Security

3 Ways for State Agencies to Protect Citizens’ Digital Identities

Those handling personally identifiable information should adopt authentication measures and invest in training their workforce.

John Wilson

John Wilson is director of sales for state and local government, education, and health care at SolarWinds.

The Improving Digital Identity Act of 2021 gives agencies the incentive and funds needed to protect citizens’ digital data. Now is the time to invest in the tools, people and processes required to achieve that objective.

When a person interacts with a state agency or healthcare provider, one of the first pieces of information the organization asks for is a driver's license or Social Security number. Over the course of a lifetime, this request is repeated whenever a person applies for government assistance or benefits, checks into a medical clinic or has any type of interaction with government.

Every time, the person gives a little more information about themselves. Personal identifiable information such as this is highly valuable and gives hackers reason to attempt to infiltrate government networks to steal that information.

Self-sovereign identity models make these transactions more secure by giving control of PII back to the individual. With SSI, a person creates a digital ID that contains only the information he or she deems necessary to share. The information can be accessed across organizations, meaning a person has to enter their information only once.

However, agencies still need a way to validate this information and keep it secure. The IDI Act legislates how to do this and gives states a budget to upgrade their systems and processes accordingly.

There are three strategies states can use to maximize these funds and improve their internal security processes to ensure citizens’ information is protected.

Click the banner to learn how your agency can better protect citizen information.

1. Implement Multifactor Authentication

MFA is now considered a best practice for identity verification, and citizens are accustomed to entering additional information when they sign in to a website. Yet, many state and local agencies haven’t introduced MFA within their own organizations because they’ve lacked the time and resources to implement the technology for anything beyond high-priority entry points.

The IDI Act makes it easier to focus on implementing this mission-critical technology. Agencies should take advantage to better protect citizens’ and government employees’ data. Beyond integrating MFA with traditional access points, such as VPNs or email, agency personnel should be prompted to provide two-factor authentication whenever they access a citizen’s PII, sign in from a remote location or perform any other internet-facing task. The Cybersecurity and Infrastructure Security Agency has a good primer on MFA, including the costs and time associated with implementation.

EXPLORE: Learn how to modernize your agency's IAM program.

2. Invest in a Cybersecurity-Focused Workforce

The cybersecurity skills gap continues to be a thorn in the side of organizations, including state and local agencies. According to a 2022 study by ISC2, 3.4 million more cybersecurity workers are needed to secure assets effectively.

Historically, the public sector has struggled to compete with the private sector’s competitive pay when it comes to tapping the cybersecurity talent pool. However, the IDI Act opens new avenues for funding, while initiatives such as the White House’s National Cyber Workforce and Education Strategy promise to help close the gap through training and development.

Indeed, there’s never been a better time to invest in a cybersecurity workforce. As cybersecurity guidance and threats evolve, state and local agencies need to consider adding to their staff to create an extended workforce for rapid incident response and proactive threat hunting. Attracting talent becomes easier with financial incentives, training and round-the-clock cybersecurity monitoring tools that can help teams quickly detect and remediate threats.

LEARN MORE: Why state CIOs are heavily focusing on cybersecurity and identity management.

3. Continuously Monitor and Update Access Rights

Managing access is often challenging for state and local agencies. Employee status changes frequently, and even in smaller organizations, it can be hard to keep track of who is joining, who is leaving or who needs permission to access certain information.

All it takes is one disgruntled former employee to cause havoc on a network and expose citizens’ PII. This makes it vitally important to continuously monitor and automatically update employees’ access rights.

Investing in technology that makes it easier to delegate and control access rights can help agencies ensure that citizens’ data does not accidentally or intentionally fall into the wrong hands. Ideally, IT managers should have complete visibility into access rights across the organization. This will allow them to quickly identify who has access to what, ensure compliance with regulations such as HIPAA and state and local laws, and adjust access privileges as necessary to mitigate potential threats.

Digital identities will eventually evolve into a standard form of identification for citizens. As that occurs, citizens will have more control over their data, and it will be better protected — if government agencies continue to do their part in keeping it secure. The IDI Act gives agencies the incentive and means to invest in the tools, people and processes necessary to achieve this objective. Organizations should not let this opportunity pass them by.

Fly View Productions/Getty Images