5 ways to integrate risk management into government IT strategy

July 9, 2019 (4 minute read)

It’s no secret that the U.S. government is a massive target for cyber attacks. The 2018 Thales Data Threat Report: Federal Government Edition revealed that an alarming 70 percent of federal agencies have been breached, with 57 percent experiencing breaches in the preceding year.

Natural disasters are another test of the government’s IT strategy. After Hurricane Irma hit Puerto Rico, it quickly became clear that government data was not “disaster-ready” when maps with information about the locations of shelters, hospitals, and flood zones took many hours longer to access than they should have. Startling statistics like these illuminate the need for government bodies to alter their approach to building and maintaining the nation’s technical infrastructure.

Risk management is one of the most important parts of any IT strategy. This is especially true in the case of government IT, where a data breach or breakdown could leave individuals vulnerable. Development of a robust risk management strategy is a critical undertaking for IT departments, and there’s no time to waste. Here are 5 ways government IT teams can integrate risk management practices into their IT plan.

1. Conduct risk assessments

Before you can protect your organization from threats, human or natural, you have to know what the vulnerabilities are. Risk assessments are essential to protecting a network because they can identify weak spots and possible points of failure, enabling IT teams to plan and act accordingly. When budgets are tight, as they often are, knowing where to allocate resources is key. Regular and thorough risk assessments need to be a part of any IT strategy.

2. Push for employee education

The vast majority of security breaches are traceable to—if not directly caused by—human error. In fact, IBM’s 2017 Cyber Security Intelligence Index revealed that 95 percent of all security incidents involve human error. Processes and protocols are a core part of any IT strategy, but access controls and password requirements are only so useful if a government employee clicks on a phishing link or falls prey to another advanced persistent threat. All government bodies should include training for employees on best practices and security awareness.

3. Secure your print environment

Printing remains a central part of most federal workflows. Research from GovLoop and HP reveals that each government employee prints an average of 30 pages per day, or 7,200 pages per year, and 42 percent of those surveyed said they have high-volume printing needs.

Reliance on printers, especially for classified information, makes them a significant threat vector. However, printers continue to be an area of security that is under-addressed. The above report also found that 47 percent of government employees did not believe printer security was an area of concern for their agency, and only 38 percent of respondents indicated that their organization has a security policy regarding printers.

Investing in printing security is necessary to mitigate risk. Consider upgrading to smart, modern printers that come with embedded security features like access controls, data encryption, continuous monitoring, and the capacity to self-heal from attacks.

4. Strive for complete endpoint security

Just as printers can be vulnerable endpoints, so can many other devices that are now a regular part of the workplace, like mobile and IoT devices—and they can absorb a sizable amount of IT resources. This is why a strong government IT strategy has to include device security provisions. Organizations can reduce risk with safeguards like encryption, access controls, data masking, and quarantines. Employees also need to understand the risks that unsecured WiFi presents and understand how to use tools like VPNs to keep data secure.

5. Make data disaster-ready

Whether the issue takes the form of a hurricane, an internal leak, or an attack from a foreign actor, government data has to be disaster-ready. One strategy is to conduct “data drills,” as the Office of Data Analytics in New York City does, to ensure that critical data remains agile and is always available when and where it’s needed. Every IT strategy should also incorporate a data backup and recovery plan with recovery objectives and priorities outlined. The plan should detail the roles and responsibilities of recovery team members and the steps that need to be taken.

The reality is that risks are everywhere, and the ability of government agencies to protect data is essential to the smooth functioning of the nation. All government IT strategies need to focus on risk management and find ways to integrate risk mitigation with other priorities like training, budget, and efficiency.
