion records in the first 6 months of 2019. This is according to a recent Forbes article, which noted, “even more remarkable is the fact that 3.2 billion of those records were exposed by just eight breaches.”
The severity of today’s cybersecurity threats, combined with continued stunning growth in data volumes, underscores the urgent need to protect cloud data through a comprehensive certification such as the Federal Risk and Authorization Management Program, or FedRAMP. The government-wide program was initiated to establish a risk management, authorization, and continuous monitoring process for the use of cloud computing services.
Cybersecurity is a functional need organizations can never lose sight of, a poster child for the old, overused cliché, “it’s a journey, not a destination.”
Here are 10 issues that agencies and companies need to consider to ensure they are on the right track.
- A Big Risk Hits Small Organizations
The first step to building a cybersecure organization is realizing all companies and agencies are at risk. For several years now, it’s been a rule of thumb among data security specialists that if organizations think they are impervious to attack, they’re actually the most vulnerable.
Here are three takeaways from the “2019 MidYear QuickView Data Breach Report” by RiskBased Security, which found that 2019 was on track to be the worst year on record for breach activity:
- The number of reported breaches grew 54% between mid-year 2018 and 2019.
- The number of exposed records jumped 52%.
- The overwhelming majority of breaches were small, exposing 10,000 or fewer records.
One reason the risk is so rampant is that smaller organizations have less time and fewer resources to devote to their cybersecurity, making them prime pickings for data criminals.
- Realize You’re Not Alone
The list of the top 10 data breaches hitting U.S. state and local governments shows that hackers aren’t the only problem organizations face.
“Some of the biggest and most significant government data breaches come down to human error: from lost hard drives, misconfigured databases, and physical device theft to simple mistakes that lead to millions upon millions of leaked Social Security numbers, names, addresses, voting affiliations, and other sensitive data,” Digital Guardian reported in a 2018 article. “Adding insult to injury,” it stated, “U.S. taxpayers usually end up footing the bill for the aftermath, including years of free identity theft and credit monitoring for the victims.”
Here is the Top 10 list:
- The U.S. voter database, 191 million records, December 2015
- The National Archives and Records Administration, 76 million records, October 2009
- The Department of Veterans Affairs, 26.5 million records, May 2006
- The U.S. Office of Personnel Management, 21.5 million records, June 2015
- The Virginia Department of Health Professions, 8.3 million records, May 2019
- The Office of the Texas Attorney General, 6.5 million records, April 2012
- The Georgia Secretary of State office, 6.2 million records, November 2015
- Tricare, 4.9 million records, September 2011
- The South Carolina Department of Revenue, 3.6 million records, October 2012
- The State of Texas, 3.5 million records, April 2011
The list leaves out commercial data breaches such as the well-publicized Target hack (2013) that helped bring cybersecurity to the attention of managers everywhere. It also reveals two critical points: Data loss has been going on for a long time and it affects respected, established organizations that were credible before and after their breaches. The objective is not to single them out, but to address an issue that affects every company and every government agency at every level.
- Upgrades Deliver Better Cybersecurity
It’s a mistake to postpone an organization’s cybersecurity planning, but it’s easy to understand how it happens.
Planning costs money and soaks up valuable time to change something as fundamental as the way an organization protects its IT systems. However, it costs far more to leave legacy systems in place and vulnerable. There may be many reasons for an agency or company to upgrade its ERP and associated systems—and as those reasons accumulate into an irresistible need, enhanced security is one of the most important gains expected from modernizing software.
In the end, enhanced data security is one of the best reasons to break away from old, obsolete systems that have probably been in place for far too long, and that can’t begin to meet the latest compliance standards. At a time when companies and public agencies are looking to maximize efficiency and reduce costs, financial and program management software is stretching to track operations across multiple platforms, and supply chains are becoming more complex, cybersecurity is just one of many compelling reasons to upgrade.
- Security Across Your Supply Chain
Today’s cybersecurity challenges extend beyond in-house systems, which are as strong as their weakest link.
One of the enduring lessons of the Target data breach was that it originated with a vendor so small that it almost certainly wasn’t on the security team’s radar—until that small company’s vulnerability became an entry point to the retail giant’s business. In an era of unprecedented complexity, supply chains likely originate 80% of the data that organizations rely on to deliver on their missions. A company or agency securing its own system is just the essential first step. The next challenge is to extend that protective umbrella to every piece of external data that enters its system.
- A New Wave of Opportunity Awaits
The good news is that it isn’t all about threats and potential loss. Enhanced cybersecurity is just one of the advantages organizations tap into when they move their operations into the cloud.
The emergence of smart city strategies is opening the door to wider collaboration, coordination, and optimization across service areas, agencies, and levels of government.
Internet of Things (IoT) technology offers a wealth of sensor data to optimize operations and capture the most granular updates on equipment performance and material flows.
Cloud-based asset management systems help maximize the performance and extend the operating life of expensive and often-specialized capital equipment and property.
Across every aspect of a business, cloud computing offers greater access and efficiency with routine, seamless updates that keep operations more current than any on-premises system. But it’s only safe to make the move if businesses and agencies have a reliable, secure pathway for bringing all of that data to the cloud.
- Older IT Isn’t Up to the Challenge
The benefits of modern IT infrastructure are just one upgrade away and the need is acute. We constantly hear from CFOs and CIOs whose legacy systems fall short of organizational objectives, are often out-of-date, and frequently hamper efficient operations.
Those issues reflect the ongoing operational risk posed by legacy systems, however familiar those systems may be to the agencies and companies that run them. Every single day, those systems eat away at an organization’s effectiveness, blocking performance improvement, limiting access to best practices, isolating it from emerging technologies, and failing to deliver the ease of use that the next generation of millennial employees expects on the job.
- FedRAMP Delivers Data Safety and Security
FedRAMP is a one-stop resource for governments at all levels as well as regulated companies that are intent on keeping their data safe and secure. Its primary mission is to keep federal data and U.S. citizens safe in an environment of ever-escalating threats. The program is also open to state and local governments and commercial enterprises that are prepared to leverage its stringent authorization process to increase security, confidence, and innovation in their own cloud strategies.
AI, machine learning, and IoT have the potential to transform organizations’ missions and drive business success—but cloud migration is a necessary first move. FedRAMP authorization ensures that every layer of an organization’s IT structure, from the operating system to industry-specific applications and data analytics, is continuously monitored and assessed, and that new innovations are quickly integrated into a secure architecture.
- New Expectations for Contractors
The Department of Defense is working to protect controlled unclassified information within the supply chain and contractor networks. Expected to begin appearing as a requirement in 2020, the Cybersecurity Maturity Model Certification (CMMC) establishes five levels of progressively rigorous security controls that operate across 14 different control families based on standards such as NIST SP 800-171, NIST SP 800-53, and ISO 27001. According to Government Computer News, a FedRAMP authorization may satisfy many of the CMMC requirements. Both programs have similar control families, including access control, awareness and training, security assessment, and system and information integrity. Building a deliberate, integrated framework will ensure that an organization’s vendors and partners are on board with the plan as it embarks on its cybersecurity journey.
- New Expectations from Users
Another reason to embrace a more cybersecure architecture is that an organization’s clients, customers, and stakeholders are demanding it.
In 2018, a survey of 374 Infor customers across multiple industries listed innovation, security and compliance, performance and scalability, user experience and adoption, and total cost of ownership as the five top reasons to move to the cloud. Most of the arguments against the transition had to do with system security—which is precisely where FedRAMP comes in. The certification is so comprehensive that organizations’ data is probably more at risk in an internal, on-premises system than in a state-of-the-art cloud environment. The longer a company delays the transition, the more serious that risk becomes.
- Getting the Transition Done
If an agency or company is thinking of FedRAMP authorization for its own operations, the first thing to understand is that it won’t be out there alone.
Experienced, third-party cybersecurity advisors are available to guide the process. Once the system is in place, a third-party assessment organization (3PAO) conducts an independent audit to ensure that the organization’s security controls meet FedRAMP requirements, while also assisting with document development and providing ad hoc engineering support as needed. Both of these highly trained professionals are paid by the cloud services provider the company selects to house its data.