A Guide for Assessing & Managing Data Security in the Public Sector

The pandemic sparked many public sector entities to accelerate technology upgrades to enhance their digital service capabilities and enable employees to work remotely. The increased online access comes with heightened data security risks, making cyber risk assessment a top priority for governmental, transit, utility and educational organizations alike.

Overall, the number of cyberattacks and data breaches increased by 15% in 2021, with the average total cost per breach reaching a record high of $4.35 million.[1] The public sector experienced 2,792 cybersecurity incidents in 2021 — second highest among the industries tracked in Verizon’s 2022 Data Breach Investigations Report.[2] Only the professional services industry had more incidents.

Protecting your operations starts with understanding your cybersecurity risks and taking steps to mitigate them. Use the checklist below to identify cybersecurity gaps and map out your next steps.

A Cybersecurity Checklist for the Public Sector

Recognize the risks.

Cybersecurity risks evolve rapidly, and public sector entities face additional complexities due to the range of motives attackers have, including financial gain, espionage, ideology and grudges. Understanding potential threats is the first step to protecting against them.

Cyberattacks are deliberate and malicious attempts by an individual or organization to breach the information system of another individual or organization. According to Verizon’s report, the top cyber crimes affecting public sector entities in 2021 were system intrusion, basic web application attacks and miscellaneous errors.[2] The report also emphasizes that ransomware attacks are on the rise in the public sector.

  • System intrusion occurs when an unauthorized individual or organization gains access to a system for the purpose of stealing data or injecting malware, such as spyware or viruses.
  • Basic web application attacks focus on vulnerabilities in apps or widgets that can enable access to data captured, transmitted and processed via a company’s website.
  • Miscellaneous errors are incidents caused by unintentional, rather than malicious, actions that compromise the security of an information asset. Examples include misconfigured servers that are accidentally exposed to the internet or emails sent to the wrong recipient.
  • Ransomware is malicious software that cyber criminals use to deny access to an organization’s systems or data until the organization pays a ransom. Ransomware attacks increased by 78% in 2021.[3]

Conduct regular cybersecurity audits.

Comprehensive annual cybersecurity audits are essential for effective data security. A cybersecurity audit should include detailed evaluations of current hardware, systems, laptops, customer data and intellectual property that could be affected by a cyberattack.

Use the risk assessment process to identify system vulnerabilities, including vendor systems, that would create problems if exploited. Then, determine the risk level by factoring in the probability of the vulnerability being exploited and the potential monetary or reputational damage at stake. Typically, cybersecurity risks are categorized as zero, low, medium or high.

Put a formal risk plan in place.

Based on your risk assessment, create a detailed written plan that outlines your cybersecurity strategy for protecting your data from cyberattacks, monitoring systems for attempted attacks and responding if an attack occurs. Essential elements to include in your plan are:

  • Documentation of policies and procedures involving your data, systems and servers, along with everyone who has access
  • Technical cybersecurity protections, such as software to ensure network security and manage remote access
  • Cybersecurity monitoring, including regular network penetration tests, access control reviews and physical security assessments
  • Response and recovery steps to be implemented if a cyberattack occurs

Often, public sector entities engage expert partners in the creation and execution of their cybersecurity strategies rather than build the specialized technical capabilities in-house.

Secure cyber insurance protection.

Cyber liability insurance isn’t one-size-fits-all. In the rapidly evolving threat environment, partnering with a cyber insurance expert can help public sector organizations identify the coverage they need and optimize their risk management processes.

When evaluating cyber insurance options, take a close look at the coverage provided for ransomware attacks. Make sure your policy covers extortion demands, payments and lost income resulting from an attack. It should also protect against a range of risks, including threats to:

  • Access, sell, disclose or misuse data stored on your network, including digital assets
  • Alter, damage or destroy software or programs
  • Introduce malicious software, including viruses and self-propagating code
  • Disrupt operations by impairing or restricting access
  • Deface or interfere with your organization’s website

Be vigilant about your cybersecurity.

Cybersecurity isn’t just the responsibility of your organization’s information technology (IT) department. While the IT team shoulders responsibility for the technical elements of your strategy, like firewalls, encryption and permission structures, all employees are ultimately responsible for ensuring cybersecurity. In fact, many modern cyberattacks employ sophisticated tactics aimed at exploiting human vulnerabilities.

Make training for all employees the foundation of your cybersecurity strategy. In today’s environment, experts recommend ongoing education that alerts employees to potential threats and helps them take a “verify first” approach to data requests, email attachments and clickable links.

As you navigate the cybersecurity landscape, the public sector experts at CBIZ are here to help you implement risk management strategies and protect your organization. Explore additional resources and learn about our solutions today!

[1] Cost of a Data Breach Report 2022, IBM, July 2022.

[2] 2022 Data Breach Investigations Report, Verizon, May 2022.

[3] The State of Ransomware 2022, Sophos, April 2022.

Published 2022-11-21.