1. Implement Multifactor Authentication
MFA is now considered a best practice for identity verification, and citizens are accustomed to entering additional information when they sign in to a website. Yet, many state and local agencies haven’t introduced MFA within their own organizations because they’ve lacked the time and resources to implement the technology for anything beyond high-priority entry points.
The IDI Act makes it easier to focus on implementing this mission-critical technology. Agencies should take advantage of it to better protect citizens’ and government employees’ data. Beyond integrating MFA with traditional access points, such as VPNs or email, agencies should prompt personnel for two-factor authentication whenever they access a citizen’s PII, sign in from a remote location or perform any other internet-facing task. The Cybersecurity and Infrastructure Security Agency has a good primer on MFA, including the costs and time associated with implementation.
2. Invest in a Cybersecurity-Focused Workforce
The cybersecurity skills gap continues to be a thorn in the side of organizations, including state and local agencies. According to a 2022 study by ISC2, 3.4 million more cybersecurity workers are needed to secure assets effectively.
Historically, the public sector has struggled to match the private sector’s pay when competing for cybersecurity talent. However, the IDI Act opens new avenues for funding, while initiatives such as the White House’s National Cyber Workforce and Education Strategy promise to help close the gap through training and development.
Indeed, there’s never been a better time to invest in a cybersecurity workforce. As cybersecurity guidance and threats evolve, state and local agencies need to consider adding to their staff to create an extended workforce for rapid incident response and proactive threat hunting. Attracting talent becomes easier with financial incentives, training and round-the-clock cybersecurity monitoring tools that can help teams quickly detect and remediate threats.
3. Continuously Monitor and Update Access Rights
Managing access is often challenging for state and local agencies. Employee status changes frequently, and even in smaller organizations, it can be hard to keep track of who is joining, who is leaving or who needs permission to access certain information.
All it takes is one disgruntled former employee to cause havoc on a network and expose citizens’ PII. This makes it vitally important to continuously monitor and automatically update employees’ access rights.
Investing in technology that makes it easier to delegate and control access rights can help agencies ensure that citizens’ data does not accidentally or intentionally fall into the wrong hands. Ideally, IT managers should have complete visibility into access rights across the organization. This will allow them to quickly identify who has access to what, ensure compliance with regulations such as HIPAA and state and local laws, and adjust access privileges as necessary to mitigate potential threats.
Digital identities will eventually evolve into a standard form of identification for citizens. As that occurs, citizens will have more control over their data, and it will be better protected — if government agencies continue to do their part in keeping it secure. The IDI Act gives agencies the incentive and means to invest in the tools, people and processes necessary to achieve this objective. Organizations should not let this opportunity pass them by.